diff --git a/CHANGES b/CHANGES
index 4ebc9364ce..d702d85b3f 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,407 @@
 
+2.4-613 | 2016-06-14 18:10:37 -0700
+
+  * Preventing the event processing from looping endlessly when an
+    event reraised itself during execution of its handlers. (Robin
+    Sommer)
+
+2.4-612 | 2016-06-14 17:42:52 -0700
+
+  * Improved handling of 802.11 headers. (Jan Grashoefer)
+
+2.4-609 | 2016-06-14 17:15:28 -0700
+
+  * Fixed table expiration evaluation. The expiration attribute
+    expression is now evaluated for every use. Thus later adjustments
+    of the value (e.g. by redefining a const) will now take effect.
+    Values less than 0 will disable expiration. (Jan Grashoefer)
+
+2.4-606 | 2016-06-14 16:11:07 -0700
+
+  * Fix parsing precedence of "hook" expression. Addresses BIT-1619
+    (Johanna Amann)
+
+  * Update the "configure" usage message for --with-caf (Daniel
+    Thayer)
+
+2.4-602 | 2016-06-13 08:16:34 -0700
+
+  * Fixing Covertity warning (CID 1356391). (Robin Sommer)
+
+  * Guarding against reading beyond packet data when accessing L2
+    address in Radiotap header. (Robin Sommer)
+
+2.4-600 | 2016-06-07 15:53:19 -0700
+
+  * Fixing typo in BIF macros. Reported by Jeff Barber. (Robin Sommer)
+
+2.4-599 | 2016-06-07 12:37:32 -0700
+
+  * Add new functions haversine_distance() and haversine_distance_ip()
+    for calculating geographic distances. They requires that Bro be
+    built with libgeoip. (Aashish Sharma/Daniel Thayer).
+
+2.4-597 | 2016-06-07 11:46:45 -0700
+
+  * Fixing memory leak triggered by new MAC address logging. (Robin
+    Sommer)
+
+2.4-596 | 2016-06-07 11:07:29 -0700
+
+  * Don't create debug.log immediately upon startup (BIT-1616).
+    (Daniel Thayer)
+
+2.4-594 | 2016-06-06 18:11:16 -0700
+
+  * ASCII Input: Accept DOS/Windows newlines. Addresses BIT-1198
+    (Johanna Amann)
+
+  * Fix BinPAC exception in RFB analyzer. (Martin van Hensbergen)
+
+  * Add URL decoding for the unofficial %u00AE style of encoding. (Seth Hall)
+
+  * Remove the unescaped_special_char HTTP weird. (Seth Hall)
+
+2.4-588 | 2016-06-06 17:59:34 -0700
+
+  * Moved link-layer addresses into endpoints. The link-layer
+    addresses are now part of the connection endpoints following the
+    originator/responder pattern. (Jan Grashoefer)
+
+  * Link-layer addresses are extracted for 802.11 plus RadioTap. (Jan
+    Grashoefer)
+
+  * Fix coverity error (uninitialized variable) (Johanna Amann)
+
+  * Use ether_ntoa instead of ether_ntoa_r
+
+    The latter is thread-safe, but a GNU addition which does not exist on
+    OS-X. Since the function only is called in the main thread, it should
+    not matter if it is or is not threadsafe. (Johanna Amann)
+
+  * Fix FreeBSD/OSX compile problem due to headers (Johanna Amann)
+
+2.4-581 | 2016-05-30 10:58:19 -0700
+
+  * Adding missing new script file mac-logging.bro. (Robin Sommer)
+
+2.4-580 | 2016-05-29 13:41:10 -0700
+
+  * Add Ethernet MAC addresses to connection record. c$eth_src and
+    c$eth_dst now contain the Ethernet address if available. A new
+    script protocols/conn/mac-logging.bro adds these to conn.log when
+    loaded. (Robin Sommer)
+
+2.4-579 | 2016-05-29 08:54:57 -0700
+
+  * Fixing Coverity warning. Addresses CID 1356116. (Robin Sommer)
+
+  * Fixing FTP cwd getting overlue long. (Robin Sommer)
+
+  * Clarifying notice documentation. Addresses BIT-1405. (Robin
+    Sommer)
+
+  * Changing protocol_{confirmation,violation} events to queue like
+    any other event. Addresses BIT-1530. (Robin Sommer)
+
+  * Normalizing test baseline. (Robin Sommer)
+
+  * Do not use scientific notations when printing doubles in logs.
+    Addresses BIT-1558. (Robin Sommer)
+
+2.4-573 | 2016-05-23 13:21:03 -0700
+
+  * Ignoring packets with negative timestamps. Addresses BIT-1562 and
+    BIT-1443. (Robin Sommer)
+
+2.4-572 | 2016-05-23 12:45:23 -0700
+
+  * Fix for a table refering to a expire function that's not defined.
+    Addresses BIT-1597. (Robin Sommer)
+
+2.4-571 | 2016-05-23 08:26:43 -0700
+
+  * Fixing a few Coverity warnings. (Robin Sommer)
+
+2.4-569 | 2016-05-18 07:39:35 -0700
+
+  * DTLS: Use magix constant from RFC 5389 for STUN detection.
+    (Johanna Amann)
+
+  * DTLS: Fix binpac bug with DTLSv1.2 client hellos. (Johanna Amann)
+
+  * DTLS: Fix interaction with STUN. Now the DTLS analyzer cleanly
+    skips all STUN messages. (Johanna Amann)
+
+  * Fix the way that child analyzers are added. (Johanna Amann)
+
+2.4-563 | 2016-05-17 16:25:21 -0700
+
+  * Fix duplication of new_connection_contents event. Addresses
+    BIT-1602 (Johanna Amann)
+
+  * SMTP: Support SSL upgrade via X-ANONYMOUSTLS This seems to be a
+    non-standardized microsoft extension that, besides having a
+    different name, works pretty much the same as StartTLS. We just
+    treat it as such. (Johanna Amann)
+
+  * Fixing control framework's net_stats and peer_status commands. For
+    the latter, this removes most of the values returned, as we don't
+    have access to them anymore. (Robin Sommer)
+
+2.4-555 | 2016-05-16 20:10:15 -0700
+
+  * Fix failing plugin tests on OS X 10.11. (Daniel Thayer)
+
+  * Fix failing test on Debian/FreeBSD. (Johanna Amann)
+
+2.4-552 | 2016-05-12 08:04:33 -0700
+
+  * Fix a bug in receiving remote logs via broker. (Daniel Thayer)
+
+  * Fix Bro and unit tests when broker is not enabled. (Daniel Thayer)
+
+  * Added interpreter error for local event variables. (Jan Grashoefer)
+
+2.4-544 | 2016-05-07 12:19:07 -0700
+
+  * Switching all use of gmtime and localtime to use reentrant
+    variants. (Seth Hall)
+
+2.4-541 | 2016-05-06 17:58:45 -0700
+
+  * A set of new built-in function for gathering execution statistics:
+
+      get_net_stats(), get_conn_stats(), get_proc_stats(),
+      get_event_stats(), get_reassembler_stats(), get_dns_stats(),
+      get_timer_stats(), get_file_analysis_stats(), get_thread_stats(),
+      get_gap_stats(), get_matcher_stats().
+
+    net_stats() resource_usage() have been superseded by these. (Seth
+    Hall)
+
+  * New policy script misc/stats.bro that records Bro execution
+    statistics in a standard Bro log file. (Seth Hall)
+
+  * A series of documentation improvements. (Daniel Thayer)
+
+  * Rudimentary XMPP StartTLS analyzer. It parses certificates out of
+    XMPP connections using StartTLS. It aborts processing if StartTLS
+    is not found. (Johanna Amann)
+
+2.4-507 | 2016-05-03 11:18:16 -0700
+
+  * Fix incorrect type tags in Bro broker source code. These are just
+    used for error reporting. (Daniel Thayer)
+
+  * Update docs and tests of the fmt() function. (Daniel Thayer)
+
+2.4-500 | 2016-05-03 11:16:50 -0700
+
+  * Updating submodule(s).
+
+2.4-498 | 2016-04-28 11:34:52 -0700
+
+  * Rename Broker::print to Broker::send_print and Broker::event to
+    Broker::send_event to avoid using reserved keywords as function
+    names. (Daniel Thayer)
+
+  * Add script wrapper functions for Broker BIFs. This faciliates
+    documenting them through Broxygen. (Daniel Thayer)
+
+  * Extend, update, and clean up Broker tests. (Daniel Thayer)
+
+  * Intel: Allow to provide uid/fuid instead of conn/file. (Johanna
+    Amann)
+
+  * Provide file IDs for hostname matches in certificates. (Johanna
+    Amann)
+
+  * Rudimentary IMAP StartTLS analyzer. It parses certificates out of
+    IMAP connections using StartTLS. It aborts processing if StartTLS
+    is not found. (Johanna Amann)
+
+2.4-478 | 2016-04-28 09:56:24
+
+  * Fix parsing of x509 pre-y2k dates. (Johanna Amann)
+
+  * Fix small error in bif documentation. (Johanna Amann)
+
+  * Fix unknown data link type error message. (Vitaly Repin)
+
+  * Correcting spelling errors. (Jeannette Dopheide)
+
+  * Minor cleanup in ARP analyzer. (Johanna Amann)
+
+  * Fix parsing of pre-y2k dates in X509 certificates. (Johanna Amann)
+
+  * Fix small error in get_current_packet documentation. (Johanna Amann)
+
+2.4-471 | 2016-04-25 15:37:15 -0700
+
+  * Add DNS tests for huge TLLs and CAA. (Johanna Amann)
+
+  * Add DNS "CAA" RR type and event. (Mark Taylor)
+
+  * Fix DNS response parsing: TTLs are unsigned. (Mark Taylor)
+
+2.4-466 | 2016-04-22 16:25:33 -0700
+
+  * Rename BrokerStore and BrokerComm to Broker. Also split broker main.bro
+    into two scripts. (Daniel Thayer)
+
+  * Add get_current_packet_header bif. (Jan Grashoefer)
+
+2.4-457 | 2016-04-22 08:36:27 -0700
+
+  * Fix Intel framework not checking the CERT_HASH indicator type. (Johanna Amann)
+
+2.4-454 | 2016-04-14 10:06:58 -0400
+
+  * Additional mime types for file identification and a few fixes. (Seth Hall)
+
+    New file mime types:
+     - .ini files
+     - MS Registry policy files
+     - MS Registry files
+     - MS Registry format files (e.g. DESKTOP.DAT)
+     - MS Outlook PST files
+     - Apple AFPInfo files
+
+    Mime type fixes:
+     - MP3 files with ID3 tags.
+     - JSON and XML matchers were extended
+
+  * Avoid a macro name conflict on FreeBSD. (Seth Hall, Daniel Thayer)
+
+2.4-452 | 2016-04-13 01:15:20 -0400
+
+  * Add a simple file entropy analyzer. (Seth Hall)
+
+  * Analyzer and bro script for RFB/VNC protocol (Martin van Hensbergen)
+
+    This analyzer parses the Remote Frame Buffer
+    protocol, usually referred to as the 'VNC protocol'.
+
+    It supports several dialects (3.3, 3.7, 3.8) and
+    also handles the Apple Remote Desktop variant.
+
+    It will log such facts as client/server versions,
+    authentication method used, authentication result,
+    height, width and name of the shared screen.
+
+
+2.4-430 | 2016-04-07 13:36:36 -0700
+
+  * Fix regex literal in scripting documentation. (William Tom)
+
+2.4-428 | 2016-04-07 13:33:08 -0700
+
+  * Confirm protocol in SNMP/SIP only if we saw a response SNMP/SIP
+    packet. (Vlad Grigorescu)
+
+2.4-424 | 2016-03-24 13:38:47 -0700
+
+  * Only load openflow/netcontrol if compiled with broker. (Johanna Amann)
+
+  * Adding canonifier to test. (Robin Sommer)
+
+2.4-422 | 2016-03-21 19:48:30 -0700
+
+  * Adapt to recent change in CAF CMake script. (Matthias Vallentin)
+
+  * Deprecate --with-libcaf in favor of --with-caf, as already done in
+    Broker. (Matthias Vallentin)
+
+2.4-418 | 2016-03-21 12:22:15 -0700
+
+  * Add protocol confirmation to MySQL analyzer. (Vlad Grigorescu)
+
+  * Check that there is only one of &read_expire, &write_expire,
+    &create_expire. (Johanna Amann)
+
+  * Fixed &read_expire for subnet-indexed tables, plus test case. (Jan
+    Grashoefer)
+
+  * Add filter_subnet_table() that works similar to matching_subnet()
+    but returns a filtered view of the original set/table only
+    containing the changed subnets. (Jan Grashoefer)
+
+  * Fix bug in tablue values' tracking read operations. (Johanna
+    Amann)
+
+  * Update TLS constants and extensions from IANA. (Johanna Amann)
+
+2.4-406 | 2016-03-11 14:27:47 -0800
+
+  * Add NetControl and OpenFlow frameworks.  (Johanna Amann)
+
+2.4-313 | 2016-03-08 07:47:57 -0800
+
+  * Remove old string functions in C++ code. This removes the
+    functions: strcasecmp_n, strchr_n, and strrchr_n. (Johanna Amann)
+
+2.4-307 | 2016-03-07 13:33:45 -0800
+
+  * Add "disable_analyzer_after_detection" and remove
+    "skip_processing_after_detection". Addresses BIT-1545.
+    (Aaron Eppert & Johanna Amann)
+
+  * Add bad_HTTP_request_with_version weird (William Glodek)
+
+2.4-299 | 2016-03-04 12:51:55 -0800
+
+  * More detailed installation instructions for FreeBSD 9.X. (Johanna Amann)
+
+  * Update CMake OpenSSL checks. (Johanna Amann)
+
+  * "SUBSCRIBE" is a valid SIP. message per RFC 3265. Addresses
+     BIT-1529. (Johanna Amann)
+
+  * Update documentation for connection log's RSTR. Addresses BIT-1535
+    (Johanna Amann)
+
+2.4-284 | 2016-02-17 14:12:15 -0800
+
+  * Fix sometimes failing dump-events test. (Johanna Amann)
+
+2.4-282 | 2016-02-13 10:48:21 -0800
+
+  * Add missing break in in StartTLS case of IRC analyzer. Found by
+    Aaron Eppert. (Johanna Amann)
+
+2.4-280 | 2016-02-13 10:40:16 -0800
+
+  * Fix memory leaks in stats.cc and smb.cc. (Johanna Amann)
+
+2.4-278 | 2016-02-12 18:53:35 -0800
+
+  * Better multi-space separator handline. (Mark Taylor & Johanna Amann)
+
+2.4-276 | 2016-02-10 21:29:33 -0800
+
+  * Allow IRC commands to not have parameters. (Mark Taylor)
+
+2.4-272 | 2016-02-08 14:27:58 -0800
+
+  * fix memory leaks in find_all() and IRC analyzer. (Dirk Leinenbach)
+
+2.4-270 | 2016-02-08 13:00:57 -0800
+
+  * Removed duplicate parameter for IRC "QUIT" event handler. (Mark Taylor)
+
+2.4-267 | 2016-02-01 12:38:32 -0800
+
+  * Add testcase for CVE-2015-3194. (Johanna Amann)
+
+  * Fix portability issue with use of mktemp. (Daniel Thayer)
+
+2.4-260 | 2016-01-28 08:05:27 -0800
+
+  * Correct irc_privmsg_message event handling bug. (Mark Taylor)
+
+  * Update copyright year for Sphinx. (Johanna Amann)
+
 2.4-253 | 2016-01-20 17:41:20 -0800
 
   * Support of RadioTap encapsulation for 802.11 (Seth Hall)
@@ -1895,21 +2298,21 @@
 2.3-beta-18 | 2014-06-06 13:11:50 -0700
 
   * Add two more SSL events, one triggered for each handshake message
-    and one triggered for the tls change cipherspec message. (Bernhard
+    and one triggered for the tls change cipherspec message. (Johanna
     Amann)
 
   * Small SSL bug fix. In case SSL::disable_analyzer_after_detection
     was set to false, the ssl_established event would fire after each
-    data packet once the session is established. (Bernhard Amann)
+    data packet once the session is established. (Johanna Amann)
 
 2.3-beta-16 | 2014-06-06 13:05:44 -0700
 
   * Re-activate notice suppression for expiring certificates.
-    (Bernhard Amann)
+    (Johanna Amann)
 
 2.3-beta-14 | 2014-06-05 14:43:33 -0700
 
-  * Add new TLS extension type numbers from IANA (Bernhard Amann)
+  * Add new TLS extension type numbers from IANA (Johanna Amann)
 
   * Switch to double hashing for Bloomfilters for better performance.
     (Matthias Vallentin)
@@ -1919,7 +2322,7 @@
     (Matthias Vallentin)
 
   * Make buffer for X509 certificate subjects larger. Addresses
-    BIT-1195 (Bernhard Amann)
+    BIT-1195 (Johanna Amann)
 
 2.3-beta-5 | 2014-05-29 15:34:42 -0500
 
@@ -1941,19 +2344,19 @@
 
   * Release 2.3-beta
 
-  * Clean up OpenSSL data structures on exit. (Bernhard Amann)
+  * Clean up OpenSSL data structures on exit. (Johanna Amann)
 
-  * Fixes for OCSP & x509 analysis memory leak issues. (Bernhard Amann)
+  * Fixes for OCSP & x509 analysis memory leak issues. (Johanna Amann)
 
   * Remove remaining references to BROMAGIC (Daniel Thayer)
 
   * Fix typos and formatting in event and BiF documentation (Daniel Thayer)
 
   * Update intel framework plugin for ssl server_name extension API
-    changes. (Bernhard Amann, Justin Azoff)
+    changes. (Johanna Amann, Justin Azoff)
 
   * Fix expression errors in SSL/x509 scripts when unparseable data
-    is in certificate chain. (Bernhard Amann)
+    is in certificate chain. (Johanna Amann)
 
 2.2-478 | 2014-05-19 15:31:33 -0500
 
@@ -1962,7 +2365,7 @@
 
 2.2-477 | 2014-05-19 14:13:00 -0500
 
-  * Fix X509::Result record's "result" field to be set internally as type int instead of type count. (Bernhard Amann)
+  * Fix X509::Result record's "result" field to be set internally as type int instead of type count. (Johanna Amann)
 
   * Fix a couple of doc build warnings (Daniel Thayer)
 
@@ -1980,19 +2383,19 @@
 
   * New script policy/protocols/ssl/validate-ocsp.bro that adds OSCP
     validation to ssl.log. The work is done by a new bif
-    x509_ocsp_verify(). (Bernhard Amann)
+    x509_ocsp_verify(). (Johanna Amann)
 
   * STARTTLS support for POP3 and SMTP. The SSL analyzer takes over
     when seen. smtp.log now logs when a connection switches to SSL.
-    (Bernhard Amann)
+    (Johanna Amann)
 
-  * Replace errors when parsing x509 certs with weirds. (Bernhard
+  * Replace errors when parsing x509 certs with weirds. (Johanna
     Amann)
 
-  * Improved Heartbleed attack/scan detection. (Bernhard Amann)
+  * Improved Heartbleed attack/scan detection. (Johanna Amann)
 
   * Let TLS analyzer fail better when no longer in sync with the data
-    stream. (Bernhard Amann)
+    stream. (Johanna Amann)
 
 2.2-444 | 2014-05-16 14:10:32 -0500
 
@@ -2011,7 +2414,7 @@
 
 2.2-427 | 2014-05-15 13:37:23 -0400
 
-  * Fix dynamic SumStats update on clusters (Bernhard Amann)
+  * Fix dynamic SumStats update on clusters (Johanna Amann)
 
 2.2-425 | 2014-05-08 16:34:44 -0700
 
@@ -2063,11 +2466,11 @@
 
   * Add DH support to SSL analyzer.  When using DHE or DH-Anon, sever
     key parameters are now available in scriptland.  Also add script to
-    alert on weak certificate keys or weak dh-params. (Bernhard Amann)
+    alert on weak certificate keys or weak dh-params. (Johanna Amann)
 
-  * Add a few more ciphers Bro did not know at all so far. (Bernhard Amann)
+  * Add a few more ciphers Bro did not know at all so far. (Johanna Amann)
 
-  * Log chosen curve when using ec cipher suite in TLS. (Bernhard Amann)
+  * Log chosen curve when using ec cipher suite in TLS. (Johanna Amann)
 
 2.2-397 | 2014-05-01 20:29:20 -0700
 
@@ -2079,7 +2482,7 @@
     (Jon Siwek)
 
   * Correct a notice for heartbleed. The notice is thrown correctly,
-    just the message conteined wrong values. (Bernhard Amann)
+    just the message conteined wrong values. (Johanna Amann)
 
   * Improve/standardize some malloc/realloc return value checks. (Jon
     Siwek)
@@ -2106,7 +2509,7 @@
 2.2-377 | 2014-04-24 16:57:54 -0700
 
   * A larger set of SSL improvements and extensions. Addresses
-    BIT-1178. (Bernhard Amann)
+    BIT-1178. (Johanna Amann)
 
         - Fixes TLS protocol version detection. It also should
           bail-out correctly on non-tls-connections now
@@ -2167,9 +2570,9 @@
 
 2.2-335 | 2014-04-10 15:04:57 -0700
 
-  * Small logic fix for main SSL script. (Bernhard Amann)
+  * Small logic fix for main SSL script. (Johanna Amann)
 
-  * Update DPD signatures for detecting TLS 1.2. (Bernhard Amann)
+  * Update DPD signatures for detecting TLS 1.2. (Johanna Amann)
 
   * Remove unused data member of SMTP_Analyzer to silence a Coverity
     warning. (Jon Siwek)
@@ -2198,7 +2601,7 @@
 2.2-315 | 2014-04-01 16:50:01 -0700
 
   * Change logging's "#types" description of sets to "set". Addresses
-    BIT-1163 (Bernhard Amann)
+    BIT-1163 (Johanna Amann)
 
 2.2-313 | 2014-04-01 16:40:19 -0700
 
@@ -2213,7 +2616,7 @@
     (Jon Siwek)
 
   * Fix potential memory leak in x509 parser reported by Coverity.
-    (Bernhard Amann)
+    (Johanna Amann)
 
 2.2-304 | 2014-03-30 23:05:54 +0200
 
@@ -2284,7 +2687,7 @@
     from the certificates (e.g. elliptic curve information, subject
     alternative names, basic constraints). Certificate validation also
     was improved, should be easier to use and exposes information like
-    the full verified certificate chain. (Bernhard Amann)
+    the full verified certificate chain. (Johanna Amann)
 
     This update changes the format of ssl.log and adds a new x509.log
     with certificate information. Furthermore all x509 events and
@@ -2322,7 +2725,7 @@
 2.2-256 | 2014-03-30 19:57:28 +0200
 
   * For the summary statistics framewirk, change all &create_expire
-    attributes to &read_expire in the cluster part. (Bernhard Amann)
+    attributes to &read_expire in the cluster part. (Johanna Amann)
 
 2.2-254 | 2014-03-30 19:55:22 +0200
 
@@ -2346,7 +2749,7 @@
 2.2-244 | 2014-03-17 08:24:17 -0700
 
   * Fix compile errror on FreeBSD caused by wrong include file order.
-    (Bernhard Amann)
+    (Johanna Amann)
 
 2.2-240 | 2014-03-14 10:23:54 -0700
 
@@ -2442,7 +2845,7 @@
 
   * Improve SSL logging so that connections are logged even when the
     ssl_established event is not generated as well as other small SSL
-    fixes. (Bernhard Amann)
+    fixes. (Johanna Amann)
 
 2.2-206 | 2014-03-03 16:52:28 -0800
 
@@ -2459,7 +2862,7 @@
   * Allow iterating over bif functions with result type vector of any.
     This changes the internal type that is used to signal that a
     vector is unspecified from any to void. Addresses BIT-1144
-    (Bernhard Amann)
+    (Johanna Amann)
 
 2.2-197 | 2014-02-28 15:36:58 -0800
 
@@ -2467,37 +2870,37 @@
 
 2.2-194 | 2014-02-28 14:50:53 -0800
 
-  * Remove packet sorter. Addresses BIT-700. (Bernhard Amann)
+  * Remove packet sorter. Addresses BIT-700. (Johanna Amann)
 
 2.2-192 | 2014-02-28 09:46:43 -0800
 
-  * Update Mozilla root bundle. (Bernhard Amann)
+  * Update Mozilla root bundle. (Johanna Amann)
 
 2.2-190 | 2014-02-27 07:34:44 -0800
 
-  * Adjust timings of a few leak tests. (Bernhard Amann)
+  * Adjust timings of a few leak tests. (Johanna Amann)
 
 2.2-187 | 2014-02-25 07:24:42 -0800
 
-  * More Google TLS extensions that are being actively used. (Bernhard
+  * More Google TLS extensions that are being actively used. Johanna(
     Amann)
 
   * Remove unused, and potentially unsafe, function
-    ListVal::IncludedInString. (Bernhard Amann)
+    ListVal::IncludedInString. (Johanna Amann)
 
 2.2-184 | 2014-02-24 07:28:18 -0800
 
   * New TLS constants from
     https://tools.ietf.org/html/draft-bmoeller-tls-downgrade-scsv-01.
-    (Bernhard Amann)
+    (Johanna Amann)
 
 2.2-180 | 2014-02-20 17:29:14 -0800
 
   * New SSL alert descriptions from
     https://tools.ietf.org/html/draft-ietf-tls-applayerprotoneg-04.
-    (Bernhard Amann)
+    (Johanna Amann)
 
-  * Update SQLite. (Bernhard Amann)
+  * Update SQLite. (Johanna Amann)
 
 2.2-177 | 2014-02-20 17:27:46 -0800
 
@@ -2528,7 +2931,7 @@
     'modbus_read_fifo_queue_response' event handler. (Jon Siwek)
 
   * Add channel_id TLS extension number. This number is not IANA
-    defined, but we see it being actively used. (Bernhard Amann)
+    defined, but we see it being actively used. (Johanna Amann)
 
   * Test baseline updates for DNS change. (Robin Sommer)
 
@@ -2570,7 +2973,7 @@
 
 2.2-147 | 2014-02-07 08:06:53 -0800
 
-  * Fix x509-extension test sometimes failing. (Bernhard Amann)
+  * Fix x509-extension test sometimes failing. (Johanna Amann)
 
 2.2-144 | 2014-02-06 20:31:18 -0800
 
@@ -2606,7 +3009,7 @@
 
 2.2-128 | 2014-01-30 15:58:47 -0800
 
-  * Add leak test for Exec module. (Bernhard Amann)
+  * Add leak test for Exec module. (Johanna Amann)
 
   * Fix file_over_new_connection event to trigger when entire file is
     missed. (Jon Siwek)
@@ -2624,7 +3027,7 @@
 2.2-120 | 2014-01-28 10:25:23 -0800
 
   * Fix and extend x509_extension() event, which now actually returns
-    the extension. (Bernhard Amann)
+    the extension. (Johanna Amann)
 
     New event signauture:
 
@@ -2739,7 +3142,7 @@
 
   * Several improvements to input framework error handling for more
     robustness and more helpful error messages. Includes tests for
-    many cases. (Bernhard Amann)
+    many cases. (Johanna Amann)
 
 2.2-66 | 2013-12-09 13:54:16 -0800
 
@@ -2765,7 +3168,7 @@
   * Fix memory leak in input framework. If the input framework was
     used to read event streams and those streams contained records
     with more than one field, not all elements of the threading Values
-    were cleaned up. Addresses BIT-1103. (Bernhard Amann)
+    were cleaned up. Addresses BIT-1103. (Johanna Amann)
 
   * Minor Broxygen improvements. Addresses BIT-1098. (Jon Siwek)
 
@@ -2809,7 +3212,7 @@
 2.2-40 | 2013-12-04 12:16:38 -0800
 
   * ssl_client_hello() now receives a vector of ciphers, instead of a
-    set, to preserve their order. (Bernhard Amann)
+    set, to preserve their order. (Johanna Amann)
 
 2.2-38 | 2013-12-04 12:10:54 -0800
 
@@ -2946,13 +3349,13 @@
 2.2-beta-157 | 2013-10-25 11:11:17 -0700
 
   * Extend the documentation of the SQLite reader/writer framework.
-    (Bernhard Amann)
+    (Johanna Amann)
 
   * Fix inclusion of wrong example file in scripting tutorial.
-    Reported by Michael Auger @LM4K. (Bernhard Amann)
+    Reported by Michael Auger @LM4K. (Johanna Amann)
 
   * Alternative fix for the thrading deadlock issue to avoid potential
-    performance impact. (Bernhard Amann)
+    performance impact. (Johanna Amann)
 
 2.2-beta-152 | 2013-10-24 18:16:49 -0700
 
@@ -2965,7 +3368,7 @@
 2.2-beta-150 | 2013-10-24 16:32:14 -0700
 
   * Change temporary ASCII reader workaround for getline() on
-    Mavericks to permanent fix. (Bernhard Amann)
+    Mavericks to permanent fix. (Johanna Amann)
 
 2.2-beta-148 | 2013-10-24 14:34:35 -0700
 
@@ -2979,7 +3382,7 @@
   * Intel framework notes added to NEWS. (Seth Hall)
 
   * Temporary OSX Mavericks libc++ issue workaround for getline()
-    problem in ASCII reader. (Bernhard Amann)
+    problem in ASCII reader. (Johanna Amann)
 
   * Change test of identify_data BIF to ignore charset as it may vary
     with libmagic version. (Jon Siwek)
@@ -3022,16 +3425,16 @@
 
 2.2-beta-80 | 2013-10-18 13:18:05 -0700
 
-  * SQLite reader/writer documentation. (Bernhard Amann)
+  * SQLite reader/writer documentation. (Johanna Amann)
 
   * Check that the SQLite reader is only used in MANUAL reading mode.
-    (Bernhard Amann)
+    (Johanna Amann)
 
   * Rename the SQLite writer "dbname" configuration option to
-    "tablename". (Bernhard Amann)
+    "tablename". (Johanna Amann)
 
   * Remove the "dbname" configuration option from the SQLite reader as
-    it wasn't used there. (Bernhard Amann)
+    it wasn't used there. (Johanna Amann)
 
 2.2-beta-73 | 2013-10-14 14:28:25 -0700
 
@@ -3063,9 +3466,9 @@
 
 2.2-beta-55 | 2013-10-10 13:36:38 -0700
 
-  * A couple of new TLS extension numbers. (Bernhard Amann)
+  * A couple of new TLS extension numbers. (Johanna Amann)
 
-  * Suport for three more new TLS ciphers. (Bernhard Amann)
+  * Suport for three more new TLS ciphers. (Johanna Amann)
 
   * Removing ICSI notary from default site config. (Robin Sommer)
 
@@ -3110,7 +3513,7 @@
 
 2.2-beta-18 | 2013-10-02 10:28:17 -0700
 
-  * Add support for further TLS cipher suites. (Bernhard Amann)
+  * Add support for further TLS cipher suites. (Johanna Amann)
 
 2.2-beta-13 | 2013-10-01 11:31:55 -0700
 
@@ -3160,7 +3563,7 @@
 
   * Add links to Intelligence Framework documentation. (Daniel Thayer)
 
-  * Update Mozilla root CA list. (Bernhard Amann, Jon Siwek)
+  * Update Mozilla root CA list. (Johanna Amann, Jon Siwek)
 
   * Update documentation of required packages. (Daniel Thayer)
 
@@ -3171,10 +3574,10 @@
 
 2.1-1357 | 2013-09-18 14:58:52 -0700
 
-  * Update HLL API and its documentation. (Bernhard Amann)
+  * Update HLL API and its documentation. (Johanna Amann)
 
   * Fix case in HLL where hll_error_margin could be undefined.
-    (Bernhard Amann)
+    (Johanna Amann)
 
 2.1-1352 | 2013-09-18 14:42:28 -0700
 
@@ -3235,7 +3638,7 @@
 
 
   * Support for probabilistic set cardinality, using the HyperLogLog
-    algorithm. (Bernhard Amann, Soumya Basu)
+    algorithm. (Johanna Amann, Soumya Basu)
 
     Bro now provides the following BiFs:
 
@@ -3274,7 +3677,7 @@
 2.1-1137 | 2013-08-27 13:26:44 -0700
 
   * Add BiF hexstr_to_bytestring() that does exactly the opposite of
-    bytestring_to_hexstr(). (Bernhard Amann)
+    bytestring_to_hexstr(). (Johanna Amann)
 
 2.1-1135 | 2013-08-27 12:16:26 -0700
 
@@ -3346,7 +3749,7 @@
 
 2.1-1078 | 2013-08-19 09:29:30 -0700
 
-  * Moving sqlite code into new external 3rdparty submodule. (Bernhard
+  * Moving sqlite code into new external 3rdparty submodule. Johanna(
     Amann)
 
 2.1-1074 | 2013-08-14 10:29:54 -0700
@@ -3446,12 +3849,12 @@
 
 2.1-1007 | 2013-08-01 15:41:54 -0700
 
-  * More function documentation. (Bernhard Amann)
+  * More function documentation. (Johanna Amann)
 
 2.1-1004 | 2013-08-01 14:37:43 -0700
 
   * Adding a probabilistic data structure for computing "top k"
-    elements. (Bernhard Amann)
+    elements. (Johanna Amann)
 
     The corresponding functions are:
 
@@ -3485,7 +3888,7 @@
 2.1-948 | 2013-07-31 20:08:28 -0700
 
   * Fix segfault caused by merging an empty bloom-filter with a
-    bloom-filter already containing values. (Bernhard Amann)
+    bloom-filter already containing values. (Johanna Amann)
 
 2.1-945 | 2013-07-30 10:05:10 -0700
 
@@ -3625,12 +4028,12 @@
 2.1-814 | 2013-07-15 18:18:20 -0700
 
   * Fixing raw reader crash when accessing nonexistant file, and
-    memory leak when reading from file. Addresses #1038. (Bernhard
+    memory leak when reading from file. Addresses #1038. (Johanna
     Amann)
 
 2.1-811 | 2013-07-14 08:01:54 -0700
 
-  * Bump sqlite to 3.7.17. (Bernhard Amann)
+  * Bump sqlite to 3.7.17. (Johanna Amann)
 
   * Small test fixes. (Seth Hall)
 
@@ -3680,7 +4083,7 @@
 2.1-780 | 2013-07-03 16:46:26 -0700
 
   * Rewrite of the RAW input reader for improved robustness and new
-    features. (Bernhard Amann) This includes:
+    features. (Johanna Amann) This includes:
 
         - Send "end_of_data" event for all kind of streams.
         - Send "process_finished" event with exit code of child
@@ -3809,12 +4212,12 @@
 
 2.1-656 | 2013-05-17 15:58:07 -0700
 
-  * Fix mutex lock problem for writers. (Bernhard Amann)
+  * Fix mutex lock problem for writers. (Johanna Amann)
 
 2.1-654 | 2013-05-17 13:49:52 -0700
 
   * Tweaks to sqlite3 configuration to address threading issues.
-    (Bernhard Amann)
+    (Johanna Amann)
 
 2.1-651 | 2013-05-17 13:37:16 -0700
 
@@ -3840,7 +4243,7 @@
 
 2.1-640 | 2013-05-15 17:24:09 -0700
 
-  * Support for cleaning up threads that have terminated. (Bernhard
+  * Support for cleaning up threads that have terminated. (Johanna
     Amann and Robin Sommer). Includes:
 
       - Both logging and input frameworks now clean up threads once
@@ -3857,14 +4260,14 @@
 2.1-626 | 2013-05-15 16:09:31 -0700
 
   * Add "reservoir" sampler for SumStats framework. This maintains
-    a set of N uniquely distributed random samples. (Bernhard Amann)
+    a set of N uniquely distributed random samples. (Johanna Amann)
 
 2.1-619 | 2013-05-15 16:01:42 -0700
 
   * SQLite reader and writer combo. This allows to read/write
     persistent data from on disk SQLite databases. The current
     interface is quite low-level, we'll add higher-level abstractions
-    in the future. (Bernhard Amann)
+    in the future. (Johanna Amann)
 
 2.1-576 | 2013-05-15 14:29:09 -0700
 
@@ -3885,7 +4288,7 @@
 2.1-500 | 2013-05-10 19:22:24 -0700
 
   * Fix to prevent merge-hook of SumStat's unique plugin from damaging
-    source data. (Bernhard Amann)
+    source data. (Johanna Amann)
 
 2.1-498 | 2013-05-03 17:44:08 -0700
 
@@ -3901,7 +4304,7 @@
 2.1-492 | 2013-05-02 12:46:26 -0700
 
   * Work-around for sumstats framework not propagating updates after
-    intermediate check in cluster environments. (Bernhard Amann)
+    intermediate check in cluster environments. (Johanna Amann)
 
   * Always apply tcp_connection_attempt. Before this change it was
     only applied when a connection_attempt() event handler was
@@ -3956,7 +4359,7 @@
 2.1-380 | 2013-03-18 12:18:10 -0700
 
   * Fix gcc compile warnings in base64 encoder and benchmark reader.
-    (Bernhard Amann)
+    (Johanna Amann)
 
 2.1-377 | 2013-03-17 17:36:09 -0700
 
@@ -3965,10 +4368,10 @@
 2.1-375 | 2013-03-17 13:14:26 -0700
 
   * Add base64 encoding functionality, including new BiFs
-	encode_base64() and encode_base64_custom(). (Bernhard Amann)
+	encode_base64() and encode_base64_custom(). (Johanna Amann)
 
   * Replace call to external "openssl" in extract-certs-pem.bro with
-	that encode_base64(). (Bernhard Amann)
+	that encode_base64(). (Johanna Amann)
 
   * Adding a test for extract-certs-pem.pem. (Robin Sommer)
 
@@ -4002,7 +4405,7 @@
 
 2.1-357 | 2013-03-08 09:18:35 -0800
 
-  * Fix race-condition in table-event test. (Bernhard Amann)
+  * Fix race-condition in table-event test. (Johanna Amann)
 
   * s/bro-ids.org/bro.org/g. (Robin Sommer)
 
@@ -4019,9 +4422,9 @@
 
 2.1-347 | 2013-03-06 16:48:44 -0800
 
-  * Remove unused parameter from vector assignment method. (Bernhard Amann)
+  * Remove unused parameter from vector assignment method. (Johanna Amann)
 
-  * Remove the byte_len() and length() bifs. (Bernhard Amann)
+  * Remove the byte_len() and length() bifs. (Johanna Amann)
 
 2.1-342 | 2013-03-06 15:42:52 -0800
 
@@ -4073,7 +4476,7 @@
 
 2.1-319 | 2013-02-04 09:45:34 -0800
 
-  * Update input tests to use exit_only_after_terminate. (Bernhard
+  * Update input tests to use exit_only_after_terminate. (Johanna
     Amann)
 
   * New option exit_only_after_terminate to prevent Bro from exiting.
@@ -4105,7 +4508,7 @@
 2.1-302 | 2013-01-23 16:17:29 -0800
 
   * Refactoring ASCII formatting/parsing from loggers/readers into a
-    separate AsciiFormatter class. (Bernhard Amann)
+    separate AsciiFormatter class. (Johanna Amann)
 
   * Fix uninitialized locals in event/hook handlers from having a
     value. Addresses #932. (Jon Siwek)
@@ -4136,7 +4539,7 @@
   * Removing unused class member. (Robin Sommer)
 
   * Add opaque type-ignoring for the accept_unsupported_types input
-    framework option. (Bernhard Amann)
+    framework option. (Johanna Amann)
 
 2.1-271 | 2013-01-08 10:18:57 -0800
 
@@ -4217,7 +4620,7 @@
 2.1-229 | 2012-12-14 14:46:12 -0800
 
   * Fix memory leak in ASCII reader when encoutering errors in input.
-    (Bernhard Amann)
+    (Johanna Amann)
 
   * Improvements for the "bad checksums" detector to make it detect
     bad TCP checksums. (Seth Hall)
@@ -4288,7 +4691,7 @@
     yet. Addresses #66. (Jon Siwek)
 
   * Fix segfault: Delete correct entry in error case in input
-    framework. (Bernhard Amann)
+    framework. (Johanna Amann)
 
   * Bad record constructor initializers now give an error. Addresses
     #34. (Jon Siwek)
@@ -4546,7 +4949,7 @@
   * Rename the Input Framework's update_finished event to end_of_data.
     It will now not only fire after table-reads have been completed,
     but also after the last event of a whole-file-read (or
-    whole-db-read, etc.). (Bernhard Amann)
+    whole-db-read, etc.). (Johanna Amann)
 
   * Fix for DNS log problem when a DNS response is seen with 0 RRs.
     (Seth Hall)
@@ -4561,7 +4964,7 @@
 2.1-61 | 2012-10-12 09:32:48 -0700
 
   * Fix bug in the input framework: the config table did not work.
-    (Bernhard Amann)
+    (Johanna Amann)
 
 2.1-58 | 2012-10-08 10:10:09 -0700
 
@@ -4596,7 +4999,7 @@
 
   * Fix for the input framework: BroStrings were constructed without a
     final \0, which makes them unusable by basically all internal
-    functions (like to_count). (Bernhard Amann)
+    functions (like to_count). (Johanna Amann)
 
   * Remove deprecated script functionality (see NEWS for details).
     (Daniel Thayer)
@@ -4648,7 +5051,7 @@
   * Small change to non-blocking DNS initialization. (Jon Siwek)
 
   * Reorder a few statements in scan.l to make 1.5msecs etc work.
-    Adresses #872. (Bernhard Amann)
+    Adresses #872. (Johanna Amann)
 
 2.1-6 | 2012-09-06 23:23:14 -0700
 
@@ -4677,11 +5080,11 @@
   * Fix uninitialized value for 'is_partial' in TCP analyzer. (Jon
     Siwek)
 
-  * Parse 64-bit consts in Bro scripts correctly. (Bernhard Amann)
+  * Parse 64-bit consts in Bro scripts correctly. (Johanna Amann)
 
-  * Output 64-bit counts correctly on 32-bit machines (Bernhard Amann)
+  * Output 64-bit counts correctly on 32-bit machines (Johanna Amann)
 
-  * Input framework fixes, including:  (Bernhard Amann)
+  * Input framework fixes, including:  (Johanna Amann)
 
     - One of the change events got the wrong parameters.
 
@@ -4722,7 +5125,7 @@
 2.1-beta-45 | 2012-08-22 16:11:10 -0700
 
   * Add an option to the input framework that allows the user to chose
-    to not die upon encountering files/functions. (Bernhard Amann)
+    to not die upon encountering files/functions. (Johanna Amann)
 
 2.1-beta-41 | 2012-08-22 16:05:21 -0700
 
@@ -4741,7 +5144,7 @@
 2.1-beta-35 | 2012-08-22 08:44:52 -0700
 
   * Add testcase for input framework reading sets (rather than
-    tables). (Bernhard Amann)
+    tables). (Johanna Amann)
 
 2.1-beta-31 | 2012-08-21 15:46:05 -0700
 
@@ -4800,9 +5203,9 @@
 
 2.1-beta-6 | 2012-08-10 12:22:52 -0700
 
-  * Fix bug in input framework with an edge case. (Bernhard Amann)
+  * Fix bug in input framework with an edge case. (Johanna Amann)
 
-  * Fix small bug in input framework test script. (Bernhard Amann)
+  * Fix small bug in input framework test script. (Johanna Amann)
 
 2.1-beta-3 | 2012-08-03 10:46:49 -0700
 
@@ -4851,13 +5254,13 @@
     writers that don't have a postprocessor. (Seth Hall)
 
   * Update input framework documentation to reflect want_record
-    change. (Bernhard Amann)
+    change. (Johanna Amann)
 
   * Fix crash when encountering an InterpreterException in a predicate
-    in logging or input Framework. (Bernhard Amann)
+    in logging or input Framework. (Johanna Amann)
 
   * Input framework: Make want_record=T the default for events
-    (Bernhard Amann)
+    (Johanna Amann)
 
   * Changing the start/end markers in logs to open/close now
     reflecting wall clock. (Robin Sommer)
@@ -4879,10 +5282,10 @@
 
   * Add comprehensive error handling for close() calls. (Jon Siwek)
 
-  * Add more test cases for input framework. (Bernhard Amann)
+  * Add more test cases for input framework. (Johanna Amann)
 
   * Input framework: make error output for non-matching event types
-    much more verbose. (Bernhard Amann)
+    much more verbose. (Johanna Amann)
 
 2.0-877 | 2012-07-25 17:20:34 -0700
 
@@ -4922,12 +5325,12 @@
   * Fix initialization problem in logging class. (Jon Siwek)
 
   * Input framework now accepts escaped ASCII values as input (\x##),
-    and unescapes appropiately. (Bernhard Amann)
+    and unescapes appropiately. (Johanna Amann)
 
   * Make reading ASCII logfiles work when the input separator is
-    different from \t. (Bernhard Amann)
+    different from \t. (Johanna Amann)
 
-  * A number of smaller fixes for input framework. (Bernhard Amann)
+  * A number of smaller fixes for input framework. (Johanna Amann)
 
 2.0-851 | 2012-07-24 15:04:14 -0700
 
@@ -4947,7 +5350,7 @@
   * Reworking parts of the internal threading/logging/input APIs for
     thread-safety. (Robin Sommer)
 
-  * Bugfix for SSL version check. (Bernhard Amann)
+  * Bugfix for SSL version check. (Johanna Amann)
 
   * Changing a HTTP DPD from port 3138 to 3128. Addresses #857. (Robin
     Sommer)
@@ -4967,7 +5370,7 @@
     #763. (Robin Sommer)
 
   * Fix bug, where in dns.log rcode always was set to 0/NOERROR when
-    no reply package was seen. (Bernhard Amann)
+    no reply package was seen. (Johanna Amann)
 
   * Updating to Mozilla's current certificate bundle. (Seth Hall)
 
@@ -4983,7 +5386,7 @@
   * Remove baselines for some leak-detecting unit tests. (Jon Siwek)
 
   * Unblock SIGFPE, SIGILL, SIGSEGV and SIGBUS for threads, so that
-    they now propagate to the main thread. Adresses #848. (Bernhard
+    they now propagate to the main thread. Adresses #848. (Johanna
     Amann)
 
 2.0-761 | 2012-07-12 08:14:38 -0700
@@ -4991,7 +5394,7 @@
   * Some small fixes to further reduce SOCKS false positive logs. (Seth Hall)
 
   * Calls to pthread_mutex_unlock now log the reason for failures.
-    (Bernhard Amann)
+    (Johanna Amann)
 
 2.0-757 | 2012-07-11 08:30:19 -0700
 
@@ -5022,11 +5425,11 @@
 
 2.0-733 | 2012-07-02 15:31:24 -0700
 
-  * Extending the input reader DoInit() API. (Bernhard Amann). It now
+  * Extending the input reader DoInit() API. (Johanna Amann). It now
     provides a Info struct similar to what we introduced for log
     writers, including a corresponding "config" key/value table.
 
-  * Fix to make writer-info work when debugging is enabled. (Bernhard
+  * Fix to make writer-info work when debugging is enabled. (Johanna
     Amann)
 
 2.0-726 | 2012-07-02 15:19:15 -0700
@@ -5065,7 +5468,7 @@
 
   * Set input frontend type before starting the thread. This means
     that the thread type will be output correctly in the error
-    message. (Bernhard Amann)
+    message. (Johanna Amann)
 
 2.0-719 | 2012-07-02 14:49:03 -0700
 
@@ -5154,7 +5557,7 @@
 
 2.0-622 | 2012-06-15 15:38:43 -0700
 
-  * Input framework updates. (Bernhard Amann)
+  * Input framework updates. (Johanna Amann)
 
     - Disable streaming reads from executed commands. This lead to
       hanging Bros because pclose apparently can wait for eternity if
@@ -5233,7 +5636,7 @@
 
   * A new input framework enables scripts to read in external data
     dynamically on the fly as Bro is processing network traffic.
-    (Bernhard Amann)
+    (Johanna Amann)
 
     Currently, the framework supports reading ASCII input that's
     structured similar as Bro's log files as well as raw blobs of
@@ -5400,7 +5803,7 @@
 2.0-315 | 2012-05-03 11:44:17 -0700
 
   * Add two more TLS extension values that we see in live traffic.
-    (Bernhard Amann)
+    (Johanna Amann)
 
   * Fixed IPv6 link local unicast CIDR and added IPv6 loopback to
     private address space. (Seth Hall)
@@ -5788,7 +6191,7 @@
 
 2.0-41 | 2012-02-03 04:10:53 -0500
 
-  * Updates to the Software framework to simplify the API. (Bernhard
+  * Updates to the Software framework to simplify the API. (Johanna
     Amann)
 
 2.0-40 | 2012-02-03 01:55:27 -0800
@@ -5931,7 +6334,7 @@
 
 2.0-beta-152 | 2012-01-03 14:51:34 -0800
 
-  * Notices now record the transport-layer protocol. (Bernhard Amann)
+  * Notices now record the transport-layer protocol. (Johanna Amann)
 
 2.0-beta-150 | 2012-01-03 14:42:45 -0800
 
@@ -5958,7 +6361,7 @@
     assignments. Addresses #722. (Jon Siwek)
 
   * Make log headers include the type of data stored inside a set or
-    vector ("vector[string]"). (Bernhard Amann)
+    vector ("vector[string]"). (Johanna Amann)
 
 2.0-beta-126 | 2011-12-18 15:18:05 -0800
 
@@ -6095,11 +6498,11 @@
   * Fix order of include directories. (Jon Siwek)
 
   * Catch if logged vectors do not contain only atomic types.
-    (Bernhard Amann)
+    (Johanna Amann)
 
 2.0-beta-47 | 2011-11-16 08:24:33 -0800
 
-  * Catch if logged sets do not contain only atomic types. (Bernhard
+  * Catch if logged sets do not contain only atomic types. (Johanna
     Amann)
 
   * Promote libz and libmagic to required dependencies. (Jon Siwek)
diff --git a/CMakeLists.txt b/CMakeLists.txt
index b96923aa56..374af64a18 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -88,7 +88,7 @@ endif ()
 
 include_directories(BEFORE
                     ${PCAP_INCLUDE_DIR}
-                    ${OpenSSL_INCLUDE_DIR}
+                    ${OPENSSL_INCLUDE_DIR}
                     ${BIND_INCLUDE_DIR}
                     ${BinPAC_INCLUDE_DIR}
                     ${ZLIB_INCLUDE_DIR}
@@ -141,7 +141,7 @@ endif ()
 set(brodeps
     ${BinPAC_LIBRARY}
     ${PCAP_LIBRARY}
-    ${OpenSSL_LIBRARIES}
+    ${OPENSSL_LIBRARIES}
     ${BIND_LIBRARY}
     ${ZLIB_LIBRARY}
     ${JEMALLOC_LIBRARIES}
diff --git a/NEWS b/NEWS
index e8c0268644..4aa7fa8330 100644
--- a/NEWS
+++ b/NEWS
@@ -23,11 +23,30 @@ New Dependencies
 New Functionality
 -----------------
 
+- Bro now includes the NetControl framework. The framework allows for easy
+  interaction of Bro with hard- and software switches, firewalls, etc.
+
+- There is a new file entropy analyzer for files.
+
+- Bro now supports the remote framebuffer protocol (RFB) that is used by
+  VNC servers for remote graphical displays.
+
 - Bro now supports the Radiotap header for 802.11 frames.
 
+- Bro now has rudimentary IMAP and XMPP analyzers examinig the initial
+  phases of the protocol. Right now these analyzer only identify
+  STARTTLS sessions, handing them over to TLS analysis. The analyzer
+  does not yet analyze any further IMAP/XMPP content.
+
 - Bro now tracks VLAN IDs. To record them inside the connection log,
   load protocols/conn/vlan-logging.bro.
 
+- The new misc/stats.bro records Bro executions statistics in a
+  standard Bro log file.
+
+- A new dns_CAA_reply event gives access to DNS Certification Authority
+  Authorization replies.
+
 - A new per-packet event raw_packet() provides access to layer 2
   information. Use with care, generating events per packet is
   expensive.
@@ -37,12 +56,51 @@ New Functionality
   argument that will be used for decoding errors into weird.log
   (instead of reporter.log).
 
+- A new get_current_packet_header bif returns the headers of the current
+  packet.
+
+- Two new built-in functions for handling set[subnet] and table[subnet]:
+
+  - check_subnet(subnet, table) checks if a specific subnet is a member
+    of a set/table. This is different from the "in" operator, which always
+    performs a longest prefix match.
+
+  - matching_subnets(subnet, table) returns all subnets of the set or table
+    that contain the given subnet.
+
+  - filter_subnet_table(subnet, table) works like check_subnet, but returns
+    a table containing all matching entries.
+
+- Several built-in functions for handling IP addresses and subnets were added:
+
+  - is_v4_subnet(subnet) checks whether a subnet specification is IPv4.
+
+  - is_v6_subnet(subnet) checks whether a subnet specification is IPv6.
+
+  - addr_to_subnet(addr) converts an IP address to a /32 subnet.
+
+  - subnet_to_addr(subnet) returns the IP address part of a subnet.
+
+  - subnet_width(subnet) returns the width of a subnet.
+
 - The IRC analyzer now recognizes StartTLS sessions and enable the SSL
   analyzer for them.
 
+- A set of new built-in function for gathering execution statistics:
+
+      get_net_stats(), get_conn_stats(), get_proc_stats(),
+      get_event_stats(), get_reassembler_stats(), get_dns_stats(),
+      get_timer_stats(), get_file_analysis_stats(), get_thread_stats(),
+      get_gap_stats(), get_matcher_stats(),
+
+- Two new functions haversine_distance() and haversine_distance_ip()
+  for calculating geographic distances. They requires that Bro be
+  built with libgeoip.
+
 - New Bro plugins in aux/plugins:
 
     - af_packet: Native AF_PACKET support.
+    - kafka : Log writer interfacing to Kafka.
     - myricom: Native Myricom SNF v3 support.
     - pf_ring: Native PF_RING support.
     - redis: An experimental log writer for Redis.
@@ -51,6 +109,16 @@ New Functionality
 Changed Functionality
 ---------------------
 
+- The BrokerComm and BrokerStore namespaces were renamed to Broker.
+  The Broker "print" function was renamed to Broker::send_print, and
+  "event" to "Broker::send_event".
+
+- ``SSH::skip_processing_after_detection`` was removed. The functionality was
+  replaced by ``SSH::disable_analyzer_after_detection``.
+
+- ``net_stats()`` and ``resource_usage()`` have been superseded by the
+  new execution statistics functions (see above).
+
 - Some script-level identifier have changed their names:
 
       snaplen                  -> Pcap::snaplen
diff --git a/VERSION b/VERSION
index 943e3a2081..ac2ea9d11f 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.4-253
+2.4-613
diff --git a/aux/binpac b/aux/binpac
index 2edf0a5885..97df41aa79 160000
--- a/aux/binpac
+++ b/aux/binpac
@@ -1 +1 @@
-Subproject commit 2edf0a58854ca5bdb444e74ec8cbac0fafbd42f4
+Subproject commit 97df41aa79344faadaf075f7fa673b87ecbc6f77
diff --git a/aux/bro-aux b/aux/bro-aux
index f5da34fb4f..4ba16fa2fc 160000
--- a/aux/bro-aux
+++ b/aux/bro-aux
@@ -1 +1 @@
-Subproject commit f5da34fb4fbe00a683697e9052cffdd7d804f8c1
+Subproject commit 4ba16fa2fcd59d90ea497965f77655d2111bc9e8
diff --git a/aux/broccoli b/aux/broccoli
index 0880251535..2592077f96 160000
--- a/aux/broccoli
+++ b/aux/broccoli
@@ -1 +1 @@
-Subproject commit 0880251535df5a3a16feb2b25c26a04aa52585f1
+Subproject commit 2592077f96008f5c64b23b6fd605bfce3ec47d84
diff --git a/aux/broctl b/aux/broctl
index 5d765dd9d9..214682a9d4 160000
--- a/aux/broctl
+++ b/aux/broctl
@@ -1 +1 @@
-Subproject commit 5d765dd9d94eb25b31d1ecf8df6561fc714694fc
+Subproject commit 214682a9d4b238dc55d7ecfa7c127c3aaad750d4
diff --git a/aux/broker b/aux/broker
index 5c90543dee..a4f81f79cf 160000
--- a/aux/broker
+++ b/aux/broker
@@ -1 +1 @@
-Subproject commit 5c90543dee9212121d08e6aa630fb81dd5133df7
+Subproject commit a4f81f79cfc0d0fe3fe435d33217f5bf9c2279e1
diff --git a/aux/btest b/aux/btest
index 71a1e3efc4..4bea8fa948 160000
--- a/aux/btest
+++ b/aux/btest
@@ -1 +1 @@
-Subproject commit 71a1e3efc437aa9f981be71affa1c4615e8d98a5
+Subproject commit 4bea8fa948be2bc86ff92399137131bc1c029b08
diff --git a/aux/plugins b/aux/plugins
index 1021ca5f24..ebab672fa4 160000
--- a/aux/plugins
+++ b/aux/plugins
@@ -1 +1 @@
-Subproject commit 1021ca5f248b9da01766e94d840896e029fb0e6e
+Subproject commit ebab672fa404b26944a6df6fbfb1aaab95ec5d48
diff --git a/bro-config.h.in b/bro-config.h.in
index 755a9eee98..290dd31cae 100644
--- a/bro-config.h.in
+++ b/bro-config.h.in
@@ -14,12 +14,18 @@
 /* We are on a Linux system */
 #cmakedefine HAVE_LINUX
 
+/* We are on a Mac OS X (Darwin) system */
+#cmakedefine HAVE_DARWIN
+
 /* Define if you have the `mallinfo' function. */
 #cmakedefine HAVE_MALLINFO
 
 /* Define if you have the <memory.h> header file. */
 #cmakedefine HAVE_MEMORY_H
 
+/* Define if you have the <netinet/ether.h> header file */
+#cmakedefine HAVE_NETINET_ETHER_H
+
 /* Define if you have the <netinet/if_ether.h> header file. */
 #cmakedefine HAVE_NETINET_IF_ETHER_H
 
diff --git a/cmake b/cmake
index 23773d7107..b8b4604f36 160000
--- a/cmake
+++ b/cmake
@@ -1 +1 @@
-Subproject commit 23773d7107e8d51e2b1bb0fd2e2d85fda50df743
+Subproject commit b8b4604f362aa8d4b64e589cbea499a0c041ef24
diff --git a/configure b/configure
index f94085f9d3..1df97334c9 100755
--- a/configure
+++ b/configure
@@ -57,7 +57,7 @@ Usage: $0 [OPTION]... [VAR=VALUE]...
     --with-flex=PATH       path to flex executable
     --with-bison=PATH      path to bison executable
     --with-python=PATH     path to Python executable
-    --with-libcaf=PATH     path to C++ Actor Framework installation
+    --with-caf=PATH        path to C++ Actor Framework installation
                            (a required Broker dependency)
 
   Optional Packages in Non-Standard Locations:
@@ -226,7 +226,7 @@ while [ $# -ne 0 ]; do
             append_cache_entry DISABLE_RUBY_BINDINGS     BOOL   false
             ;;
         --with-openssl=*)
-            append_cache_entry OpenSSL_ROOT_DIR PATH $optarg
+            append_cache_entry OPENSSL_ROOT_DIR PATH $optarg
             ;;
         --with-bind=*)
             append_cache_entry BIND_ROOT_DIR PATH $optarg
@@ -276,8 +276,12 @@ while [ $# -ne 0 ]; do
         --with-swig=*)
             append_cache_entry SWIG_EXECUTABLE      PATH    $optarg
             ;;
+        --with-caf=*)
+            append_cache_entry CAF_ROOT_DIR      PATH   $optarg
+            ;;
         --with-libcaf=*)
-            append_cache_entry LIBCAF_ROOT_DIR      PATH   $optarg
+            echo "warning: --with-libcaf deprecated, use --with-caf instead"
+            append_cache_entry CAF_ROOT_DIR      PATH   $optarg
             ;;
         --with-rocksdb=*)
             append_cache_entry ROCKSDB_ROOT_DIR     PATH   $optarg
diff --git a/doc/cluster/index.rst b/doc/cluster/index.rst
index 544ca5e0f8..6e426c005e 100644
--- a/doc/cluster/index.rst
+++ b/doc/cluster/index.rst
@@ -96,13 +96,13 @@ logging is done remotely to the manager, and normally very little is written
 to disk.
 
 The rule of thumb we have followed recently is to allocate approximately 1
-core for every 80Mbps of traffic that is being analyzed. However, this
+core for every 250Mbps of traffic that is being analyzed. However, this
 estimate could be extremely traffic mix-specific.  It has generally worked
 for mixed traffic with many users and servers.  For example, if your traffic
 peaks around 2Gbps (combined) and you want to handle traffic at peak load,
-you may want to have 26 cores available (2048 / 80 == 25.6).  If the 80Mbps
-estimate works for your traffic, this could be handled by 3 physical hosts
-dedicated to being workers with each one containing dual 6-core processors.
+you may want to have 8 cores available (2048 / 250 == 8.2).  If the 250Mbps
+estimate works for your traffic, this could be handled by 2 physical hosts
+dedicated to being workers with each one containing a quad-core processor.
 
 Once a flow-based load balancer is put into place this model is extremely
 easy to scale. It is recommended that you estimate the amount of
diff --git a/doc/components/bro-plugins/kafka/README.rst b/doc/components/bro-plugins/kafka/README.rst
new file mode 120000
index 0000000000..6ca2195f17
--- /dev/null
+++ b/doc/components/bro-plugins/kafka/README.rst
@@ -0,0 +1 @@
+../../../../aux/plugins/kafka/README
\ No newline at end of file
diff --git a/doc/conf.py.in b/doc/conf.py.in
index 4faebed3b8..ef9367483a 100644
--- a/doc/conf.py.in
+++ b/doc/conf.py.in
@@ -66,7 +66,7 @@ master_doc = 'index'
 
 # General information about the project.
 project = u'Bro'
-copyright = u'2013, The Bro Project'
+copyright = u'2016, The Bro Project'
 
 # The version info for the project you're documenting, acts as replacement for
 # |version| and |release|, also used in various other places throughout the
diff --git a/doc/frameworks/broker.rst b/doc/frameworks/broker.rst
index 8c5ed24e25..9c9ed89514 100644
--- a/doc/frameworks/broker.rst
+++ b/doc/frameworks/broker.rst
@@ -17,20 +17,20 @@ Connecting to Peers
 ===================
 
 Communication via Broker must first be turned on via
-:bro:see:`BrokerComm::enable`.
+:bro:see:`Broker::enable`.
 
-Bro can accept incoming connections by calling :bro:see:`BrokerComm::listen`
+Bro can accept incoming connections by calling :bro:see:`Broker::listen`
 and then monitor connection status updates via the
-:bro:see:`BrokerComm::incoming_connection_established` and
-:bro:see:`BrokerComm::incoming_connection_broken` events.
+:bro:see:`Broker::incoming_connection_established` and
+:bro:see:`Broker::incoming_connection_broken` events.
 
 .. btest-include:: ${DOC_ROOT}/frameworks/broker/connecting-listener.bro
 
-Bro can initiate outgoing connections by calling :bro:see:`BrokerComm::connect`
+Bro can initiate outgoing connections by calling :bro:see:`Broker::connect`
 and then monitor connection status updates via the
-:bro:see:`BrokerComm::outgoing_connection_established`,
-:bro:see:`BrokerComm::outgoing_connection_broken`, and
-:bro:see:`BrokerComm::outgoing_connection_incompatible` events.
+:bro:see:`Broker::outgoing_connection_established`,
+:bro:see:`Broker::outgoing_connection_broken`, and
+:bro:see:`Broker::outgoing_connection_incompatible` events.
 
 .. btest-include:: ${DOC_ROOT}/frameworks/broker/connecting-connector.bro
 
@@ -38,14 +38,14 @@ Remote Printing
 ===============
 
 To receive remote print messages, first use the
-:bro:see:`BrokerComm::subscribe_to_prints` function to advertise to peers a
+:bro:see:`Broker::subscribe_to_prints` function to advertise to peers a
 topic prefix of interest and then create an event handler for
-:bro:see:`BrokerComm::print_handler` to handle any print messages that are
+:bro:see:`Broker::print_handler` to handle any print messages that are
 received.
 
 .. btest-include:: ${DOC_ROOT}/frameworks/broker/printing-listener.bro
 
-To send remote print messages, just call :bro:see:`BrokerComm::print`.
+To send remote print messages, just call :bro:see:`Broker::send_print`.
 
 .. btest-include:: ${DOC_ROOT}/frameworks/broker/printing-connector.bro
 
@@ -69,14 +69,14 @@ Remote Events
 =============
 
 Receiving remote events is similar to remote prints.  Just use the
-:bro:see:`BrokerComm::subscribe_to_events` function and possibly define any
+:bro:see:`Broker::subscribe_to_events` function and possibly define any
 new events along with handlers that peers may want to send.
 
 .. btest-include:: ${DOC_ROOT}/frameworks/broker/events-listener.bro
 
 There are two different ways to send events.  The first is to call the
-:bro:see:`BrokerComm::event` function directly.  The second option is to call
-the :bro:see:`BrokerComm::auto_event` function where you specify a
+:bro:see:`Broker::send_event` function directly.  The second option is to call
+the :bro:see:`Broker::auto_event` function where you specify a
 particular event that will be automatically sent to peers whenever the
 event is called locally via the normal event invocation syntax.
 
@@ -104,14 +104,14 @@ Remote Logging
 
 .. btest-include:: ${DOC_ROOT}/frameworks/broker/testlog.bro
 
-Use the :bro:see:`BrokerComm::subscribe_to_logs` function to advertise interest
+Use the :bro:see:`Broker::subscribe_to_logs` function to advertise interest
 in logs written by peers.  The topic names that Bro uses are implicitly of the
 form "bro/log/<stream-name>".
 
 .. btest-include:: ${DOC_ROOT}/frameworks/broker/logs-listener.bro
 
 To send remote logs either redef :bro:see:`Log::enable_remote_logging` or
-use the :bro:see:`BrokerComm::enable_remote_logs` function.  The former
+use the :bro:see:`Broker::enable_remote_logs` function.  The former
 allows any log stream to be sent to peers while the latter enables remote
 logging for particular streams.
 
@@ -137,24 +137,24 @@ Tuning Access Control
 By default, endpoints do not restrict the message topics that it sends
 to peers and do not restrict what message topics and data store
 identifiers get advertised to peers.  These are the default
-:bro:see:`BrokerComm::EndpointFlags` supplied to :bro:see:`BrokerComm::enable`.
+:bro:see:`Broker::EndpointFlags` supplied to :bro:see:`Broker::enable`.
 
 If not using the ``auto_publish`` flag, one can use the
-:bro:see:`BrokerComm::publish_topic` and :bro:see:`BrokerComm::unpublish_topic`
+:bro:see:`Broker::publish_topic` and :bro:see:`Broker::unpublish_topic`
 functions to manipulate the set of message topics (must match exactly)
 that are allowed to be sent to peer endpoints.  These settings take
 precedence over the per-message ``peers`` flag supplied to functions
-that take a :bro:see:`BrokerComm::SendFlags` such as :bro:see:`BrokerComm::print`,
-:bro:see:`BrokerComm::event`, :bro:see:`BrokerComm::auto_event` or
-:bro:see:`BrokerComm::enable_remote_logs`.
+that take a :bro:see:`Broker::SendFlags` such as :bro:see:`Broker::send_print`,
+:bro:see:`Broker::send_event`, :bro:see:`Broker::auto_event` or
+:bro:see:`Broker::enable_remote_logs`.
 
 If not using the ``auto_advertise`` flag, one can use the
-:bro:see:`BrokerComm::advertise_topic` and
-:bro:see:`BrokerComm::unadvertise_topic` functions
+:bro:see:`Broker::advertise_topic` and
+:bro:see:`Broker::unadvertise_topic` functions
 to manipulate the set of topic prefixes that are allowed to be
 advertised to peers.  If an endpoint does not advertise a topic prefix, then
 the only way peers can send messages to it is via the ``unsolicited``
-flag of :bro:see:`BrokerComm::SendFlags` and choosing a topic with a matching
+flag of :bro:see:`Broker::SendFlags` and choosing a topic with a matching
 prefix (i.e. full topic may be longer than receivers prefix, just the
 prefix needs to match).
 
@@ -192,8 +192,8 @@ last modification time.
 .. btest-include:: ${DOC_ROOT}/frameworks/broker/stores-connector.bro
 
 In the above example, if a local copy of the store contents isn't
-needed, just replace the :bro:see:`BrokerStore::create_clone` call with
-:bro:see:`BrokerStore::create_frontend`.  Queries will then be made against
+needed, just replace the :bro:see:`Broker::create_clone` call with
+:bro:see:`Broker::create_frontend`.  Queries will then be made against
 the remote master store instead of the local clone.
 
 Note that all data store queries must be made within Bro's asynchronous
diff --git a/doc/frameworks/broker/connecting-connector.bro b/doc/frameworks/broker/connecting-connector.bro
index cd5c74add8..adf901ea6a 100644
--- a/doc/frameworks/broker/connecting-connector.bro
+++ b/doc/frameworks/broker/connecting-connector.bro
@@ -1,18 +1,18 @@
 const broker_port: port = 9999/tcp &redef;
 redef exit_only_after_terminate = T;
-redef BrokerComm::endpoint_name = "connector";
+redef Broker::endpoint_name = "connector";
 
 event bro_init()
 	{
-	BrokerComm::enable();
-	BrokerComm::connect("127.0.0.1", broker_port, 1sec);
+	Broker::enable();
+	Broker::connect("127.0.0.1", broker_port, 1sec);
 	}
 
-event BrokerComm::outgoing_connection_established(peer_address: string,
+event Broker::outgoing_connection_established(peer_address: string,
                                             peer_port: port,
                                             peer_name: string)
 	{
-	print "BrokerComm::outgoing_connection_established",
+	print "Broker::outgoing_connection_established",
 		  peer_address, peer_port, peer_name;
 	terminate();
 	}
diff --git a/doc/frameworks/broker/connecting-listener.bro b/doc/frameworks/broker/connecting-listener.bro
index 21c67f9696..aa2b945dbe 100644
--- a/doc/frameworks/broker/connecting-listener.bro
+++ b/doc/frameworks/broker/connecting-listener.bro
@@ -1,20 +1,20 @@
 const broker_port: port = 9999/tcp &redef;
 redef exit_only_after_terminate = T;
-redef BrokerComm::endpoint_name = "listener";
+redef Broker::endpoint_name = "listener";
 
 event bro_init()
 	{
-	BrokerComm::enable();
-	BrokerComm::listen(broker_port, "127.0.0.1");
+	Broker::enable();
+	Broker::listen(broker_port, "127.0.0.1");
 	}
 
-event BrokerComm::incoming_connection_established(peer_name: string)
+event Broker::incoming_connection_established(peer_name: string)
 	{
-	print "BrokerComm::incoming_connection_established", peer_name;
+	print "Broker::incoming_connection_established", peer_name;
 	}
 
-event BrokerComm::incoming_connection_broken(peer_name: string)
+event Broker::incoming_connection_broken(peer_name: string)
 	{
-	print "BrokerComm::incoming_connection_broken", peer_name;
+	print "Broker::incoming_connection_broken", peer_name;
 	terminate();
 	}
diff --git a/doc/frameworks/broker/events-connector.bro b/doc/frameworks/broker/events-connector.bro
index 1ad458c245..437e197925 100644
--- a/doc/frameworks/broker/events-connector.bro
+++ b/doc/frameworks/broker/events-connector.bro
@@ -1,30 +1,30 @@
 const broker_port: port = 9999/tcp &redef;
 redef exit_only_after_terminate = T;
-redef BrokerComm::endpoint_name = "connector";
+redef Broker::endpoint_name = "connector";
 global my_event: event(msg: string, c: count);
 global my_auto_event: event(msg: string, c: count);
 
 event bro_init()
 	{
-	BrokerComm::enable();
-	BrokerComm::connect("127.0.0.1", broker_port, 1sec);
-	BrokerComm::auto_event("bro/event/my_auto_event", my_auto_event);
+	Broker::enable();
+	Broker::connect("127.0.0.1", broker_port, 1sec);
+	Broker::auto_event("bro/event/my_auto_event", my_auto_event);
 	}
 
-event BrokerComm::outgoing_connection_established(peer_address: string,
+event Broker::outgoing_connection_established(peer_address: string,
                                             peer_port: port,
                                             peer_name: string)
 	{
-	print "BrokerComm::outgoing_connection_established",
+	print "Broker::outgoing_connection_established",
 	      peer_address, peer_port, peer_name;
-	BrokerComm::event("bro/event/my_event", BrokerComm::event_args(my_event, "hi", 0));
+	Broker::send_event("bro/event/my_event", Broker::event_args(my_event, "hi", 0));
 	event my_auto_event("stuff", 88);
-	BrokerComm::event("bro/event/my_event", BrokerComm::event_args(my_event, "...", 1));
+	Broker::send_event("bro/event/my_event", Broker::event_args(my_event, "...", 1));
 	event my_auto_event("more stuff", 51);
-	BrokerComm::event("bro/event/my_event", BrokerComm::event_args(my_event, "bye", 2));
+	Broker::send_event("bro/event/my_event", Broker::event_args(my_event, "bye", 2));
 	}
 
-event BrokerComm::outgoing_connection_broken(peer_address: string,
+event Broker::outgoing_connection_broken(peer_address: string,
                                        peer_port: port)
 	{
 	terminate();
diff --git a/doc/frameworks/broker/events-listener.bro b/doc/frameworks/broker/events-listener.bro
index dc18795903..b803e646ec 100644
--- a/doc/frameworks/broker/events-listener.bro
+++ b/doc/frameworks/broker/events-listener.bro
@@ -1,20 +1,20 @@
 const broker_port: port = 9999/tcp &redef;
 redef exit_only_after_terminate = T;
-redef BrokerComm::endpoint_name = "listener";
+redef Broker::endpoint_name = "listener";
 global msg_count = 0;
 global my_event: event(msg: string, c: count);
 global my_auto_event: event(msg: string, c: count);
 
 event bro_init()
 	{
-	BrokerComm::enable();
-	BrokerComm::subscribe_to_events("bro/event/");
-	BrokerComm::listen(broker_port, "127.0.0.1");
+	Broker::enable();
+	Broker::subscribe_to_events("bro/event/");
+	Broker::listen(broker_port, "127.0.0.1");
 	}
 
-event BrokerComm::incoming_connection_established(peer_name: string)
+event Broker::incoming_connection_established(peer_name: string)
 	{
-	print "BrokerComm::incoming_connection_established", peer_name;
+	print "Broker::incoming_connection_established", peer_name;
 	}
 
 event my_event(msg: string, c: count)
diff --git a/doc/frameworks/broker/logs-connector.bro b/doc/frameworks/broker/logs-connector.bro
index 6089419cab..9c5df335b9 100644
--- a/doc/frameworks/broker/logs-connector.bro
+++ b/doc/frameworks/broker/logs-connector.bro
@@ -2,16 +2,16 @@
 
 const broker_port: port = 9999/tcp &redef;
 redef exit_only_after_terminate = T;
-redef BrokerComm::endpoint_name = "connector";
+redef Broker::endpoint_name = "connector";
 redef Log::enable_local_logging = F;
 redef Log::enable_remote_logging = F;
 global n = 0;
 
 event bro_init()
 	{
-	BrokerComm::enable();
-	BrokerComm::enable_remote_logs(Test::LOG);
-	BrokerComm::connect("127.0.0.1", broker_port, 1sec);
+	Broker::enable();
+	Broker::enable_remote_logs(Test::LOG);
+	Broker::connect("127.0.0.1", broker_port, 1sec);
 	}
 
 event do_write()
@@ -24,16 +24,16 @@ event do_write()
 	event do_write();
 	}
 
-event BrokerComm::outgoing_connection_established(peer_address: string,
+event Broker::outgoing_connection_established(peer_address: string,
                                             peer_port: port,
                                             peer_name: string)
 	{
-	print "BrokerComm::outgoing_connection_established",
+	print "Broker::outgoing_connection_established",
 	      peer_address, peer_port, peer_name;
 	event do_write();
 	}
 
-event BrokerComm::outgoing_connection_broken(peer_address: string,
+event Broker::outgoing_connection_broken(peer_address: string,
                                        peer_port: port)
 	{
 	terminate();
diff --git a/doc/frameworks/broker/logs-listener.bro b/doc/frameworks/broker/logs-listener.bro
index 5c807f08b7..34d475512a 100644
--- a/doc/frameworks/broker/logs-listener.bro
+++ b/doc/frameworks/broker/logs-listener.bro
@@ -2,18 +2,18 @@
 
 const broker_port: port = 9999/tcp &redef;
 redef exit_only_after_terminate = T;
-redef BrokerComm::endpoint_name = "listener";
+redef Broker::endpoint_name = "listener";
 
 event bro_init()
 	{
-	BrokerComm::enable();
-	BrokerComm::subscribe_to_logs("bro/log/Test::LOG");
-	BrokerComm::listen(broker_port, "127.0.0.1");
+	Broker::enable();
+	Broker::subscribe_to_logs("bro/log/Test::LOG");
+	Broker::listen(broker_port, "127.0.0.1");
 	}
 
-event BrokerComm::incoming_connection_established(peer_name: string)
+event Broker::incoming_connection_established(peer_name: string)
 	{
-	print "BrokerComm::incoming_connection_established", peer_name;
+	print "Broker::incoming_connection_established", peer_name;
 	}
 
 event Test::log_test(rec: Test::Info)
diff --git a/doc/frameworks/broker/printing-connector.bro b/doc/frameworks/broker/printing-connector.bro
index 2a504ffba0..42d961669a 100644
--- a/doc/frameworks/broker/printing-connector.bro
+++ b/doc/frameworks/broker/printing-connector.bro
@@ -1,25 +1,25 @@
 const broker_port: port = 9999/tcp &redef;
 redef exit_only_after_terminate = T;
-redef BrokerComm::endpoint_name = "connector";
+redef Broker::endpoint_name = "connector";
 
 event bro_init()
 	{
-	BrokerComm::enable();
-	BrokerComm::connect("127.0.0.1", broker_port, 1sec);
+	Broker::enable();
+	Broker::connect("127.0.0.1", broker_port, 1sec);
 	}
 
-event BrokerComm::outgoing_connection_established(peer_address: string,
+event Broker::outgoing_connection_established(peer_address: string,
                                             peer_port: port,
                                             peer_name: string)
 	{
-	print "BrokerComm::outgoing_connection_established",
+	print "Broker::outgoing_connection_established",
 	      peer_address, peer_port, peer_name;
-	BrokerComm::print("bro/print/hi", "hello");
-	BrokerComm::print("bro/print/stuff", "...");
-	BrokerComm::print("bro/print/bye", "goodbye");
+	Broker::send_print("bro/print/hi", "hello");
+	Broker::send_print("bro/print/stuff", "...");
+	Broker::send_print("bro/print/bye", "goodbye");
 	}
 
-event BrokerComm::outgoing_connection_broken(peer_address: string,
+event Broker::outgoing_connection_broken(peer_address: string,
                                        peer_port: port)
 	{
 	terminate();
diff --git a/doc/frameworks/broker/printing-listener.bro b/doc/frameworks/broker/printing-listener.bro
index f55c5b9bad..4630a7e6d7 100644
--- a/doc/frameworks/broker/printing-listener.bro
+++ b/doc/frameworks/broker/printing-listener.bro
@@ -1,21 +1,21 @@
 const broker_port: port = 9999/tcp &redef;
 redef exit_only_after_terminate = T;
-redef BrokerComm::endpoint_name = "listener";
+redef Broker::endpoint_name = "listener";
 global msg_count = 0;
 
 event bro_init()
 	{
-	BrokerComm::enable();
-	BrokerComm::subscribe_to_prints("bro/print/");
-	BrokerComm::listen(broker_port, "127.0.0.1");
+	Broker::enable();
+	Broker::subscribe_to_prints("bro/print/");
+	Broker::listen(broker_port, "127.0.0.1");
 	}
 
-event BrokerComm::incoming_connection_established(peer_name: string)
+event Broker::incoming_connection_established(peer_name: string)
 	{
-	print "BrokerComm::incoming_connection_established", peer_name;
+	print "Broker::incoming_connection_established", peer_name;
 	}
 
-event BrokerComm::print_handler(msg: string)
+event Broker::print_handler(msg: string)
 	{
 	++msg_count;
 	print "got print message", msg;
diff --git a/doc/frameworks/broker/stores-connector.bro b/doc/frameworks/broker/stores-connector.bro
index 5db8657a68..d50807cc89 100644
--- a/doc/frameworks/broker/stores-connector.bro
+++ b/doc/frameworks/broker/stores-connector.bro
@@ -1,42 +1,42 @@
 const broker_port: port = 9999/tcp &redef;
 redef exit_only_after_terminate = T;
 
-global h: opaque of BrokerStore::Handle;
+global h: opaque of Broker::Handle;
 
-function dv(d: BrokerComm::Data): BrokerComm::DataVector
+function dv(d: Broker::Data): Broker::DataVector
 	{
-	local rval: BrokerComm::DataVector;
+	local rval: Broker::DataVector;
 	rval[0] = d;
 	return rval;
 	}
 
 global ready: event();
 
-event BrokerComm::outgoing_connection_broken(peer_address: string,
+event Broker::outgoing_connection_broken(peer_address: string,
                                        peer_port: port)
 	{
 	terminate();
 	}
 
-event BrokerComm::outgoing_connection_established(peer_address: string,
+event Broker::outgoing_connection_established(peer_address: string,
                                             peer_port: port,
                                             peer_name: string)
 	{
 	local myset: set[string] = {"a", "b", "c"};
 	local myvec: vector of string = {"alpha", "beta", "gamma"};
-	h = BrokerStore::create_master("mystore");
-	BrokerStore::insert(h, BrokerComm::data("one"), BrokerComm::data(110));
-	BrokerStore::insert(h, BrokerComm::data("two"), BrokerComm::data(223));
-	BrokerStore::insert(h, BrokerComm::data("myset"), BrokerComm::data(myset));
-	BrokerStore::insert(h, BrokerComm::data("myvec"), BrokerComm::data(myvec));
-	BrokerStore::increment(h, BrokerComm::data("one"));
-	BrokerStore::decrement(h, BrokerComm::data("two"));
-	BrokerStore::add_to_set(h, BrokerComm::data("myset"), BrokerComm::data("d"));
-	BrokerStore::remove_from_set(h, BrokerComm::data("myset"), BrokerComm::data("b"));
-	BrokerStore::push_left(h, BrokerComm::data("myvec"), dv(BrokerComm::data("delta")));
-	BrokerStore::push_right(h, BrokerComm::data("myvec"), dv(BrokerComm::data("omega")));
+	h = Broker::create_master("mystore");
+	Broker::insert(h, Broker::data("one"), Broker::data(110));
+	Broker::insert(h, Broker::data("two"), Broker::data(223));
+	Broker::insert(h, Broker::data("myset"), Broker::data(myset));
+	Broker::insert(h, Broker::data("myvec"), Broker::data(myvec));
+	Broker::increment(h, Broker::data("one"));
+	Broker::decrement(h, Broker::data("two"));
+	Broker::add_to_set(h, Broker::data("myset"), Broker::data("d"));
+	Broker::remove_from_set(h, Broker::data("myset"), Broker::data("b"));
+	Broker::push_left(h, Broker::data("myvec"), dv(Broker::data("delta")));
+	Broker::push_right(h, Broker::data("myvec"), dv(Broker::data("omega")));
 
-	when ( local res = BrokerStore::size(h) )
+	when ( local res = Broker::size(h) )
 		{
 		print "master size", res;
 		event ready();
@@ -47,7 +47,7 @@ event BrokerComm::outgoing_connection_established(peer_address: string,
 
 event bro_init()
 	{
-	BrokerComm::enable();
-	BrokerComm::connect("127.0.0.1", broker_port, 1secs);
-	BrokerComm::auto_event("bro/event/ready", ready);
+	Broker::enable();
+	Broker::connect("127.0.0.1", broker_port, 1secs);
+	Broker::auto_event("bro/event/ready", ready);
 	}
diff --git a/doc/frameworks/broker/stores-listener.bro b/doc/frameworks/broker/stores-listener.bro
index 454e41a8c2..3dac30deca 100644
--- a/doc/frameworks/broker/stores-listener.bro
+++ b/doc/frameworks/broker/stores-listener.bro
@@ -1,13 +1,13 @@
 const broker_port: port = 9999/tcp &redef;
 redef exit_only_after_terminate = T;
 
-global h: opaque of BrokerStore::Handle;
+global h: opaque of Broker::Handle;
 global expected_key_count = 4;
 global key_count = 0;
 
 function do_lookup(key: string)
 	{
-	when ( local res = BrokerStore::lookup(h, BrokerComm::data(key)) )
+	when ( local res = Broker::lookup(h, Broker::data(key)) )
 		{
 		++key_count;
 		print "lookup", key, res;
@@ -21,15 +21,15 @@ function do_lookup(key: string)
 
 event ready()
 	{
-	h = BrokerStore::create_clone("mystore");
+	h = Broker::create_clone("mystore");
 
-	when ( local res = BrokerStore::keys(h) )
+	when ( local res = Broker::keys(h) )
 		{
 		print "clone keys", res;
-		do_lookup(BrokerComm::refine_to_string(BrokerComm::vector_lookup(res$result, 0)));
-		do_lookup(BrokerComm::refine_to_string(BrokerComm::vector_lookup(res$result, 1)));
-		do_lookup(BrokerComm::refine_to_string(BrokerComm::vector_lookup(res$result, 2)));
-		do_lookup(BrokerComm::refine_to_string(BrokerComm::vector_lookup(res$result, 3)));
+		do_lookup(Broker::refine_to_string(Broker::vector_lookup(res$result, 0)));
+		do_lookup(Broker::refine_to_string(Broker::vector_lookup(res$result, 1)));
+		do_lookup(Broker::refine_to_string(Broker::vector_lookup(res$result, 2)));
+		do_lookup(Broker::refine_to_string(Broker::vector_lookup(res$result, 3)));
 		}
 	timeout 10sec
 		{ print "timeout"; }
@@ -37,7 +37,7 @@ event ready()
 
 event bro_init()
 	{
-	BrokerComm::enable();
-	BrokerComm::subscribe_to_events("bro/event/ready");
-	BrokerComm::listen(broker_port, "127.0.0.1");
+	Broker::enable();
+	Broker::subscribe_to_events("bro/event/ready");
+	Broker::listen(broker_port, "127.0.0.1");
 	}
diff --git a/doc/frameworks/broker/testlog.bro b/doc/frameworks/broker/testlog.bro
index 506d359bb7..0099671e6d 100644
--- a/doc/frameworks/broker/testlog.bro
+++ b/doc/frameworks/broker/testlog.bro
@@ -13,6 +13,6 @@ export {
 
 event bro_init() &priority=5
 	{
-	BrokerComm::enable();
+	Broker::enable();
 	Log::create_stream(Test::LOG, [$columns=Test::Info, $ev=log_test, $path="test"]);
 	}
diff --git a/doc/frameworks/notice.rst b/doc/frameworks/notice.rst
index eacf9c917f..e37740dee1 100644
--- a/doc/frameworks/notice.rst
+++ b/doc/frameworks/notice.rst
@@ -83,9 +83,9 @@ The hook :bro:see:`Notice::policy` provides the mechanism for applying
 actions and generally modifying the notice before it's sent onward to
 the action plugins.  Hooks can be thought of as multi-bodied functions
 and using them looks very similar to handling events.  The difference
-is that they don't go through the event queue like events.  Users should
-directly make modifications to the :bro:see:`Notice::Info` record
-given as the argument to the hook.
+is that they don't go through the event queue like events.  Users can
+alter notice processing by directly modifying fields in the
+:bro:see:`Notice::Info` record given as the argument to the hook.
 
 Here's a simple example which tells Bro to send an email for all notices of
 type :bro:see:`SSH::Password_Guessing` if the guesser attempted to log in to
diff --git a/doc/install/install.rst b/doc/install/install.rst
index a9f1c85bdd..60c7cf27d1 100644
--- a/doc/install/install.rst
+++ b/doc/install/install.rst
@@ -75,6 +75,21 @@ To install the required dependencies, you can use:
   Note that in older versions of FreeBSD, you might have to use the
   "pkg_add -r" command instead of "pkg install".
 
+  For older versions of FreeBSD (especially FreeBSD 9.x), the system compiler
+  is not new enough to compile Bro. For these systems, you will have to install
+  a newer compiler using pkg; the ``clang34`` package should work.
+
+  You will also have to define several environment variables on these older
+  systems to use the new compiler and headers similar to this before calling
+  configure:
+
+  .. console::
+
+     export CC=clang34
+     export CXX=clang++34
+     export CXXFLAGS="-stdlib=libc++ -I${LOCALBASE}/include/c++/v1 -L${LOCALBASE}/lib"
+     export LDFLAGS="-pthread"
+
 * Mac OS X:
 
   Compiling source code on Macs requires first installing Xcode_ (in older
diff --git a/doc/script-reference/log-files.rst b/doc/script-reference/log-files.rst
index c3fbca95a0..3c1720afd1 100644
--- a/doc/script-reference/log-files.rst
+++ b/doc/script-reference/log-files.rst
@@ -39,6 +39,8 @@ Network Protocols
 +----------------------------+---------------------------------------+---------------------------------+
 | rdp.log                    | RDP                                   | :bro:type:`RDP::Info`           |
 +----------------------------+---------------------------------------+---------------------------------+
+| rfb.log                    | Remote Framebuffer (RFB)              | :bro:type:`RFB::Info`           |
++----------------------------+---------------------------------------+---------------------------------+
 | sip.log                    | SIP                                   | :bro:type:`SIP::Info`           |
 +----------------------------+---------------------------------------+---------------------------------+
 | smtp.log                   | SMTP transactions                     | :bro:type:`SMTP::Info`          |
diff --git a/doc/script-reference/statements.rst b/doc/script-reference/statements.rst
index e2f93a5627..14e0cc3c32 100644
--- a/doc/script-reference/statements.rst
+++ b/doc/script-reference/statements.rst
@@ -277,16 +277,25 @@ Here are the statements that the Bro scripting language supports.
 .. bro:keyword:: delete
 
     The "delete" statement is used to remove an element from a
-    :bro:type:`set` or :bro:type:`table`.  Nothing happens if the
-    specified element does not exist in the set or table.
+    :bro:type:`set` or :bro:type:`table`, or to remove a value from
+    a :bro:type:`record` field that has the :bro:attr:`&optional` attribute.
+    When attempting to remove an element from a set or table,
+    nothing happens if the specified index does not exist.
+    When attempting to remove a value from an "&optional" record field,
+    nothing happens if that field doesn't have a value.
 
     Example::
 
         local myset = set("this", "test");
         local mytable = table(["key1"] = 80/tcp, ["key2"] = 53/udp);
+        local myrec = MyRecordType($a = 1, $b = 2);
+
         delete myset["test"];
         delete mytable["key1"];
 
+        # In this example, "b" must have the "&optional" attribute
+        delete myrec$b;
+
 .. bro:keyword:: event
 
     The "event" statement immediately queues invocation of an event handler.
@@ -306,30 +315,33 @@ Here are the statements that the Bro scripting language supports.
 .. bro:keyword:: for
 
     A "for" loop iterates over each element in a string, set, vector, or
-    table and executes a statement for each iteration.  Currently,
-    modifying a container's membership while iterating over it may
-    result in undefined behavior, so avoid adding or removing elements
-    inside the loop.
+    table and executes a statement for each iteration (note that the order
+    in which the loop iterates over the elements in a set or a table is
+    nondeterministic).  However, no loop iterations occur if the string,
+    set, vector, or table is empty.
 
     For each iteration of the loop, a loop variable will be assigned to an
     element if the expression evaluates to a string or set, or an index if
     the expression evaluates to a vector or table.  Then the statement
-    is executed.  However, the statement will not be executed if the expression
-    evaluates to an object with no elements.
+    is executed.
 
     If the expression is a table or a set with more than one index, then the
     loop variable must be specified as a comma-separated list of different
     loop variables (one for each index), enclosed in brackets.
 
-    A :bro:keyword:`break` statement can be used at any time to immediately
-    terminate the "for" loop, and a :bro:keyword:`next` statement can be
-    used to skip to the next loop iteration.
-
     Note that the loop variable in a "for" statement is not allowed to be
     a global variable, and it does not need to be declared prior to the "for"
     statement.  The type will be inferred from the elements of the
     expression.
 
+    Currently, modifying a container's membership while iterating over it may
+    result in undefined behavior, so do not add or remove elements
+    inside the loop.
+
+    A :bro:keyword:`break` statement will immediately terminate the "for"
+    loop, and a :bro:keyword:`next` statement will skip to the next loop
+    iteration.
+
     Example::
 
         local myset = set(80/tcp, 81/tcp);
@@ -532,8 +544,6 @@ Here are the statements that the Bro scripting language supports.
     end with either a :bro:keyword:`break`, :bro:keyword:`fallthrough`, or
     :bro:keyword:`return` statement (although "return" is allowed only
     if the "switch" statement is inside a function, hook, or event handler).
-    If a "case" (or "default") block contain more than one statement, then
-    there is no need to wrap them in braces.
 
     Note that the braces in a "switch" statement are always required (these
     do not indicate the presence of a `compound statement`_), and that no
@@ -604,12 +614,9 @@ Here are the statements that the Bro scripting language supports.
             if ( skip_ahead() )
                 next;
 
-            [...]
-
             if ( finish_up )
                 break;
 
-            [...]
             }
 
 .. _compound statement:
diff --git a/doc/scripting/data_type_record.bro b/doc/scripting/data_type_record.bro
new file mode 100644
index 0000000000..2380137cac
--- /dev/null
+++ b/doc/scripting/data_type_record.bro
@@ -0,0 +1,25 @@
+module Conn;
+
+export {
+	## The record type which contains column fields of the connection log.
+	type Info: record {
+		ts:           time            &log;
+		uid:          string          &log;
+		id:           conn_id         &log;
+		proto:        transport_proto &log;
+		service:      string          &log &optional;
+		duration:     interval        &log &optional;
+		orig_bytes:   count           &log &optional;
+		resp_bytes:   count           &log &optional;
+		conn_state:   string          &log &optional;
+		local_orig:   bool            &log &optional;
+		local_resp:   bool            &log &optional;
+		missed_bytes: count           &log &default=0;
+		history:      string          &log &optional;
+		orig_pkts:     count      &log &optional;
+		orig_ip_bytes: count      &log &optional;
+		resp_pkts:     count      &log &optional;
+		resp_ip_bytes: count      &log &optional;
+		tunnel_parents: set[string] &log;
+	};
+}
diff --git a/doc/scripting/http_main.bro b/doc/scripting/http_main.bro
new file mode 100644
index 0000000000..5182accb35
--- /dev/null
+++ b/doc/scripting/http_main.bro
@@ -0,0 +1,7 @@
+module HTTP;
+
+export {
+	## This setting changes if passwords used in Basic-Auth are captured or
+	## not.
+	const default_capture_password = F &redef;
+}
diff --git a/doc/scripting/index.rst b/doc/scripting/index.rst
index 2b5cfbb49c..597d8ec41a 100644
--- a/doc/scripting/index.rst
+++ b/doc/scripting/index.rst
@@ -362,8 +362,7 @@ decrypted from HTTP streams is stored in
 :bro:see:`HTTP::default_capture_password` as shown in the stripped down
 excerpt from :doc:`/scripts/base/protocols/http/main.bro` below.
 
-.. btest-include:: ${BRO_SRC_ROOT}/scripts/base/protocols/http/main.bro
-   :lines: 9-11,20-22,125
+.. btest-include:: ${DOC_ROOT}/scripting/http_main.bro
 
 Because the constant was declared with the ``&redef`` attribute, if we
 needed to turn this option on globally, we could do so by adding the
@@ -776,7 +775,7 @@ string against which it will be tested to be on the right.
 In the sample above, two local variables are declared to hold our
 sample sentence and regular expression.  Our regular expression in
 this case will return true if the string contains either the word
-``quick`` or the word ``fox``. The ``if`` statement in the script uses
+``quick`` or the word ``lazy``. The ``if`` statement in the script uses
 embedded matching and the ``in`` operator to check for the existence
 of the pattern within the string.  If the statement resolves to true,
 :bro:id:`split` is called to break the string into separate pieces.
@@ -825,8 +824,7 @@ example of the ``record`` data type in the earlier sections, the
 :bro:type:`Conn::Info`, which corresponds to the fields logged into
 ``conn.log``, is shown by the excerpt below.
 
-.. btest-include:: ${BRO_SRC_ROOT}/scripts/base/protocols/conn/main.bro
-   :lines: 10-12,16-17,19,21,23,25,28,31,35,38,57,63,69,75,98,101,105,108,112,116-117,122
+.. btest-include:: ${DOC_ROOT}/scripting/data_type_record.bro
 
 Looking at the structure of the definition, a new collection of data
 types is being defined as a type called ``Info``.  Since this type
diff --git a/scripts/base/files/x509/main.bro b/scripts/base/files/x509/main.bro
index c097b84560..bbf99f6a4d 100644
--- a/scripts/base/files/x509/main.bro
+++ b/scripts/base/files/x509/main.bro
@@ -6,6 +6,7 @@ module X509;
 export {
 	redef enum Log::ID += { LOG };
 
+	## The record type which contains the fields of the X.509 log.
 	type Info: record {
 		## Current timestamp.
 		ts: time &log;
diff --git a/scripts/base/frameworks/broker/__load__.bro b/scripts/base/frameworks/broker/__load__.bro
index a10fe855df..018d772f4f 100644
--- a/scripts/base/frameworks/broker/__load__.bro
+++ b/scripts/base/frameworks/broker/__load__.bro
@@ -1 +1,2 @@
 @load ./main
+@load ./store
diff --git a/scripts/base/frameworks/broker/main.bro b/scripts/base/frameworks/broker/main.bro
index e8b57d57d9..0818855d8f 100644
--- a/scripts/base/frameworks/broker/main.bro
+++ b/scripts/base/frameworks/broker/main.bro
@@ -1,11 +1,20 @@
 ##! Various data structure definitions for use with Bro's communication system.
 
-module BrokerComm;
+module Log;
+
+export {
+    type Log::ID: enum {
+        ## Dummy place-holder.
+        UNKNOWN
+    };
+}
+
+module Broker;
 
 export {
 
 	## A name used to identify this endpoint to peers.
-	## .. bro:see:: BrokerComm::connect BrokerComm::listen
+	## .. bro:see:: Broker::connect Broker::listen
 	const endpoint_name = "" &redef;
 
 	## Change communication behavior.
@@ -32,11 +41,11 @@ export {
 
 	## Opaque communication data.
 	type Data: record {
-		d: opaque of BrokerComm::Data &optional;
+		d: opaque of Broker::Data &optional;
 	};
 
 	## Opaque communication data.
-	type DataVector: vector of BrokerComm::Data;
+	type DataVector: vector of Broker::Data;
 
 	## Opaque event communication data.
 	type EventArgs: record {
@@ -49,55 +58,318 @@ export {
 	## Opaque communication data used as a convenient way to wrap key-value
 	## pairs that comprise table entries.
 	type TableItem : record {
-		key: BrokerComm::Data;
-		val: BrokerComm::Data;
+		key: Broker::Data;
+		val: Broker::Data;
 	};
+
+	## Enable use of communication.
+	##
+	## flags: used to tune the local Broker endpoint behavior.
+	##
+	## Returns: true if communication is successfully initialized.
+	global enable: function(flags: EndpointFlags &default = EndpointFlags()): bool;
+
+	## Changes endpoint flags originally supplied to :bro:see:`Broker::enable`.
+	##
+	## flags: the new endpoint behavior flags to use.
+	##
+	## Returns: true if flags were changed.
+	global set_endpoint_flags: function(flags: EndpointFlags &default = EndpointFlags()): bool;
+
+	## Allow sending messages to peers if associated with the given topic.
+	## This has no effect if auto publication behavior is enabled via the flags
+	## supplied to :bro:see:`Broker::enable` or :bro:see:`Broker::set_endpoint_flags`.
+	##
+	## topic: a topic to allow messages to be published under.
+	##
+	## Returns: true if successful.
+	global publish_topic: function(topic: string): bool;
+
+	## Disallow sending messages to peers if associated with the given topic.
+	## This has no effect if auto publication behavior is enabled via the flags
+	## supplied to :bro:see:`Broker::enable` or :bro:see:`Broker::set_endpoint_flags`.
+	##
+	## topic: a topic to disallow messages to be published under.
+	##
+	## Returns: true if successful.
+	global unpublish_topic: function(topic: string): bool;
+
+	## Listen for remote connections.
+	##
+	## p: the TCP port to listen on.
+	##
+	## a: an address string on which to accept connections, e.g.
+	##    "127.0.0.1".  An empty string refers to @p INADDR_ANY.
+	##
+	## reuse: equivalent to behavior of SO_REUSEADDR.
+	##
+	## Returns: true if the local endpoint is now listening for connections.
+	##
+	## .. bro:see:: Broker::incoming_connection_established
+	global listen: function(p: port, a: string &default = "", reuse: bool &default = T): bool;
+
+	## Initiate a remote connection.
+	##
+	## a: an address to connect to, e.g. "localhost" or "127.0.0.1".
+	##
+	## p: the TCP port on which the remote side is listening.
+	##
+	## retry: an interval at which to retry establishing the
+	##        connection with the remote peer if it cannot be made initially, or
+	##        if it ever becomes disconnected.
+	##
+	## Returns: true if it's possible to try connecting with the peer and
+	##          it's a new peer.  The actual connection may not be established
+	##          until a later point in time.
+	##
+	## .. bro:see:: Broker::outgoing_connection_established
+	global connect: function(a: string, p: port, retry: interval): bool;
+
+	## Remove a remote connection.
+	##
+	## a: the address used in previous successful call to :bro:see:`Broker::connect`.
+	##
+	## p: the port used in previous successful call to :bro:see:`Broker::connect`.
+	##
+	## Returns: true if the arguments match a previously successful call to
+	##          :bro:see:`Broker::connect`.
+	global disconnect: function(a: string, p: port): bool;
+
+	## Print a simple message to any interested peers.  The receiver can use
+	## :bro:see:`Broker::print_handler` to handle messages.
+	##
+	## topic: a topic associated with the printed message.
+	##
+	## msg: the print message to send to peers.
+	##
+	## flags: tune the behavior of how the message is sent.
+	##
+	## Returns: true if the message is sent.
+	global send_print: function(topic: string, msg: string, flags: SendFlags &default = SendFlags()): bool;
+
+	## Register interest in all peer print messages that use a certain topic
+	## prefix. Use :bro:see:`Broker::print_handler` to handle received
+	## messages.
+	##
+	## topic_prefix: a prefix to match against remote message topics.
+	##               e.g. an empty prefix matches everything and "a" matches
+	##               "alice" and "amy" but not "bob".
+	##
+	## Returns: true if it's a new print subscription and it is now registered.
+	global subscribe_to_prints: function(topic_prefix: string): bool;
+
+	## Unregister interest in all peer print messages that use a topic prefix.
+	##
+	## topic_prefix: a prefix previously supplied to a successful call to
+	##               :bro:see:`Broker::subscribe_to_prints`.
+	##
+	## Returns: true if interest in the topic prefix is no longer advertised.
+	global unsubscribe_to_prints: function(topic_prefix: string): bool;
+
+	## Send an event to any interested peers.
+	##
+	## topic: a topic associated with the event message.
+	##
+	## args: event arguments as made by :bro:see:`Broker::event_args`.
+	##
+	## flags: tune the behavior of how the message is sent.
+	##
+	## Returns: true if the message is sent.
+	global send_event: function(topic: string, args: EventArgs, flags: SendFlags &default = SendFlags()): bool;
+
+	## Automatically send an event to any interested peers whenever it is
+	## locally dispatched (e.g. using "event my_event(...);" in a script).
+	##
+	## topic: a topic string associated with the event message.
+	##        Peers advertise interest by registering a subscription to some
+	##        prefix of this topic name.
+	##
+	## ev: a Bro event value.
+	##
+	## flags: tune the behavior of how the message is sent.
+	##
+	## Returns: true if automatic event sending is now enabled.
+	global auto_event: function(topic: string, ev: any, flags: SendFlags &default = SendFlags()): bool;
+
+	## Stop automatically sending an event to peers upon local dispatch.
+	##
+	## topic: a topic originally given to :bro:see:`Broker::auto_event`.
+	##
+	## ev: an event originally given to :bro:see:`Broker::auto_event`.
+	##
+	## Returns: true if automatic events will not occur for the topic/event
+	##          pair.
+	global auto_event_stop: function(topic: string, ev: any): bool;
+
+	## Register interest in all peer event messages that use a certain topic
+	## prefix.
+	##
+	## topic_prefix: a prefix to match against remote message topics.
+	##               e.g. an empty prefix matches everything and "a" matches
+	##               "alice" and "amy" but not "bob".
+	##
+	## Returns: true if it's a new event subscription and it is now registered.
+	global subscribe_to_events: function(topic_prefix: string): bool;
+
+	## Unregister interest in all peer event messages that use a topic prefix.
+	##
+	## topic_prefix: a prefix previously supplied to a successful call to
+	##               :bro:see:`Broker::subscribe_to_events`.
+	##
+	## Returns: true if interest in the topic prefix is no longer advertised.
+	global unsubscribe_to_events: function(topic_prefix: string): bool;
+
+	## Enable remote logs for a given log stream.
+	##
+	## id: the log stream to enable remote logs for.
+	##
+	## flags: tune the behavior of how log entry messages are sent.
+	##
+	## Returns: true if remote logs are enabled for the stream.
+	global enable_remote_logs: function(id: Log::ID, flags: SendFlags &default = SendFlags()): bool;
+
+	## Disable remote logs for a given log stream.
+	##
+	## id: the log stream to disable remote logs for.
+	##
+	## Returns: true if remote logs are disabled for the stream.
+	global disable_remote_logs: function(id: Log::ID): bool;
+
+	## Check if remote logs are enabled for a given log stream.
+	##
+	## id: the log stream to check.
+	##
+	## Returns: true if remote logs are enabled for the given stream.
+	global remote_logs_enabled: function(id: Log::ID): bool;
+
+	## Register interest in all peer log messages that use a certain topic
+	## prefix. Logs are implicitly sent with topic "bro/log/<stream-name>" and
+	## the receiving side processes them through the logging framework as usual.
+	##
+	## topic_prefix: a prefix to match against remote message topics.
+	##               e.g. an empty prefix matches everything and "a" matches
+	##               "alice" and "amy" but not "bob".
+	##
+	## Returns: true if it's a new log subscription and it is now registered.
+	global subscribe_to_logs: function(topic_prefix: string): bool;
+
+	## Unregister interest in all peer log messages that use a topic prefix.
+	## Logs are implicitly sent with topic "bro/log/<stream-name>" and the
+	## receiving side processes them through the logging framework as usual.
+	##
+	## topic_prefix: a prefix previously supplied to a successful call to
+	##               :bro:see:`Broker::subscribe_to_logs`.
+	##
+	## Returns: true if interest in the topic prefix is no longer advertised.
+	global unsubscribe_to_logs: function(topic_prefix: string): bool;
+
 }
 
-module BrokerStore;
+@load base/bif/comm.bif
+@load base/bif/messaging.bif
 
-export {
+module Broker;
 
-	## Whether a data store query could be completed or not.
-	type QueryStatus: enum {
-		SUCCESS,
-		FAILURE,
-	};
+@ifdef ( Broker::__enable )
 
-	## An expiry time for a key-value pair inserted in to a data store.
-	type ExpiryTime: record {
-		## Absolute point in time at which to expire the entry.
-		absolute: time &optional;
-		## A point in time relative to the last modification time at which
-		## to expire the entry.  New modifications will delay the expiration.
-		since_last_modification: interval &optional;
-	};
+function enable(flags: EndpointFlags &default = EndpointFlags()) : bool
+    {
+    return __enable(flags);
+    }
 
-	## The result of a data store query.
-	type QueryResult: record {
-		## Whether the query completed or not.
-		status: BrokerStore::QueryStatus;
-		## The result of the query.  Certain queries may use a particular
-		## data type (e.g. querying store size always returns a count, but
-		## a lookup may return various data types).
-		result: BrokerComm::Data;
-	};
+function set_endpoint_flags(flags: EndpointFlags &default = EndpointFlags()): bool
+    {
+    return __set_endpoint_flags(flags);
+    }
 
-	## Options to tune the SQLite storage backend.
-	type SQLiteOptions: record {
-		## File system path of the database.
-		path: string &default = "store.sqlite";
-	};
+function publish_topic(topic: string): bool
+    {
+    return __publish_topic(topic);
+    }
 
-	## Options to tune the RocksDB storage backend.
-	type RocksDBOptions: record {
-		## File system path of the database.
-		path: string &default = "store.rocksdb";
-	};
+function unpublish_topic(topic: string): bool
+    {
+    return __unpublish_topic(topic);
+    }
 
-	## Options to tune the particular storage backends.
-	type BackendOptions: record {
-		sqlite: SQLiteOptions &default = SQLiteOptions();
-		rocksdb: RocksDBOptions &default = RocksDBOptions();
-	};
-}
+function listen(p: port, a: string &default = "", reuse: bool &default = T): bool
+    {
+    return __listen(p, a, reuse);
+    }
+
+function connect(a: string, p: port, retry: interval): bool
+    {
+    return __connect(a, p, retry);
+    }
+
+function disconnect(a: string, p: port): bool
+    {
+    return __disconnect(a, p);
+    }
+
+function send_print(topic: string, msg: string, flags: SendFlags &default = SendFlags()): bool
+    {
+    return __send_print(topic, msg, flags);
+    }
+
+function subscribe_to_prints(topic_prefix: string): bool
+    {
+    return __subscribe_to_prints(topic_prefix);
+    }
+
+function unsubscribe_to_prints(topic_prefix: string): bool
+    {
+    return __unsubscribe_to_prints(topic_prefix);
+    }
+
+function send_event(topic: string, args: EventArgs, flags: SendFlags &default = SendFlags()): bool
+    {
+    return __event(topic, args, flags);
+    }
+
+function auto_event(topic: string, ev: any, flags: SendFlags &default = SendFlags()): bool
+    {
+    return __auto_event(topic, ev, flags);
+    }
+
+function auto_event_stop(topic: string, ev: any): bool
+    {
+    return __auto_event_stop(topic, ev);
+    }
+
+function subscribe_to_events(topic_prefix: string): bool
+    {
+    return __subscribe_to_events(topic_prefix);
+    }
+
+function unsubscribe_to_events(topic_prefix: string): bool
+    {
+    return __unsubscribe_to_events(topic_prefix);
+    }
+
+function enable_remote_logs(id: Log::ID, flags: SendFlags &default = SendFlags()): bool
+    {
+    return __enable_remote_logs(id, flags);
+    }
+
+function disable_remote_logs(id: Log::ID): bool
+    {
+    return __disable_remote_logs(id);
+    }
+
+function remote_logs_enabled(id: Log::ID): bool
+    {
+    return __remote_logs_enabled(id);
+    }
+
+function subscribe_to_logs(topic_prefix: string): bool
+    {
+    return __subscribe_to_logs(topic_prefix);
+    }
+
+function unsubscribe_to_logs(topic_prefix: string): bool
+    {
+    return __unsubscribe_to_logs(topic_prefix);
+    }
+
+@endif
diff --git a/scripts/base/frameworks/broker/store.bro b/scripts/base/frameworks/broker/store.bro
new file mode 100644
index 0000000000..8640e80648
--- /dev/null
+++ b/scripts/base/frameworks/broker/store.bro
@@ -0,0 +1,1105 @@
+##! Various data structure definitions for use with Bro's communication system.
+
+@load ./main
+@load base/bif/data.bif
+
+module Broker;
+
+export {
+
+	## Whether a data store query could be completed or not.
+	type QueryStatus: enum {
+		SUCCESS,
+		FAILURE,
+	};
+
+	## An expiry time for a key-value pair inserted in to a data store.
+	type ExpiryTime: record {
+		## Absolute point in time at which to expire the entry.
+		absolute: time &optional;
+		## A point in time relative to the last modification time at which
+		## to expire the entry.  New modifications will delay the expiration.
+		since_last_modification: interval &optional;
+	};
+
+	## The result of a data store query.
+	type QueryResult: record {
+		## Whether the query completed or not.
+		status: Broker::QueryStatus;
+		## The result of the query.  Certain queries may use a particular
+		## data type (e.g. querying store size always returns a count, but
+		## a lookup may return various data types).
+		result: Broker::Data;
+	};
+
+	## Enumerates the possible storage backends.
+	type BackendType: enum {
+		MEMORY,
+		SQLITE,
+		ROCKSDB,
+	};
+
+	## Options to tune the SQLite storage backend.
+	type SQLiteOptions: record {
+		## File system path of the database.
+		path: string &default = "store.sqlite";
+	};
+
+	## Options to tune the RocksDB storage backend.
+	type RocksDBOptions: record {
+		## File system path of the database.
+		path: string &default = "store.rocksdb";
+	};
+
+	## Options to tune the particular storage backends.
+	type BackendOptions: record {
+		sqlite: SQLiteOptions &default = SQLiteOptions();
+		rocksdb: RocksDBOptions &default = RocksDBOptions();
+	};
+
+@ifdef ( Broker::__enable )
+
+	## Create a master data store which contains key-value pairs.
+	##
+	## id: a unique name for the data store.
+	##
+	## b: the storage backend to use.
+	##
+	## options: tunes how some storage backends operate.
+	##
+	## Returns: a handle to the data store.
+	global create_master: function(id: string, b: BackendType &default = MEMORY,
+	                               options: BackendOptions &default = BackendOptions()): opaque of Broker::Handle;
+
+	## Create a clone of a master data store which may live with a remote peer.
+	## A clone automatically synchronizes to the master by automatically
+	## receiving modifications and applying them locally.  Direct modifications
+	## are not possible, they must be sent through the master store, which then
+	## automatically broadcasts the changes out to clones.  But queries may be
+	## made directly against the local cloned copy, which may be resolved
+	## quicker than reaching out to a remote master store.
+	##
+	## id: the unique name which identifies the master data store.
+	##
+	## b: the storage backend to use.
+	##
+	## options: tunes how some storage backends operate.
+	##
+	## resync: the interval at which to re-attempt synchronizing with the master
+	##         store should the connection be lost.  If the clone has not yet
+	##         synchronized for the first time, updates and queries queue up
+	##         until the synchronization completes.  After, if the connection
+	##         to the master store is lost, queries continue to use the clone's
+	##         version, but updates will be lost until the master is once again
+	##         available.
+	##
+	## Returns: a handle to the data store.
+	global create_clone: function(id: string, b: BackendType &default = MEMORY,
+	                              options: BackendOptions &default = BackendOptions(),
+	                              resync: interval &default = 1sec): opaque of Broker::Handle;
+
+	## Create a frontend interface to an existing master data store that allows
+	## querying and updating its contents.
+	##
+	## id: the unique name which identifies the master data store.
+	##
+	## Returns: a handle to the data store.
+	global create_frontend: function(id: string): opaque of Broker::Handle;
+
+	## Close a data store.
+	##
+	## h: a data store handle.
+	##
+	## Returns: true if store was valid and is now closed.  The handle can no
+	##          longer be used for data store operations.
+	global close_by_handle: function(h: opaque of Broker::Handle): bool;
+
+	###########################
+	# non-blocking update API #
+	###########################
+
+	## Insert a key-value pair in to the store.
+	##
+	## h: the handle of the store to modify.
+	##
+	## k: the key to insert.
+	##
+	## v: the value to insert.
+	##
+	## e: the expiration time of the key-value pair.
+	##
+	## Returns: false if the store handle was not valid.
+	global insert: function(h: opaque of Broker::Handle,
+	                        k: Broker::Data, v: Broker::Data,
+	                        e: Broker::ExpiryTime &default = Broker::ExpiryTime()): bool;
+
+	## Remove a key-value pair from the store.
+	##
+	## h: the handle of the store to modify.
+	##
+	## k: the key to remove.
+	##
+	## Returns: false if the store handle was not valid.
+	global erase: function(h: opaque of Broker::Handle, k: Broker::Data): bool;
+
+	## Remove all key-value pairs from the store.
+	##
+	## h: the handle of the store to modify.
+	##
+	## Returns: false if the store handle was not valid.
+	global clear: function(h: opaque of Broker::Handle): bool;
+
+	## Increment an integer value in a data store.
+	##
+	## h: the handle of the store to modify.
+	##
+	## k: the key whose associated value is to be modified.
+	##
+	## by: the amount to increment the value by.  A non-existent key will first
+	##     create it with an implicit value of zero before incrementing.
+	##
+	## Returns: false if the store handle was not valid.
+	global increment: function(h: opaque of Broker::Handle,
+	                           k: Broker::Data, by: int &default = +1): bool;
+
+	## Decrement an integer value in a data store.
+	##
+	## h: the handle of the store to modify.
+	##
+	## k: the key whose associated value is to be modified.
+	##
+	## by: the amount to decrement the value by.  A non-existent key will first
+	##     create it with an implicit value of zero before decrementing.
+	##
+	## Returns: false if the store handle was not valid.
+	global decrement: function(h: opaque of Broker::Handle,
+	                           k: Broker::Data, by: int &default = +1): bool;
+
+	## Add an element to a set value in a data store.
+	##
+	## h: the handle of the store to modify.
+	##
+	## k: the key whose associated value is to be modified.
+	##
+	## element: the element to add to the set.  A non-existent key will first
+	##          create it with an implicit empty set value before modifying.
+	##
+	## Returns: false if the store handle was not valid.
+	global add_to_set: function(h: opaque of Broker::Handle,
+	                            k: Broker::Data, element: Broker::Data): bool;
+
+	## Remove an element from a set value in a data store.
+	##
+	## h: the handle of the store to modify.
+	##
+	## k: the key whose associated value is to be modified.
+	##
+	## element: the element to remove from the set.  A non-existent key will
+	##          implicitly create an empty set value associated with the key.
+	##
+	## Returns: false if the store handle was not valid.
+	global remove_from_set: function(h: opaque of Broker::Handle,
+	                                 k: Broker::Data, element: Broker::Data): bool;
+
+	## Add a new item to the head of a vector value in a data store.
+	##
+	## h: the handle of store to modify.
+	##
+	## k: the key whose associated value is to be modified.
+	##
+	## items: the element to insert in to the vector.  A non-existent key will
+	##        first create an empty vector value before modifying.
+	##
+	## Returns: false if the store handle was not valid.
+	global push_left: function(h: opaque of Broker::Handle, k: Broker::Data,
+	                           items: Broker::DataVector): bool;
+
+	## Add a new item to the tail of a vector value in a data store.
+	##
+	## h: the handle of store to modify.
+	##
+	## k: the key whose associated value is to be modified.
+	##
+	## items: the element to insert in to the vector.  A non-existent key will
+	##        first create an empty vector value before modifying.
+	##
+	## Returns: false if the store handle was not valid.
+	global push_right: function(h: opaque of Broker::Handle, k: Broker::Data,
+	                            items: Broker::DataVector): bool;
+
+	##########################
+	# non-blocking query API #
+	##########################
+
+	## Pop the head of a data store vector value.
+	##
+	## h: the handle of the store to query.
+	##
+	## k: the key associated with the vector to modify.
+	##
+	## Returns: the result of the query.
+	global pop_left: function(h: opaque of Broker::Handle,
+	                          k: Broker::Data): QueryResult;
+
+	## Pop the tail of a data store vector value.
+	##
+	## h: the handle of the store to query.
+	##
+	## k: the key associated with the vector to modify.
+	##
+	## Returns: the result of the query.
+	global pop_right: function(h: opaque of Broker::Handle,
+	                           k: Broker::Data): QueryResult;
+
+	## Lookup the value associated with a key in a data store.
+	##
+	## h: the handle of the store to query.
+	##
+	## k: the key to lookup.
+	##
+	## Returns: the result of the query.
+	global lookup: function(h: opaque of Broker::Handle,
+	                       k: Broker::Data): QueryResult;
+
+	## Check if a data store contains a given key.
+	##
+	## h: the handle of the store to query.
+	##
+	## k: the key to check for existence.
+	##
+	## Returns: the result of the query (uses :bro:see:`Broker::BOOL`).
+	global exists: function(h: opaque of Broker::Handle,
+	                        k: Broker::Data): QueryResult;
+
+	## Retrieve all keys in a data store.
+	##
+	## h: the handle of the store to query.
+	##
+	## Returns: the result of the query (uses :bro:see:`Broker::VECTOR`).
+	global keys: function(h: opaque of Broker::Handle): QueryResult;
+
+	## Get the number of key-value pairs in a data store.
+	##
+	## h: the handle of the store to query.
+	##
+	## Returns: the result of the query (uses :bro:see:`Broker::COUNT`).
+	global size: function(h: opaque of Broker::Handle): QueryResult;
+
+	##########################
+	# data API               #
+	##########################
+
+	## Convert any Bro value to communication data.
+	##
+	## d: any Bro value to attempt to convert (not all types are supported).
+	##
+	## Returns: the converted communication data.  The returned record's optional
+	##          field will not be set if the conversion was not possible (this can
+	##          happen if the Bro data type does not support being converted to
+	##          communication data).
+	global data: function(d: any): Broker::Data;
+
+	## Retrieve the type of data associated with communication data.
+	##
+	## d: the communication data.
+	##
+	## Returns: the data type associated with the communication data.
+	global data_type: function(d: Broker::Data): Broker::DataType;
+
+	## Convert communication data with a type of :bro:see:`Broker::BOOL` to
+	## an actual Bro value.
+	##
+	## d: the communication data to convert.
+	##
+	## Returns: the value retrieved from the communication data.
+	global refine_to_bool: function(d: Broker::Data): bool;
+
+	## Convert communication data with a type of :bro:see:`Broker::INT` to
+	## an actual Bro value.
+	##
+	## d: the communication data to convert.
+	##
+	## Returns: the value retrieved from the communication data.
+	global refine_to_int: function(d: Broker::Data): int;
+
+	## Convert communication data with a type of :bro:see:`Broker::COUNT` to
+	## an actual Bro value.
+	##
+	## d: the communication data to convert.
+	##
+	## Returns: the value retrieved from the communication data.
+	global refine_to_count: function(d: Broker::Data): count;
+
+	## Convert communication data with a type of :bro:see:`Broker::DOUBLE` to
+	## an actual Bro value.
+	##
+	## d: the communication data to convert.
+	##
+	## Returns: the value retrieved from the communication data.
+	global refine_to_double: function(d: Broker::Data): double;
+
+	## Convert communication data with a type of :bro:see:`Broker::STRING` to
+	## an actual Bro value.
+	##
+	## d: the communication data to convert.
+	##
+	## Returns: the value retrieved from the communication data.
+	global refine_to_string: function(d: Broker::Data): string;
+
+	## Convert communication data with a type of :bro:see:`Broker::ADDR` to
+	## an actual Bro value.
+	##
+	## d: the communication data to convert.
+	##
+	## Returns: the value retrieved from the communication data.
+	global refine_to_addr: function(d: Broker::Data): addr;
+
+	## Convert communication data with a type of :bro:see:`Broker::SUBNET` to
+	## an actual Bro value.
+	##
+	## d: the communication data to convert.
+	##
+	## Returns: the value retrieved from the communication data.
+	global refine_to_subnet: function(d: Broker::Data): subnet;
+
+	## Convert communication data with a type of :bro:see:`Broker::PORT` to
+	## an actual Bro value.
+	##
+	## d: the communication data to convert.
+	##
+	## Returns: the value retrieved from the communication data.
+	global refine_to_port: function(d: Broker::Data): port;
+
+	## Convert communication data with a type of :bro:see:`Broker::TIME` to
+	## an actual Bro value.
+	##
+	## d: the communication data to convert.
+	##
+	## Returns: the value retrieved from the communication data.
+	global refine_to_time: function(d: Broker::Data): time;
+
+	## Convert communication data with a type of :bro:see:`Broker::INTERVAL` to
+	## an actual Bro value.
+	##
+	## d: the communication data to convert.
+	##
+	## Returns: the value retrieved from the communication data.
+	global refine_to_interval: function(d: Broker::Data): interval;
+
+	## Convert communication data with a type of :bro:see:`Broker::ENUM` to
+	## the name of the enum value.  :bro:see:`lookup_ID` may be used to convert
+	## the name to the actual enum value.
+	##
+	## d: the communication data to convert.
+	##
+	## Returns: the enum name retrieved from the communication data.
+	global refine_to_enum_name: function(d: Broker::Data): string;
+
+	## Create communication data of type "set".
+	global set_create: function(): Broker::Data;
+
+	## Remove all elements within a set.
+	##
+	## s: the set to clear.
+	##
+	## Returns: always true.
+	global set_clear: function(s: Broker::Data): bool;
+
+	## Get the number of elements within a set.
+	##
+	## s: the set to query.
+	##
+	## Returns: the number of elements in the set.
+	global set_size: function(s: Broker::Data): count;
+
+	## Check if a set contains a particular element.
+	##
+	## s: the set to query.
+	##
+	## key: the element to check for existence.
+	##
+	## Returns: true if the key exists in the set.
+	global set_contains: function(s: Broker::Data, key: Broker::Data): bool;
+
+	## Insert an element into a set.
+	##
+	## s: the set to modify.
+	##
+	## key: the element to insert.
+	##
+	## Returns: true if the key was inserted, or false if it already existed.
+	global set_insert: function(s: Broker::Data, key: Broker::Data): bool;
+
+	## Remove an element from a set.
+	##
+	## s: the set to modify.
+	##
+	## key: the element to remove.
+	##
+	## Returns: true if the element existed in the set and is now removed.
+	global set_remove: function(s: Broker::Data, key: Broker::Data): bool;
+
+	## Create an iterator for a set.  Note that this makes a copy of the set
+	## internally to ensure the iterator is always valid.
+	##
+	## s: the set to iterate over.
+	##
+	## Returns: an iterator.
+	global set_iterator: function(s: Broker::Data): opaque of Broker::SetIterator;
+
+	## Check if there are no more elements to iterate over.
+	##
+	## it: an iterator.
+	##
+	## Returns: true if there are no more elements to iterator over, i.e.
+	##          the iterator is one-past-the-final-element.
+	global set_iterator_last: function(it: opaque of Broker::SetIterator): bool;
+
+	## Advance an iterator.
+	##
+	## it: an iterator.
+	##
+	## Returns: true if the iterator, after advancing, still references an element
+	##          in the collection.  False if the iterator, after advancing, is
+	##          one-past-the-final-element.
+	global set_iterator_next: function(it: opaque of Broker::SetIterator): bool;
+
+	## Retrieve the data at an iterator's current position.
+	##
+	## it: an iterator.
+	##
+	## Returns: element in the collection that the iterator currently references.
+	global set_iterator_value: function(it: opaque of Broker::SetIterator): Broker::Data;
+
+	## Create communication data of type "table".
+	global table_create: function(): Broker::Data;
+
+	## Remove all elements within a table.
+	##
+	## t: the table to clear.
+	##
+	## Returns: always true.
+	global table_clear: function(t: Broker::Data): bool;
+
+	## Get the number of elements within a table.
+	##
+	## t: the table to query.
+	##
+	## Returns: the number of elements in the table.
+	global table_size: function(t: Broker::Data): count;
+
+	## Check if a table contains a particular key.
+	##
+	## t: the table to query.
+	##
+	## key: the key to check for existence.
+	##
+	## Returns: true if the key exists in the table.
+	global table_contains: function(t: Broker::Data, key: Broker::Data): bool;
+
+	## Insert a key-value pair into a table.
+	##
+	## t: the table to modify.
+	##
+	## key: the key at which to insert the value.
+	##
+	## val: the value to insert.
+	##
+	## Returns: true if the key-value pair was inserted, or false if the key
+	##          already existed in the table.
+	global table_insert: function(t: Broker::Data, key: Broker::Data, val: Broker::Data): Broker::Data;
+
+	## Remove a key-value pair from a table.
+	##
+	## t: the table to modify.
+	##
+	## key: the key to remove from the table.
+	##
+	## Returns: the value associated with the key.  If the key did not exist, then
+	##          the optional field of the returned record is not set.
+	global table_remove: function(t: Broker::Data, key: Broker::Data): Broker::Data;
+
+	## Retrieve a value from a table.
+	##
+	## t: the table to query.
+	##
+	## key: the key to lookup.
+	##
+	## Returns: the value associated with the key.  If the key did not exist, then
+	##          the optional field of the returned record is not set.
+	global table_lookup: function(t: Broker::Data, key: Broker::Data): Broker::Data;
+
+	## Create an iterator for a table.  Note that this makes a copy of the table
+	## internally to ensure the iterator is always valid.
+	##
+	## t: the table to iterate over.
+	##
+	## Returns: an iterator.
+	global table_iterator: function(t: Broker::Data): opaque of Broker::TableIterator;
+
+	## Check if there are no more elements to iterate over.
+	##
+	## it: an iterator.
+	##
+	## Returns: true if there are no more elements to iterator over, i.e.
+	##          the iterator is one-past-the-final-element.
+	global table_iterator_last: function(it: opaque of Broker::TableIterator): bool;
+
+	## Advance an iterator.
+	##
+	## it: an iterator.
+	##
+	## Returns: true if the iterator, after advancing, still references an element
+	##          in the collection.  False if the iterator, after advancing, is
+	##          one-past-the-final-element.
+	global table_iterator_next: function(it: opaque of Broker::TableIterator): bool;
+
+	## Retrieve the data at an iterator's current position.
+	##
+	## it: an iterator.
+	##
+	## Returns: element in the collection that the iterator currently references.
+	global table_iterator_value: function(it: opaque of Broker::TableIterator): Broker::TableItem;
+
+	## Create communication data of type "vector".
+	global vector_create: function(): Broker::Data;
+
+	## Remove all elements within a vector.
+	##
+	## v: the vector to clear.
+	##
+	## Returns: always true.
+	global vector_clear: function(v: Broker::Data): bool;
+
+	## Get the number of elements within a vector.
+	##
+	## v: the vector to query.
+	##
+	## Returns: the number of elements in the vector.
+	global vector_size: function(v: Broker::Data): count;
+
+	## Insert an element into a vector at a particular position, possibly displacing
+	## existing elements (insertion always grows the size of the vector by one).
+	##
+	## v: the vector to modify.
+	##
+	## d: the element to insert.
+	##
+	## idx: the index at which to insert the data.  If it is greater than the
+	##      current size of the vector, the element is inserted at the end.
+	##
+	## Returns: always true.
+	global vector_insert: function(v: Broker::Data, d: Broker::Data, idx: count): bool;
+
+	## Replace an element in a vector at a particular position.
+	##
+	## v: the vector to modify.
+	##
+	## d: the element to insert.
+	##
+	## idx: the index to replace.
+	##
+	## Returns: the value that was just evicted.  If the index was larger than any
+	##          valid index, the optional field of the returned record is not set.
+	global vector_replace: function(v: Broker::Data, d: Broker::Data, idx: count): Broker::Data;
+
+	## Remove an element from a vector at a particular position.
+	##
+	## v: the vector to modify.
+	##
+	## idx: the index to remove.
+	##
+	## Returns: the value that was just evicted.  If the index was larger than any
+	##          valid index, the optional field of the returned record is not set.
+	global vector_remove: function(v: Broker::Data, idx: count): Broker::Data;
+
+	## Lookup an element in a vector at a particular position.
+	##
+	## v: the vector to query.
+	##
+	## idx: the index to lookup.
+	##
+	## Returns: the value at the index.  If the index was larger than any
+	##          valid index, the optional field of the returned record is not set.
+	global vector_lookup: function(v: Broker::Data, idx: count): Broker::Data;
+
+	## Create an iterator for a vector.  Note that this makes a copy of the vector
+	## internally to ensure the iterator is always valid.
+	##
+	## v: the vector to iterate over.
+	##
+	## Returns: an iterator.
+	global vector_iterator: function(v: Broker::Data): opaque of Broker::VectorIterator;
+
+	## Check if there are no more elements to iterate over.
+	##
+	## it: an iterator.
+	##
+	## Returns: true if there are no more elements to iterator over, i.e.
+	##          the iterator is one-past-the-final-element.
+	global vector_iterator_last: function(it: opaque of Broker::VectorIterator): bool;
+
+	## Advance an iterator.
+	##
+	## it: an iterator.
+	##
+	## Returns: true if the iterator, after advancing, still references an element
+	##          in the collection.  False if the iterator, after advancing, is
+	##          one-past-the-final-element.
+	global vector_iterator_next: function(it: opaque of Broker::VectorIterator): bool;
+
+	## Retrieve the data at an iterator's current position.
+	##
+	## it: an iterator.
+	##
+	## Returns: element in the collection that the iterator currently references.
+	global vector_iterator_value: function(it: opaque of Broker::VectorIterator): Broker::Data;
+
+	## Create communication data of type "record".
+	##
+	## sz: the number of fields in the record.
+	##
+	## Returns: record data, with all fields uninitialized.
+	global record_create: function(sz: count): Broker::Data;
+
+	## Get the number of fields within a record.
+	##
+	## r: the record to query.
+	##
+	## Returns: the number of fields in the record.
+	global record_size: function(r: Broker::Data): count;
+
+	## Replace a field in a record at a particular position.
+	##
+	## r: the record to modify.
+	##
+	## d: the new field value to assign.
+	##
+	## idx: the index to replace.
+	##
+	## Returns: false if the index was larger than any valid index, else true.
+	global record_assign: function(r: Broker::Data, d: Broker::Data, idx: count): bool;
+
+	## Lookup a field in a record at a particular position.
+	##
+	## r: the record to query.
+	##
+	## idx: the index to lookup.
+	##
+	## Returns: the value at the index.  The optional field of the returned record
+	##          may not be set if the field of the record has no value or if the
+	##          index was not valid.
+	global record_lookup: function(r: Broker::Data, idx: count): Broker::Data;
+
+	## Create an iterator for a record.  Note that this makes a copy of the record
+	## internally to ensure the iterator is always valid.
+	##
+	## r: the record to iterate over.
+	##
+	## Returns: an iterator.
+	global record_iterator: function(r: Broker::Data): opaque of Broker::RecordIterator;
+
+	## Check if there are no more elements to iterate over.
+	##
+	## it: an iterator.
+	##
+	## Returns: true if there are no more elements to iterator over, i.e.
+	##          the iterator is one-past-the-final-element.
+	global record_iterator_last: function(it: opaque of Broker::RecordIterator): bool;
+
+	## Advance an iterator.
+	##
+	## it: an iterator.
+	##
+	## Returns: true if the iterator, after advancing, still references an element
+	##          in the collection.  False if the iterator, after advancing, is
+	##          one-past-the-final-element.
+	global record_iterator_next: function(it: opaque of Broker::RecordIterator): bool;
+
+	## Retrieve the data at an iterator's current position.
+	##
+	## it: an iterator.
+	##
+	## Returns: element in the collection that the iterator currently references.
+	global record_iterator_value: function(it: opaque of Broker::RecordIterator): Broker::Data;
+
+@endif
+}
+
+@load base/bif/store.bif
+
+module Broker;
+
+@ifdef ( Broker::__enable )
+
+function create_master(id: string, b: BackendType &default = MEMORY,
+                       options: BackendOptions &default = BackendOptions()): opaque of Broker::Handle
+	{
+	return __create_master(id, b, options);
+	}
+
+function create_clone(id: string, b: BackendType &default = MEMORY,
+                      options: BackendOptions &default = BackendOptions(),
+                      resync: interval &default = 1sec): opaque of Broker::Handle
+	{
+	return __create_clone(id, b, options, resync);
+	}
+
+function create_frontend(id: string): opaque of Broker::Handle
+	{
+	return __create_frontend(id);
+	}
+
+function close_by_handle(h: opaque of Broker::Handle): bool
+	{
+	return __close_by_handle(h);
+	}
+
+function insert(h: opaque of Broker::Handle, k: Broker::Data, v: Broker::Data,
+                e: Broker::ExpiryTime &default = Broker::ExpiryTime()): bool
+	{
+	return __insert(h, k, v, e);
+	}
+
+function erase(h: opaque of Broker::Handle, k: Broker::Data): bool
+	{
+	return __erase(h, k);
+	}
+
+function clear(h: opaque of Broker::Handle): bool
+	{
+	return __clear(h);
+	}
+
+function increment(h: opaque of Broker::Handle,
+                           k: Broker::Data, by: int &default = +1): bool
+	{
+	return __increment(h, k, by);
+	}
+
+function decrement(h: opaque of Broker::Handle,
+                           k: Broker::Data, by: int &default = +1): bool
+	{
+	return __decrement(h, k, by);
+	}
+
+function add_to_set(h: opaque of Broker::Handle,
+                            k: Broker::Data, element: Broker::Data): bool
+	{
+	return __add_to_set(h, k, element);
+	}
+
+function remove_from_set(h: opaque of Broker::Handle,
+                                 k: Broker::Data, element: Broker::Data): bool
+	{
+	return __remove_from_set(h, k, element);
+	}
+
+function push_left(h: opaque of Broker::Handle, k: Broker::Data,
+                           items: Broker::DataVector): bool
+	{
+	return __push_left(h, k, items);
+	}
+
+function push_right(h: opaque of Broker::Handle, k: Broker::Data,
+                            items: Broker::DataVector): bool
+	{
+	return __push_right(h, k, items);
+	}
+
+function pop_left(h: opaque of Broker::Handle, k: Broker::Data): QueryResult
+	{
+	return __pop_left(h, k);
+	}
+
+function pop_right(h: opaque of Broker::Handle, k: Broker::Data): QueryResult
+	{
+	return __pop_right(h, k);
+	}
+
+function lookup(h: opaque of Broker::Handle, k: Broker::Data): QueryResult
+	{
+	return __lookup(h, k);
+	}
+
+function exists(h: opaque of Broker::Handle, k: Broker::Data): QueryResult
+	{
+	return __exists(h, k);
+	}
+
+function keys(h: opaque of Broker::Handle): QueryResult
+	{
+	return __keys(h);
+	}
+
+function size(h: opaque of Broker::Handle): QueryResult
+	{
+	return __size(h);
+	}
+
+function data(d: any): Broker::Data
+	{
+	return __data(d);
+	}
+
+function data_type(d: Broker::Data): Broker::DataType
+	{
+	return __data_type(d);
+	}
+
+function refine_to_bool(d: Broker::Data): bool
+	{
+	return __refine_to_bool(d);
+	}
+
+function refine_to_int(d: Broker::Data): int
+	{
+	return __refine_to_int(d);
+	}
+
+function refine_to_count(d: Broker::Data): count
+	{
+	return __refine_to_count(d);
+	}
+
+function refine_to_double(d: Broker::Data): double
+	{
+	return __refine_to_double(d);
+	}
+
+function refine_to_string(d: Broker::Data): string
+	{
+	return __refine_to_string(d);
+	}
+
+function refine_to_addr(d: Broker::Data): addr
+	{
+	return __refine_to_addr(d);
+	}
+
+function refine_to_subnet(d: Broker::Data): subnet
+	{
+	return __refine_to_subnet(d);
+	}
+
+function refine_to_port(d: Broker::Data): port
+	{
+	return __refine_to_port(d);
+	}
+
+function refine_to_time(d: Broker::Data): time
+	{
+	return __refine_to_time(d);
+	}
+
+function refine_to_interval(d: Broker::Data): interval
+	{
+	return __refine_to_interval(d);
+	}
+
+function refine_to_enum_name(d: Broker::Data): string
+	{
+	return __refine_to_enum_name(d);
+	}
+
+function set_create(): Broker::Data
+	{
+	return __set_create();
+	}
+
+function set_clear(s: Broker::Data): bool
+	{
+	return __set_clear(s);
+	}
+
+function set_size(s: Broker::Data): count
+	{
+	return __set_size(s);
+	}
+
+function set_contains(s: Broker::Data, key: Broker::Data): bool
+	{
+	return __set_contains(s, key);
+	}
+
+function set_insert(s: Broker::Data, key: Broker::Data): bool
+	{
+	return __set_insert(s, key);
+	}
+
+function set_remove(s: Broker::Data, key: Broker::Data): bool
+	{
+	return __set_remove(s, key);
+	}
+
+function set_iterator(s: Broker::Data): opaque of Broker::SetIterator
+	{
+	return __set_iterator(s);
+	}
+
+function set_iterator_last(it: opaque of Broker::SetIterator): bool
+	{
+	return __set_iterator_last(it);
+	}
+
+function set_iterator_next(it: opaque of Broker::SetIterator): bool
+	{
+	return __set_iterator_next(it);
+	}
+
+function set_iterator_value(it: opaque of Broker::SetIterator): Broker::Data
+	{
+	return __set_iterator_value(it);
+	}
+
+function table_create(): Broker::Data
+	{
+	return __table_create();
+	}
+
+function table_clear(t: Broker::Data): bool
+	{
+	return __table_clear(t);
+	}
+
+function table_size(t: Broker::Data): count
+	{
+	return __table_size(t);
+	}
+
+function table_contains(t: Broker::Data, key: Broker::Data): bool
+	{
+	return __table_contains(t, key);
+	}
+
+function table_insert(t: Broker::Data, key: Broker::Data, val: Broker::Data): Broker::Data
+	{
+	return __table_insert(t, key, val);
+	}
+
+function table_remove(t: Broker::Data, key: Broker::Data): Broker::Data
+	{
+	return __table_remove(t, key);
+	}
+
+function table_lookup(t: Broker::Data, key: Broker::Data): Broker::Data
+	{
+	return __table_lookup(t, key);
+	}
+
+function table_iterator(t: Broker::Data): opaque of Broker::TableIterator
+	{
+	return __table_iterator(t);
+	}
+
+function table_iterator_last(it: opaque of Broker::TableIterator): bool
+	{
+	return __table_iterator_last(it);
+	}
+
+function table_iterator_next(it: opaque of Broker::TableIterator): bool
+	{
+	return __table_iterator_next(it);
+	}
+
+function table_iterator_value(it: opaque of Broker::TableIterator): Broker::TableItem
+	{
+	return __table_iterator_value(it);
+	}
+
+function vector_create(): Broker::Data
+	{
+	return __vector_create();
+	}
+
+function vector_clear(v: Broker::Data): bool
+	{
+	return __vector_clear(v);
+	}
+
+function vector_size(v: Broker::Data): count
+	{
+	return __vector_size(v);
+	}
+
+function vector_insert(v: Broker::Data, d: Broker::Data, idx: count): bool
+	{
+	return __vector_insert(v, d, idx);
+	}
+
+function vector_replace(v: Broker::Data, d: Broker::Data, idx: count): Broker::Data
+	{
+	return __vector_replace(v, d, idx);
+	}
+
+function vector_remove(v: Broker::Data, idx: count): Broker::Data
+	{
+	return __vector_remove(v, idx);
+	}
+
+function vector_lookup(v: Broker::Data, idx: count): Broker::Data
+	{
+	return __vector_lookup(v, idx);
+	}
+
+function vector_iterator(v: Broker::Data): opaque of Broker::VectorIterator
+	{
+	return __vector_iterator(v);
+	}
+
+function vector_iterator_last(it: opaque of Broker::VectorIterator): bool
+	{
+	return __vector_iterator_last(it);
+	}
+
+function vector_iterator_next(it: opaque of Broker::VectorIterator): bool
+	{
+	return __vector_iterator_next(it);
+	}
+
+function vector_iterator_value(it: opaque of Broker::VectorIterator): Broker::Data
+	{
+	return __vector_iterator_value(it);
+	}
+
+function record_create(sz: count): Broker::Data
+	{
+	return __record_create(sz);
+	}
+
+function record_size(r: Broker::Data): count
+	{
+	return __record_size(r);
+	}
+
+function record_assign(r: Broker::Data, d: Broker::Data, idx: count): bool
+	{
+	return __record_assign(r, d, idx);
+	}
+
+function record_lookup(r: Broker::Data, idx: count): Broker::Data
+	{
+	return __record_lookup(r, idx);
+	}
+
+function record_iterator(r: Broker::Data): opaque of Broker::RecordIterator
+	{
+	return __record_iterator(r);
+	}
+
+function record_iterator_last(it: opaque of Broker::RecordIterator): bool
+	{
+	return __record_iterator_last(it);
+	}
+
+function record_iterator_next(it: opaque of Broker::RecordIterator): bool
+	{
+	return __record_iterator_next(it);
+	}
+
+function record_iterator_value(it: opaque of Broker::RecordIterator): Broker::Data
+	{
+	return __record_iterator_value(it);
+	}
+
+@endif
diff --git a/scripts/base/frameworks/cluster/main.bro b/scripts/base/frameworks/cluster/main.bro
index 3451cb4169..55fc084641 100644
--- a/scripts/base/frameworks/cluster/main.bro
+++ b/scripts/base/frameworks/cluster/main.bro
@@ -68,7 +68,7 @@ export {
 	## Events raised by TimeMachine instances and handled by workers.
 	const tm2worker_events = /EMPTY/ &redef;
 
-	## Events sent by the control host (i.e. BroControl) when dynamically
+	## Events sent by the control host (i.e., BroControl) when dynamically
 	## connecting to a running instance to update settings or request data.
 	const control_events = Control::controller_events &redef;
 
diff --git a/scripts/base/frameworks/files/magic/archive.sig b/scripts/base/frameworks/files/magic/archive.sig
index 9b95f33b25..2e4336a2ca 100644
--- a/scripts/base/frameworks/files/magic/archive.sig
+++ b/scripts/base/frameworks/files/magic/archive.sig
@@ -174,3 +174,8 @@ signature file-lzma {
 	file-magic /^\x5d\x00\x00/
 }
 
+# ACE archive file.
+signature file-ace-archive {
+    file-mime "application/x-ace", 100
+    file-magic /^.{7}\*\*ACE\*\*/
+}
diff --git a/scripts/base/frameworks/files/magic/audio.sig b/scripts/base/frameworks/files/magic/audio.sig
index efba99ed0d..9b4d7da66b 100644
--- a/scripts/base/frameworks/files/magic/audio.sig
+++ b/scripts/base/frameworks/files/magic/audio.sig
@@ -2,7 +2,7 @@
 # MPEG v3 audio
 signature file-mpeg-audio {
 	file-mime "audio/mpeg", 20
-	file-magic /^\xff[\xe2\xe3\xf2\xf3\xf6\xf7\xfa\xfb\xfc\xfd]/
+	file-magic /^(ID3|\xff[\xe2\xe3\xf2\xf3\xf6\xf7\xfa\xfb\xfc\xfd])/
 }
 
 # MPEG v4 audio
diff --git a/scripts/base/frameworks/files/magic/general.sig b/scripts/base/frameworks/files/magic/general.sig
index 268412ff05..bea6ae9ece 100644
--- a/scripts/base/frameworks/files/magic/general.sig
+++ b/scripts/base/frameworks/files/magic/general.sig
@@ -9,53 +9,53 @@ signature file-plaintext {
 
 signature file-json {
 	file-mime "text/json", 1
-	file-magic /^(\xef\xbb\xbf)?[\x0d\x0a[:blank:]]*\{[\x0d\x0a[:blank:]]*(["][^"]{1,}["]|[a-zA-Z][a-zA-Z0-9\\_]*)[\x0d\x0a[:blank:]]*:[\x0d\x0a[:blank:]]*(["]|\[|\{|[0-9]|true|false)/
+	file-magic /^(\xef\xbb\xbf|\xff\xfe|\xfe\xff)?[\x0d\x0a[:blank:]]*\{[\x0d\x0a[:blank:]]*(["][^"]{1,}["]|[a-zA-Z][a-zA-Z0-9\\_]*)[\x0d\x0a[:blank:]]*:[\x0d\x0a[:blank:]]*(["]|\[|\{|[0-9]|true|false)/
 }
 
 signature file-json2 {
 	file-mime "text/json", 1
-	file-magic /^(\xef\xbb\xbf)?[\x0d\x0a[:blank:]]*\[[\x0d\x0a[:blank:]]*(((["][^"]{1,}["]|[0-9]{1,}(\.[0-9]{1,})?|true|false)[\x0d\x0a[:blank:]]*,)|\{|\[)[\x0d\x0a[:blank:]]*/
+	file-magic /^(\xef\xbb\xbf|\xff\xfe|\xfe\xff)?[\x0d\x0a[:blank:]]*\[[\x0d\x0a[:blank:]]*(((["][^"]{1,}["]|[0-9]{1,}(\.[0-9]{1,})?|true|false)[\x0d\x0a[:blank:]]*,)|\{|\[)[\x0d\x0a[:blank:]]*/
 }
 
 # Match empty JSON documents.
 signature file-json3 {
 	file-mime "text/json", 0
-	file-magic /^(\xef\xbb\xbf)?[\x0d\x0a[:blank:]]*(\[\]|\{\})[\x0d\x0a[:blank:]]*$/
+	file-magic /^(\xef\xbb\xbf|\xff\xfe|\xfe\xff)?[\x0d\x0a[:blank:]]*(\[\]|\{\})[\x0d\x0a[:blank:]]*$/
 }
 
 signature file-xml {
 	file-mime "application/xml", 10
-	file-magic /^(\xef\xbb\xbf)?([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*<\?xml /
+	file-magic /^(\xef\xbb\xbf|\xff\xfe|\xfe\xff)?([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*\x00?<\x00?\?\x00?x\x00?m\x00?l\x00? \x00?/
 }
 
 signature file-xhtml {
 	file-mime "text/html", 100
-	file-magic /^(\xef\xbb\xbf)?([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*(<\?xml .*\?>)?([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*<(![dD][oO][cC][tT][yY][pP][eE] {1,}[hH][tT][mM][lL]|[hH][tT][mM][lL]|[mM][eE][tT][aA] {1,}[hH][tT][tT][pP]-[eE][qQ][uU][iI][vV])/
+	file-magic /^(\xef\xbb\xbf|\xff\xfe|\xfe\xff)?([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*(<\?xml .*\?>)?([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*<(![dD][oO][cC][tT][yY][pP][eE] {1,}[hH][tT][mM][lL]|[hH][tT][mM][lL]|[mM][eE][tT][aA] {1,}[hH][tT][tT][pP]-[eE][qQ][uU][iI][vV])/
 }
 
 signature file-html {
 	file-mime "text/html", 49
-	file-magic /^(\xef\xbb\xbf)?([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*(<\?xml .*\?>)?([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*<![dD][oO][cC][tT][yY][pP][eE] {1,}[hH][tT][mM][lL]/
+	file-magic /^(\xef\xbb\xbf|\xff\xfe|\xfe\xff)?([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*(<\?xml .*\?>)?([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*<![dD][oO][cC][tT][yY][pP][eE] {1,}[hH][tT][mM][lL]/
 }
 
 signature file-html2 {
 	file-mime "text/html", 20
-	file-magic /^(\xef\xbb\xbf)?([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*(<\?xml .*\?>)?([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*<([hH][eE][aA][dD]|[hH][tT][mM][lL]|[tT][iI][tT][lL][eE]|[bB][oO][dD][yY])/
+	file-magic /^(\xef\xbb\xbf|\xff\xfe|\xfe\xff)?([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*(<\?xml .*\?>)?([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*<([hH][eE][aA][dD]|[hH][tT][mM][lL]|[tT][iI][tT][lL][eE]|[bB][oO][dD][yY])/
 }
 
 signature file-rss {
 	file-mime "text/rss", 90
-	file-magic /^(\xef\xbb\xbf)?([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*(<\?xml .*\?>)?([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*<[rR][sS][sS]/
+	file-magic /^(\xef\xbb\xbf|\xff\xfe|\xfe\xff)?([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*(<\?xml .*\?>)?([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*<[rR][sS][sS]/
 }
 
 signature file-atom {
 	file-mime "text/atom", 100
-	file-magic /^(\xef\xbb\xbf)?([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*(<\?xml .*\?>)?([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*<([rR][sS][sS][^>]*xmlns:atom|[fF][eE][eE][dD][^>]*xmlns=["']?http:\/\/www.w3.org\/2005\/Atom["']?)/
+	file-magic /^(\xef\xbb\xbf|\xff\xfe|\xfe\xff)?([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*(<\?xml .*\?>)?([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*<([rR][sS][sS][^>]*xmlns:atom|[fF][eE][eE][dD][^>]*xmlns=["']?http:\/\/www.w3.org\/2005\/Atom["']?)/
 }
 
 signature file-soap {
 	file-mime "application/soap+xml", 49
-	file-magic /^(\xef\xbb\xbf)?([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*(<\?xml .*\?>)?([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*<[sS][oO][aA][pP](-[eE][nN][vV])?:[eE][nN][vV][eE][lL][oO][pP][eE]/
+	file-magic /^(\xef\xbb\xbf|\xff\xfe|\xfe\xff)?([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*(<\?xml .*\?>)?([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*<[sS][oO][aA][pP](-[eE][nN][vV])?:[eE][nN][vV][eE][lL][oO][pP][eE]/
 }
 
 signature file-cross-domain-policy {
@@ -70,7 +70,7 @@ signature file-cross-domain-policy2 {
 
 signature file-xmlrpc {
 	file-mime "application/xml-rpc", 49
-	file-magic /^(\xef\xbb\xbf)?([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*(<\?xml .*\?>)?([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*<[mM][eE][tT][hH][oO][dD][rR][eE][sS][pP][oO][nN][sS][eE]>/
+	file-magic /^(\xef\xbb\xbf|\xff\xfe|\xfe\xff)?([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*(<\?xml .*\?>)?([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*<[mM][eE][tT][hH][oO][dD][rR][eE][sS][pP][oO][nN][sS][eE]>/
 }
 
 signature file-coldfusion {
@@ -81,7 +81,13 @@ signature file-coldfusion {
 # Adobe Flash Media Manifest
 signature file-f4m {
 	file-mime "application/f4m", 49
-	file-magic /^(\xef\xbb\xbf)?([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*(<\?xml .*\?>)?([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*<[mM][aA][nN][iI][fF][eE][sS][tT][\x0d\x0a[:blank:]]{1,}xmlns=\"http:\/\/ns\.adobe\.com\/f4m\//
+	file-magic /^(\xef\xbb\xbf|\xff\xfe|\xfe\xff)?([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*(<\?xml .*\?>)?([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*<[mM][aA][nN][iI][fF][eE][sS][tT][\x0d\x0a[:blank:]]{1,}xmlns=\"http:\/\/ns\.adobe\.com\/f4m\//
+}
+
+# .ini style files
+signature file-ini {
+	file-mime "text/ini", 20
+	file-magic /^(\xef\xbb\xbf|\xff\xfe|\xfe\xff)?[\x00\x0d\x0a[:blank:]]*\[[^\x0d\x0a]+\][[:blank:]\x00]*[\x0d\x0a]/
 }
 
 # Microsoft LNK files
@@ -90,6 +96,41 @@ signature file-lnk {
 	file-magic /^\x4C\x00\x00\x00\x01\x14\x02\x00\x00\x00\x00\x00\xC0\x00\x00\x00\x00\x10\x00\x00\x00\x46/
 }
 
+# Microsoft Registry policies
+signature file-pol {
+	file-mime "application/vnd.ms-pol", 49
+	file-magic /^PReg/
+}
+
+# Old style Windows registry file
+signature file-reg {
+	file-mime "application/vnd.ms-reg", 49
+	file-magic /^REGEDIT4/
+}
+
+# Newer Windows registry file
+signature file-reg-utf16 {
+	file-mime "application/vnd.ms-reg", 49
+	file-magic /^\xFF\xFEW\x00i\x00n\x00d\x00o\x00w\x00s\x00 \x00R\x00e\x00g\x00i\x00s\x00t\x00r\x00y\x00 \x00E\x00d\x00i\x00t\x00o\x00r\x00 \x00V\x00e\x00r\x00s\x00i\x00o\x00n\x00 \x005\x00\.\x000\x000/
+}
+
+# Microsoft Registry format (typically DESKTOP.DAT)
+signature file-regf {
+	file-mime "application vnd.ms-regf", 49
+	file-magic /^\x72\x65\x67\x66/
+}
+
+# Microsoft Outlook PST files
+signature file-pst {
+	file-mime "application/vnd.ms-outlook", 49
+	file-magic /!BDN......[\x0e\x0f\x15\x17][\x00-\x02]/
+}
+
+signature file-afpinfo {
+	file-mime "application/vnd.apple-afpinfo"
+	file-magic /^AFP/
+}
+
 signature file-jar {
 	file-mime "application/java-archive", 100
 	file-magic /^PK\x03\x04.{1,200}\x14\x00..META-INF\/MANIFEST\.MF/
diff --git a/scripts/base/frameworks/intel/main.bro b/scripts/base/frameworks/intel/main.bro
index eba27ca56a..28e8a40baa 100644
--- a/scripts/base/frameworks/intel/main.bro
+++ b/scripts/base/frameworks/intel/main.bro
@@ -77,23 +77,34 @@ export {
 		## The type of data that the indicator represents.
 		indicator_type:  Type          &log &optional;
 
-		## If the indicator type was :bro:enum:`Intel::ADDR`, then this 
+		## If the indicator type was :bro:enum:`Intel::ADDR`, then this
 		## field will be present.
 		host:            addr          &optional;
 
 		## Where the data was discovered.
 		where:           Where         &log;
-		
+
 		## The name of the node where the match was discovered.
 		node:            string        &optional &log;
 
-		## If the data was discovered within a connection, the 
+		## If the data was discovered within a connection, the
 		## connection record should go here to give context to the data.
 		conn:            connection    &optional;
 
+		## If the data was discovered within a connection, the
+		## connection uid should go here to give context to the data.
+		## If the *conn* field is provided, this will be automatically
+		## filled out.
+		uid:             string        &optional;
+
 		## If the data was discovered within a file, the file record
 		## should go here to provide context to the data.
 		f:               fa_file       &optional;
+
+		## If the data was discovered within a file, the file uid should
+		## go here to provide context to the data. If the *f* field is
+		## provided, this will be automatically filled out.
+		fuid:            string        &optional;
 	};
 
 	## Record used for the logging framework representing a positive
@@ -112,7 +123,8 @@ export {
 		## If a file was associated with this intelligence hit,
 		## this is the uid for the file.
 		fuid:           string   &log &optional;
-		## A mime type if the intelligence hit is related to a file.  
+
+		## A mime type if the intelligence hit is related to a file.
 		## If the $f field is provided this will be automatically filled
 		## out.
 		file_mime_type: string   &log &optional;
@@ -283,15 +295,14 @@ event Intel::match(s: Seen, items: set[Item]) &priority=5
 
 	if ( s?$f )
 		{
+		s$fuid = s$f$id;
+
 		if ( s$f?$conns && |s$f$conns| == 1 )
 			{
 			for ( cid in s$f$conns )
 				s$conn = s$f$conns[cid];
 			}
 
-		if ( ! info?$fuid )
-			info$fuid = s$f$id;
-
 		if ( ! info?$file_mime_type && s$f?$info && s$f$info?$mime_type )
 			info$file_mime_type = s$f$info$mime_type;
 
@@ -299,12 +310,18 @@ event Intel::match(s: Seen, items: set[Item]) &priority=5
 			info$file_desc = Files::describe(s$f);
 		}
 
+	if ( s?$fuid )
+		info$fuid = s$fuid;
+
 	if ( s?$conn )
 		{
-		info$uid = s$conn$uid;
+		s$uid = s$conn$uid;
 		info$id  = s$conn$id;
 		}
 
+	if ( s?$uid )
+		info$uid = s$uid;
+
 	for ( item in items )
 		add info$sources[item$meta$source];
 
diff --git a/scripts/base/frameworks/netcontrol/__load__.bro b/scripts/base/frameworks/netcontrol/__load__.bro
new file mode 100644
index 0000000000..a8e391f7c8
--- /dev/null
+++ b/scripts/base/frameworks/netcontrol/__load__.bro
@@ -0,0 +1,15 @@
+@load ./types
+@load ./main
+@load ./plugins
+@load ./drop
+@load ./shunt
+@load ./catch-and-release
+
+# The cluster framework must be loaded first.
+@load base/frameworks/cluster
+
+@if ( Cluster::is_enabled() )
+@load ./cluster
+@else
+@load ./non-cluster
+@endif
diff --git a/scripts/base/frameworks/netcontrol/catch-and-release.bro b/scripts/base/frameworks/netcontrol/catch-and-release.bro
new file mode 100644
index 0000000000..a95954ac07
--- /dev/null
+++ b/scripts/base/frameworks/netcontrol/catch-and-release.bro
@@ -0,0 +1,104 @@
+##! Implementation of catch-and-release functionality for NetControl.
+
+module NetControl;
+
+@load ./main
+@load ./drop
+
+export {
+	## Stops all packets involving an IP address from being forwarded. This function
+	## uses catch-and-release functionality, where the IP address is only dropped for
+	## a short amount of time that is incremented steadily when the IP is encountered
+	## again.
+	##
+	## a: The address to be dropped.
+	##
+	## t: How long to drop it, with 0 being indefinitly.
+	##
+	## location: An optional string describing where the drop was triggered.
+	##
+	## Returns: The id of the inserted rule on succes and zero on failure.
+	global drop_address_catch_release: function(a: addr, location: string &default="") : string;
+
+        ## Time intervals for which a subsequent drops of the same IP take
+        ## effect.
+	const catch_release_intervals: vector of interval = vector(10min, 1hr, 24hrs, 7days) &redef;
+}
+
+function per_block_interval(t: table[addr] of count, idx: addr): interval
+	{
+	local ct = t[idx];
+
+	# watch for the time of the next block...
+	local blocktime = catch_release_intervals[ct];
+	if ( (ct+1) in catch_release_intervals )
+		blocktime = catch_release_intervals[ct+1];
+
+	return blocktime;
+	}
+
+# This is the internally maintained table containing all the currently going on catch-and-release
+# blocks.
+global blocks: table[addr] of count = {}
+	&create_expire=0secs
+	&expire_func=per_block_interval;
+
+function current_block_interval(s: set[addr], idx: addr): interval
+	{
+	if ( idx !in blocks )
+		{
+		Reporter::error(fmt("Address %s not in blocks while inserting into current_blocks!", idx));
+		return 0sec;
+		}
+
+	return catch_release_intervals[blocks[idx]];
+	}
+
+global current_blocks: set[addr] = set()
+	&create_expire=0secs
+	&expire_func=current_block_interval;
+
+function drop_address_catch_release(a: addr, location: string &default=""): string
+	{
+	if ( a in blocks )
+		{
+		Reporter::warning(fmt("Address %s already blocked using catch-and-release - ignoring duplicate", a));
+		return "";
+		}
+
+	local block_interval = catch_release_intervals[0];
+	local ret = drop_address(a, block_interval, location);
+	if ( ret != "" )
+		{
+		blocks[a] = 0;
+		add current_blocks[a];
+		}
+
+	return ret;
+	}
+
+function check_conn(a: addr)
+	{
+	if ( a in blocks )
+		{
+		if ( a in current_blocks )
+			# block has not been applied yet?
+			return;
+
+		# ok, this one returned again while still in the backoff period.
+		local try = blocks[a];
+		if ( (try+1) in catch_release_intervals )
+			++try;
+
+		blocks[a] = try;
+		add current_blocks[a];
+		local block_interval = catch_release_intervals[try];
+		drop_address(a, block_interval, "Re-drop by catch-and-release");
+		}
+	}
+
+event new_connection(c: connection)
+	{
+	# let's only check originating connections...
+	check_conn(c$id$orig_h);
+	}
diff --git a/scripts/base/frameworks/netcontrol/cluster.bro b/scripts/base/frameworks/netcontrol/cluster.bro
new file mode 100644
index 0000000000..7f635b4375
--- /dev/null
+++ b/scripts/base/frameworks/netcontrol/cluster.bro
@@ -0,0 +1,99 @@
+##! Cluster support for the NetControl framework.
+
+@load ./main
+@load base/frameworks/cluster
+
+module NetControl;
+
+export {
+	## This is the event used to transport add_rule calls to the manager.
+	global cluster_netcontrol_add_rule: event(r: Rule);
+
+	## This is the event used to transport remove_rule calls to the manager.
+	global cluster_netcontrol_remove_rule: event(id: string);
+}
+
+## Workers need ability to forward commands to manager.
+redef Cluster::worker2manager_events += /NetControl::cluster_netcontrol_(add|remove)_rule/;
+## Workers need to see the result events from the manager.
+redef Cluster::manager2worker_events += /NetControl::rule_(added|removed|timeout|error)/;
+
+
+function activate(p: PluginState, priority: int)
+	{
+	# we only run the activate function on the manager.
+	if ( Cluster::local_node_type() != Cluster::MANAGER )
+		return;
+
+	activate_impl(p, priority);
+	}
+
+global local_rule_count: count = 1;
+
+function add_rule(r: Rule) : string
+	{
+	if ( Cluster::local_node_type() == Cluster::MANAGER )
+		return add_rule_impl(r);
+	else
+		{
+		if ( r$id == "" )
+			r$id = cat(Cluster::node, ":", ++local_rule_count);
+
+		event NetControl::cluster_netcontrol_add_rule(r);
+		return r$id;
+		}
+	}
+
+function remove_rule(id: string) : bool
+	{
+	if ( Cluster::local_node_type() == Cluster::MANAGER )
+		return remove_rule_impl(id);
+	else
+		{
+		event NetControl::cluster_netcontrol_remove_rule(id);
+		return T; # well, we can't know here. So - just hope...
+		}
+	}
+
+@if ( Cluster::local_node_type() == Cluster::MANAGER )
+event NetControl::cluster_netcontrol_add_rule(r: Rule)
+	{
+	add_rule_impl(r);
+	}
+
+event NetControl::cluster_netcontrol_remove_rule(id: string)
+	{
+	remove_rule_impl(id);
+	}
+@endif
+
+@if ( Cluster::local_node_type() == Cluster::MANAGER )
+event rule_expire(r: Rule, p: PluginState) &priority=-5
+	{
+	rule_expire_impl(r, p);
+	}
+
+event rule_added(r: Rule, p: PluginState, msg: string &default="") &priority=5
+	{
+	rule_added_impl(r, p, msg);
+
+	if ( r?$expire && r$expire > 0secs && ! p$plugin$can_expire )
+		schedule r$expire { rule_expire(r, p) };
+	}
+
+event rule_removed(r: Rule, p: PluginState, msg: string &default="") &priority=-5
+	{
+	rule_removed_impl(r, p, msg);
+	}
+
+event rule_timeout(r: Rule, i: FlowInfo, p: PluginState) &priority=-5
+	{
+	rule_timeout_impl(r, i, p);
+	}
+
+event rule_error(r: Rule, p: PluginState, msg: string &default="") &priority=-5
+	{
+	rule_error_impl(r, p, msg);
+	}
+@endif
+
diff --git a/scripts/base/frameworks/netcontrol/drop.bro b/scripts/base/frameworks/netcontrol/drop.bro
new file mode 100644
index 0000000000..63c70f0e88
--- /dev/null
+++ b/scripts/base/frameworks/netcontrol/drop.bro
@@ -0,0 +1,98 @@
+##! Implementation of the drop functionality for NetControl.
+
+module NetControl;
+
+@load ./main
+
+export {
+	redef enum Log::ID += { DROP };
+
+	## Stops all packets involving an IP address from being forwarded.
+	##
+	## a: The address to be dropped.
+	##
+	## t: How long to drop it, with 0 being indefinitly.
+	##
+	## location: An optional string describing where the drop was triggered.
+	##
+	## Returns: The id of the inserted rule on succes and zero on failure.
+	global drop_address: function(a: addr, t: interval, location: string &default="") : string;
+
+	## Stops all packets involving an connection address from being forwarded.
+	##
+	## c: The connection to be dropped.
+	##
+	## t: How long to drop it, with 0 being indefinitly.
+	##
+	## location: An optional string describing where the drop was triggered.
+	##
+	## Returns: The id of the inserted rule on succes and zero on failure.
+	global drop_connection: function(c: conn_id, t: interval, location: string &default="") : string;
+
+	type DropInfo: record {
+		## Time at which the recorded activity occurred.
+		ts: time		&log;
+		## ID of the rule; unique during each Bro run
+		rule_id: string  &log;
+		orig_h: addr 	&log;	##< The originator's IP address.
+		orig_p: port 	&log &optional;	##< The originator's port number.
+		resp_h: addr	&log &optional;	##< The responder's IP address.
+		resp_p: port	&log &optional;	##< The responder's port number.
+		## Expiry time of the shunt
+		expire: interval &log;
+		## Location where the underlying action was triggered.
+		location: string	&log &optional;
+	};
+
+	## Event that can be handled to access the :bro:type:`NetControl::ShuntInfo`
+	## record as it is sent on to the logging framework.
+	global log_netcontrol_drop: event(rec: DropInfo);
+}
+
+event bro_init() &priority=5
+	{
+	Log::create_stream(NetControl::DROP, [$columns=DropInfo, $ev=log_netcontrol_drop, $path="netcontrol_drop"]);
+	}
+
+function drop_connection(c: conn_id, t: interval, location: string &default="") : string
+	{
+	local e: Entity = [$ty=CONNECTION, $conn=c];
+	local r: Rule = [$ty=DROP, $target=FORWARD, $entity=e, $expire=t, $location=location];
+
+	local id = add_rule(r);
+
+	# Error should already be logged
+	if ( id == "" )
+		return id;
+
+	local log = DropInfo($ts=network_time(), $rule_id=id, $orig_h=c$orig_h, $orig_p=c$orig_p, $resp_h=c$resp_h, $resp_p=c$resp_p, $expire=t);
+
+	if ( location != "" )
+		log$location=location;
+
+	Log::write(DROP, log);
+
+	return id;
+	}
+
+function drop_address(a: addr, t: interval, location: string &default="") : string
+	{
+	local e: Entity = [$ty=ADDRESS, $ip=addr_to_subnet(a)];
+	local r: Rule = [$ty=DROP, $target=FORWARD, $entity=e, $expire=t, $location=location];
+
+	local id = add_rule(r);
+
+	# Error should already be logged
+	if ( id == "" )
+		return id;
+
+	local log = DropInfo($ts=network_time(), $rule_id=id, $orig_h=a, $expire=t);
+
+	if ( location != "" )
+		log$location=location;
+
+	Log::write(DROP, log);
+
+	return id;
+	}
+
diff --git a/scripts/base/frameworks/netcontrol/main.bro b/scripts/base/frameworks/netcontrol/main.bro
new file mode 100644
index 0000000000..65537ed9cf
--- /dev/null
+++ b/scripts/base/frameworks/netcontrol/main.bro
@@ -0,0 +1,938 @@
+##! Bro's packet aquisition and control framework.
+##!
+##! This plugin-based framework allows to control the traffic that Bro monitors
+##! as well as, if having access to the forwarding path, the traffic the network
+##! forwards. By default, the framework lets everything through, to both Bro
+##! itself as well as on the network. Scripts can then add rules to impose
+##! restrictions on entities, such as specific connections or IP addresses.
+##!
+##! This framework has two APIs: a high-level and low-level. The high-level API
+##! provides convinience functions for a set of common operations. The
+##! low-level API provides full flexibility.
+
+module NetControl;
+
+@load ./plugin
+@load ./types
+
+export {
+	## The framework's logging stream identifier.
+	redef enum Log::ID += { LOG };
+
+	# ###
+	# ###  Generic functions and events.
+	# ###
+
+	## Activates a plugin.
+	##
+	## p: The plugin to acticate.
+	##
+	## priority: The higher the priority, the earlier this plugin will be checked
+	##           whether it supports an operation, relative to other plugins.
+	global activate: function(p: PluginState, priority: int);
+
+	## Event that is used to initialize plugins. Place all plugin initialization
+	## related functionality in this event.
+	global NetControl::init: event();
+
+	## Event that is raised once all plugins activated in ``NetControl::init``
+	## have finished their initialization.
+	global NetControl::init_done: event();
+
+	# ###
+	# ### High-level API.
+	# ###
+
+	# ### Note - other high level primitives are in catch-and-release.bro, shunt.bro and
+	# ### drop.bro
+
+	## Allows all traffic involving a specific IP address to be forwarded.
+	##
+	## a: The address to be whitelistet.
+	##
+	## t: How long to whitelist it, with 0 being indefinitly.
+	##
+	## location: An optional string describing whitelist was triddered.
+	##
+	## Returns: The id of the inserted rule on succes and zero on failure.
+	global whitelist_address: function(a: addr, t: interval, location: string &default="") : string;
+
+	## Allows all traffic involving a specific IP subnet to be forwarded.
+	##
+	## s: The subnet to be whitelistet.
+	##
+	## t: How long to whitelist it, with 0 being indefinitly.
+	##
+	## location: An optional string describing whitelist was triddered.
+	##
+	## Returns: The id of the inserted rule on succes and zero on failure.
+	global whitelist_subnet: function(s: subnet, t: interval, location: string &default="") : string;
+
+	## Redirects an uni-directional flow to another port.
+	##
+	## f: The flow to redirect.
+	##
+	## out_port: Port to redirect the flow to
+	##
+	## t: How long to leave the redirect in place, with 0 being indefinitly.
+	##
+	## location: An optional string describing where the redirect was triggered.
+	##
+	## Returns: The id of the inserted rule on succes and zero on failure.
+	global redirect_flow: function(f: flow_id, out_port: count, t: interval, location: string &default="") : string;
+
+	## Quarantines a host by redirecting rewriting DNS queries to the network dns server dns
+	## to the host. Host has to answer to all queries with its own address. Only http communication
+	## from infected to quarantinehost is allowed.
+	##
+	## infected: the host to quarantine
+	##
+	## dns: the network dns server
+	##
+	## quarantine: the quarantine server running a dns and a web server
+	##
+	## t: how long to leave the quarantine in place
+	##
+	## Returns: Vector of inserted rules on success, empty list on failure.
+	global quarantine_host: function(infected: addr, dns: addr, quarantine: addr, t: interval, location: string &default="") : vector of string;
+
+	## Flushes all state.
+	global clear: function();
+
+	# ###
+	# ### Low-level API.
+	# ###
+
+	###### Manipulation of rules.
+
+	## Installs a rule.
+	##
+	## r: The rule to install.
+	##
+	## Returns: If succesful, returns an ID string unique to the rule that can
+	##          later be used to refer to it. If unsuccessful, returns an empty
+	##          string. The ID is also assigned to ``r$id``. Note that
+	##          "successful" means "a plugin knew how to handle the rule", it
+	##          doesn't necessarily mean that it was indeed successfully put in
+	##          place, because that might happen asynchronously and thus fail
+	##          only later.
+	global add_rule: function(r: Rule) : string;
+
+	## Removes a rule.
+	##
+	## id: The rule to remove, specified as the ID returned by :bro:id:`NetControl::add_rule`.
+	##
+	## Returns: True if succesful, the relevant plugin indicated that it knew
+	##          how to handle the removal. Note that again "success" means the
+	##          plugin accepted the removal. They might still fail to put it
+	##          into effect, as that might happen asynchronously and thus go
+	##          wrong at that point.
+	global remove_rule: function(id: string) : bool;
+
+	## Searches all rules affecting a certain IP address.
+	##
+	## ip: The ip address to search for
+	##
+	## Returns: vector of all rules affecting the IP address
+	global find_rules_addr: function(ip: addr) : vector of Rule;
+
+	## Searches all rules affecting a certain subnet.
+	##
+	## sn: The subnet to search for
+	##
+	## Returns: vector of all rules affecting the subnet
+	global find_rules_subnet: function(sn: subnet) : vector of Rule;
+
+	###### Asynchronous feedback on rules.
+
+	## Confirms that a rule was put in place.
+	##
+	## r: The rule now in place.
+	##
+	## p: The state for the plugin that put it into place.
+	##
+	## msg: An optional informational message by the plugin.
+	global rule_added: event(r: Rule, p: PluginState, msg: string &default="");
+
+	## Reports that a rule was removed due to a remove: function() call.
+	##
+	## r: The rule now removed.
+	##
+	## p: The state for the plugin that had the rule in place and now
+	##    removed it.
+	##
+	## msg: An optional informational message by the plugin.
+	global rule_removed: event(r: Rule, p: PluginState, msg: string &default="");
+
+	## Reports that a rule was removed internally due to a timeout.
+	##
+	## r: The rule now removed.
+	##
+	## i: Additional flow information, if supported by the protocol.
+	##
+	## p: The state for the plugin that had the rule in place and now
+	##    removed it.
+	##
+	## msg: An optional informational message by the plugin.
+	global rule_timeout: event(r: Rule, i: FlowInfo, p: PluginState);
+
+	## Reports an error when operating on a rule.
+	##
+	## r: The rule that encountered an error.
+	##
+	## p: The state for the plugin that reported the error.
+	##
+	## msg: An optional informational message by the plugin.
+	global rule_error: event(r: Rule, p: PluginState, msg: string &default="");
+
+	## Hook that allows the modification of rules passed to add_rule before they
+	## are passed on to the plugins. If one of the hooks uses break, the rule is
+	## ignored and not passed on to any plugin.
+	##
+	## r: The rule to be added
+	global NetControl::rule_policy: hook(r: Rule);
+
+	##### Plugin functions
+
+	## Function called by plugins once they finished their activation. After all
+	## plugins defined in bro_init finished to activate, rules will start to be sent
+	## to the plugins. Rules that scripts try to set before the backends are ready
+	## will be discarded.
+	global plugin_activated: function(p: PluginState);
+
+	## Type of an entry in the NetControl log.
+	type InfoCategory: enum {
+		## A log entry reflecting a framework message.
+		MESSAGE,
+		## A log entry reflecting a framework message.
+		ERROR,
+		## A log entry about about a rule.
+		RULE
+	};
+
+	## State of an  entry in the NetControl log.
+	type InfoState: enum {
+		REQUESTED,
+		SUCCEEDED,
+		FAILED,
+		REMOVED,
+		TIMEOUT,
+	};
+
+	## The record type defining the column fields of the NetControl log.
+	type Info: record {
+		## Time at which the recorded activity occurred.
+		ts: time		&log;
+		## ID of the rule; unique during each Bro run
+		rule_id: string  &log &optional;
+		## Type of the log entry.
+		category: InfoCategory	&log &optional;
+		## The command the log entry is about.
+		cmd: string	&log &optional;
+		## State the log entry reflects.
+		state: InfoState	&log &optional;
+		## String describing an action the entry is about.
+		action: string		&log &optional;
+		## The target type of the action.
+		target: TargetType	&log &optional;
+		## Type of the entity the log entry is about.
+		entity_type: string		&log &optional;
+		## String describing the entity the log entry is about.
+		entity: string		&log &optional;
+		## String describing the optional modification of the entry (e.h. redirect)
+		mod: string		&log &optional;
+		## String with an additional message.
+		msg: string		&log &optional;
+		## Number describing the priority of the log entry
+		priority: int &log &optional;
+		## Expiry time of the log entry
+		expire: interval &log &optional;
+		## Location where the underlying action was triggered.
+		location: string	&log &optional;
+		## Plugin triggering the log entry.
+		plugin: string		&log &optional;
+	};
+
+	## Event that can be handled to access the :bro:type:`NetControl::Info`
+	## record as it is sent on to the logging framework.
+	global log_netcontrol: event(rec: Info);
+}
+
+redef record Rule += {
+	##< Internally set to the plugins handling the rule.
+	_plugin_ids: set[count] &default=count_set();
+	##< Internally set to the plugins on which the rule is currently active.
+	_active_plugin_ids: set[count] &default=count_set();
+	##< Track if the rule was added succesfully by all responsible plugins.
+	_added: bool &default=F;
+};
+
+# Variable tracking the state of plugin activation. Once all plugins that
+# have been added in bro_init are activated, this will switch to T and
+# the event NetControl::init_done will be raised.
+global plugins_active: bool = F;
+
+# Set to true at the end of bro_init (with very low priority).
+# Used to track when plugin activation could potentially be finished
+global bro_init_done: bool = F;
+
+# The counters that are used to generate the rule and plugin IDs
+global rule_counter: count = 1;
+global plugin_counter: count = 1;
+
+# List of the currently active plugins
+global plugins: vector of PluginState;
+global plugin_ids: table[count] of PluginState;
+
+# These tables hold information about rules.
+global rules: table[string] of Rule; # Rules indexed by id and cid
+
+# All rules that apply to a certain subnet/IP address.
+global rules_by_subnets: table[subnet] of set[string];
+
+# Rules pertaining to a specific entity.
+# There always only can be one rule of each type for one entity.
+global rule_entities: table[Entity, RuleType] of Rule;
+
+event bro_init() &priority=5
+	{
+	Log::create_stream(NetControl::LOG, [$columns=Info, $ev=log_netcontrol, $path="netcontrol"]);
+	}
+
+function entity_to_info(info: Info, e: Entity)
+	{
+	info$entity_type = fmt("%s", e$ty);
+
+	switch ( e$ty ) {
+		case ADDRESS:
+			info$entity = fmt("%s", e$ip);
+			break;
+
+		case CONNECTION:
+			info$entity = fmt("%s/%d<->%s/%d",
+					  e$conn$orig_h, e$conn$orig_p,
+					  e$conn$resp_h, e$conn$resp_p);
+			break;
+
+		case FLOW:
+			local ffrom_ip = "*";
+			local ffrom_port = "*";
+			local fto_ip = "*";
+			local fto_port = "*";
+			local ffrom_mac = "*";
+			local fto_mac = "*";
+			if ( e$flow?$src_h )
+				ffrom_ip = cat(e$flow$src_h);
+			if ( e$flow?$src_p )
+				ffrom_port = fmt("%d", e$flow$src_p);
+			if ( e$flow?$dst_h )
+				fto_ip = cat(e$flow$dst_h);
+			if ( e$flow?$dst_p )
+				fto_port = fmt("%d", e$flow$dst_p);
+			info$entity = fmt("%s/%s->%s/%s",
+					  ffrom_ip, ffrom_port,
+					  fto_ip, fto_port);
+			if ( e$flow?$src_m || e$flow?$dst_m )
+				{
+				if ( e$flow?$src_m )
+					ffrom_mac = e$flow$src_m;
+				if ( e$flow?$dst_m )
+					fto_mac = e$flow$dst_m;
+
+				info$entity = fmt("%s (%s->%s)", info$entity, ffrom_mac, fto_mac);
+				}
+			break;
+
+		case MAC:
+			info$entity = e$mac;
+			break;
+
+		default:
+			info$entity = "<unknown entity type>";
+			break;
+		}
+	}
+
+function rule_to_info(info: Info, r: Rule)
+	{
+	info$action = fmt("%s", r$ty);
+	info$target = r$target;
+	info$rule_id = r$id;
+	info$expire = r$expire;
+	info$priority = r$priority;
+
+	if ( r?$location && r$location != "" )
+		info$location = r$location;
+
+	if ( r$ty == REDIRECT )
+		info$mod = fmt("-> %d", r$out_port);
+
+	if ( r$ty == MODIFY )
+		{
+		local mfrom_ip = "_";
+		local mfrom_port = "_";
+		local mto_ip = "_";
+		local mto_port = "_";
+		local mfrom_mac = "_";
+		local mto_mac = "_";
+		if ( r$mod?$src_h )
+			mfrom_ip = cat(r$mod$src_h);
+		if ( r$mod?$src_p )
+			mfrom_port = fmt("%d", r$mod$src_p);
+		if ( r$mod?$dst_h )
+			mto_ip = cat(r$mod$dst_h);
+		if ( r$mod?$dst_p )
+			mto_port = fmt("%d", r$mod$dst_p);
+
+		if ( r$mod?$src_m )
+			mfrom_mac = r$mod$src_m;
+		if ( r$mod?$dst_m )
+			mto_mac = r$mod$dst_m;
+
+		info$mod = fmt("Src: %s/%s (%s) Dst: %s/%s (%s)",
+			mfrom_ip, mfrom_port, mfrom_mac, mto_ip, mto_port, mto_mac);
+
+		if ( r$mod?$redirect_port )
+			info$mod = fmt("%s -> %d", info$mod, r$mod$redirect_port);
+
+		}
+
+	entity_to_info(info, r$entity);
+	}
+
+function log_msg(msg: string, p: PluginState)
+	{
+	Log::write(LOG, [$ts=network_time(), $category=MESSAGE, $msg=msg, $plugin=p$plugin$name(p)]);
+	}
+
+function log_error(msg: string, p: PluginState)
+	{
+	Log::write(LOG, [$ts=network_time(), $category=ERROR, $msg=msg, $plugin=p$plugin$name(p)]);
+	}
+
+function log_msg_no_plugin(msg: string)
+	{
+	Log::write(LOG, [$ts=network_time(), $category=MESSAGE, $msg=msg]);
+	}
+
+function log_rule(r: Rule, cmd: string, state: InfoState, p: PluginState, msg: string &default="")
+	{
+	local info: Info = [$ts=network_time()];
+	info$category = RULE;
+	info$cmd = cmd;
+	info$state = state;
+	info$plugin = p$plugin$name(p);
+	if ( msg != "" )
+		info$msg = msg;
+
+	rule_to_info(info, r);
+
+	Log::write(LOG, info);
+	}
+
+function log_rule_error(r: Rule, msg: string, p: PluginState)
+	{
+	local info: Info = [$ts=network_time(), $category=ERROR, $msg=msg, $plugin=p$plugin$name(p)];
+	rule_to_info(info, r);
+	Log::write(LOG, info);
+	}
+
+function log_rule_no_plugin(r: Rule, state: InfoState, msg: string)
+	{
+	local info: Info  = [$ts=network_time()];
+	info$category = RULE;
+	info$state = state;
+	info$msg = msg;
+
+	rule_to_info(info, r);
+
+	Log::write(LOG, info);
+	}
+
+function whitelist_address(a: addr, t: interval, location: string &default="") : string
+	{
+	local e: Entity = [$ty=ADDRESS, $ip=addr_to_subnet(a)];
+	local r: Rule = [$ty=WHITELIST, $priority=whitelist_priority, $target=FORWARD, $entity=e, $expire=t, $location=location];
+
+	return add_rule(r);
+	}
+
+function whitelist_subnet(s: subnet, t: interval, location: string &default="") : string
+	{
+	local e: Entity = [$ty=ADDRESS, $ip=s];
+	local r: Rule = [$ty=WHITELIST, $priority=whitelist_priority, $target=FORWARD, $entity=e, $expire=t, $location=location];
+
+	return add_rule(r);
+	}
+
+
+function redirect_flow(f: flow_id, out_port: count, t: interval, location: string &default="") : string
+	{
+	local flow = NetControl::Flow(
+		$src_h=addr_to_subnet(f$src_h),
+		$src_p=f$src_p,
+		$dst_h=addr_to_subnet(f$dst_h),
+		$dst_p=f$dst_p
+	);
+	local e: Entity = [$ty=FLOW, $flow=flow];
+	local r: Rule = [$ty=REDIRECT, $target=FORWARD, $entity=e, $expire=t, $location=location, $out_port=out_port];
+
+	return add_rule(r);
+	}
+
+function quarantine_host(infected: addr, dns: addr, quarantine: addr, t: interval, location: string &default="") : vector of string
+	{
+	local orules: vector of string = vector();
+	local edrop: Entity = [$ty=FLOW, $flow=Flow($src_h=addr_to_subnet(infected))];
+	local rdrop: Rule = [$ty=DROP, $target=FORWARD, $entity=edrop, $expire=t, $location=location];
+	orules[|orules|] = add_rule(rdrop);
+
+	local todnse: Entity = [$ty=FLOW, $flow=Flow($src_h=addr_to_subnet(infected), $dst_h=addr_to_subnet(dns), $dst_p=53/udp)];
+	local todnsr = Rule($ty=MODIFY, $target=FORWARD, $entity=todnse, $expire=t, $location=location, $mod=FlowMod($dst_h=quarantine), $priority=+5);
+	orules[|orules|] = add_rule(todnsr);
+
+	local fromdnse: Entity = [$ty=FLOW, $flow=Flow($src_h=addr_to_subnet(dns), $src_p=53/udp, $dst_h=addr_to_subnet(infected))];
+	local fromdnsr = Rule($ty=MODIFY, $target=FORWARD, $entity=fromdnse, $expire=t, $location=location, $mod=FlowMod($src_h=dns), $priority=+5);
+	orules[|orules|] = add_rule(fromdnsr);
+
+	local wle: Entity = [$ty=FLOW, $flow=Flow($src_h=addr_to_subnet(infected), $dst_h=addr_to_subnet(quarantine), $dst_p=80/tcp)];
+	local wlr = Rule($ty=WHITELIST, $target=FORWARD, $entity=wle, $expire=t, $location=location, $priority=+5);
+	orules[|orules|] = add_rule(wlr);
+
+	return orules;
+	}
+
+function check_plugins()
+	{
+	if ( plugins_active )
+		return;
+
+	local all_active = T;
+	for ( i in plugins )
+		{
+		local p = plugins[i];
+		if ( p$_activated == F )
+			all_active = F;
+		}
+
+	if ( all_active )
+		{
+		plugins_active = T;
+
+		# Skip log message if there are no plugins
+		if ( |plugins| > 0 )
+			log_msg_no_plugin("plugin initialization done");
+
+		event NetControl::init_done();
+		}
+	}
+
+function plugin_activated(p: PluginState)
+	{
+	local id = p$_id;
+	if ( id !in plugin_ids )
+		{
+		log_error("unknown plugin activated", p);
+		return;
+		}
+	plugin_ids[id]$_activated = T;
+	log_msg("activation finished", p);
+
+	if ( bro_init_done )
+		check_plugins();
+	}
+
+event bro_init() &priority=-5
+	{
+	event NetControl::init();
+	}
+
+event NetControl::init() &priority=-20
+	{
+	bro_init_done = T;
+
+	check_plugins();
+
+	if ( plugins_active == F )
+		log_msg_no_plugin("waiting for plugins to initialize");
+	}
+
+# Low-level functions that only runs on the manager (or standalone) Bro node.
+
+function activate_impl(p: PluginState, priority: int)
+	{
+	p$_priority = priority;
+	plugins[|plugins|] = p;
+	sort(plugins, function(p1: PluginState, p2: PluginState) : int { return p2$_priority - p1$_priority; });
+
+	plugin_ids[plugin_counter] = p;
+	p$_id = plugin_counter;
+	++plugin_counter;
+
+	# perform one-time initialization
+	if ( p$plugin?$init )
+		{
+		log_msg(fmt("activating plugin with priority %d", priority), p);
+		p$plugin$init(p);
+		}
+	else
+		{
+		# no initialization necessary, mark plugin as active right away
+		plugin_activated(p);
+		}
+
+	}
+
+function add_one_subnet_entry(s: subnet, r: Rule)
+	{
+	if ( ! check_subnet(s, rules_by_subnets) )
+		rules_by_subnets[s] = set(r$id);
+	else
+		add rules_by_subnets[s][r$id];
+	}
+
+function add_subnet_entry(rule: Rule)
+	{
+	local e = rule$entity;
+	if ( e$ty == ADDRESS )
+		{
+		add_one_subnet_entry(e$ip, rule);
+		}
+	else if ( e$ty == CONNECTION )
+		{
+		add_one_subnet_entry(addr_to_subnet(e$conn$orig_h), rule);
+		add_one_subnet_entry(addr_to_subnet(e$conn$resp_h), rule);
+		}
+	else if ( e$ty == FLOW )
+		{
+		if ( e$flow?$src_h )
+			add_one_subnet_entry(e$flow$src_h, rule);
+		if ( e$flow?$dst_h )
+			add_one_subnet_entry(e$flow$dst_h, rule);
+		}
+	}
+
+function remove_one_subnet_entry(s: subnet, r: Rule)
+	{
+	if ( ! check_subnet(s, rules_by_subnets) )
+		return;
+
+	if ( r$id !in rules_by_subnets[s] )
+		return;
+
+	delete rules_by_subnets[s][r$id];
+	if ( |rules_by_subnets[s]| == 0 )
+		delete rules_by_subnets[s];
+	}
+
+function remove_subnet_entry(rule: Rule)
+	{
+	local e = rule$entity;
+	if ( e$ty == ADDRESS )
+		{
+		remove_one_subnet_entry(e$ip, rule);
+		}
+	else if ( e$ty == CONNECTION )
+		{
+		remove_one_subnet_entry(addr_to_subnet(e$conn$orig_h), rule);
+		remove_one_subnet_entry(addr_to_subnet(e$conn$resp_h), rule);
+		}
+	else if ( e$ty == FLOW )
+		{
+		if ( e$flow?$src_h )
+			remove_one_subnet_entry(e$flow$src_h, rule);
+		if ( e$flow?$dst_h )
+			remove_one_subnet_entry(e$flow$dst_h, rule);
+		}
+	}
+
+function find_rules_subnet(sn: subnet) : vector of Rule
+	{
+	local ret: vector of Rule = vector();
+
+	local matches = matching_subnets(sn, rules_by_subnets);
+
+	for ( m in matches )
+		{
+		local sn_entry = matches[m];
+		local rule_ids = rules_by_subnets[sn_entry];
+		for ( rule_id in rules_by_subnets[sn_entry] )
+			{
+			if ( rule_id in rules )
+				ret[|ret|] = rules[rule_id];
+			else
+				Reporter::error("find_rules_subnet - internal data structure error, missing rule");
+			}
+		}
+
+		return ret;
+	}
+
+function find_rules_addr(ip: addr) : vector of Rule
+	{
+	return find_rules_subnet(addr_to_subnet(ip));
+	}
+
+function add_rule_impl(rule: Rule) : string
+	{
+	if ( ! plugins_active )
+		{
+		log_rule_no_plugin(rule, FAILED, "plugins not initialized yet");
+		return "";
+		}
+
+	rule$cid = ++rule_counter; # numeric id that can be used by plugins for their rules.
+
+	if ( ! rule?$id || rule$id == "" )
+		rule$id = cat(rule$cid);
+
+	if ( ! hook NetControl::rule_policy(rule) )
+		return "";
+
+	if ( [rule$entity, rule$ty] in rule_entities )
+		{
+		log_rule_no_plugin(rule, FAILED, "discarded duplicate insertion");
+		return "";
+		}
+
+	local accepted = F;
+	local priority: int = +0;
+
+	for ( i in plugins )
+		{
+		local p = plugins[i];
+
+		if ( p$_activated == F )
+			next;
+
+		# in this case, rule was accepted by earlier plugin and this plugin has a lower
+		# priority. Abort and do not send there...
+		if ( accepted == T && p$_priority != priority )
+			break;
+
+		if ( p$plugin$add_rule(p, rule) )
+			{
+			accepted = T;
+			priority = p$_priority;
+			log_rule(rule, "ADD", REQUESTED, p);
+
+			add rule$_plugin_ids[p$_id];
+			}
+		}
+
+	if ( accepted )
+		{
+		rules[rule$id] = rule;
+		rule_entities[rule$entity, rule$ty] = rule;
+
+		add_subnet_entry(rule);
+
+		return rule$id;
+		}
+
+	log_rule_no_plugin(rule, FAILED, "not supported");
+	return "";
+	}
+
+function remove_rule_plugin(r: Rule, p: PluginState): bool
+	{
+	local success = T;
+
+	if ( ! p$plugin$remove_rule(p, r) )
+		{
+		# still continue and send to other plugins
+		log_rule_error(r, "remove failed", p);
+		success = F;
+		}
+		else
+		{
+		log_rule(r, "REMOVE", REQUESTED, p);
+		}
+
+	return success;
+	}
+
+function remove_rule_impl(id: string) : bool
+	{
+	if ( id !in rules )
+		{
+		Reporter::error(fmt("Rule %s does not exist in NetControl::remove_rule", id));
+		return F;
+		}
+
+	local r = rules[id];
+
+	local success = T;
+	for ( plugin_id in r$_active_plugin_ids )
+		{
+		local p = plugin_ids[plugin_id];
+		success = remove_rule_plugin(r, p);
+		}
+
+	return success;
+	}
+
+function rule_expire_impl(r: Rule, p: PluginState) &priority=-5
+	{
+	# do not emit timeout events on shutdown
+	if ( bro_is_terminating() )
+		return;
+
+	if ( r$id !in rules )
+		# Removed already.
+		return;
+
+	event NetControl::rule_timeout(r, FlowInfo(), p); # timeout implementation will handle the removal
+	}
+
+function rule_added_impl(r: Rule, p: PluginState, msg: string &default="")
+	{
+	if ( r$id !in rules )
+		{
+		log_rule_error(r, "Addition of unknown rule", p);
+		return;
+		}
+
+	# use our version to prevent operating on copies.
+	local rule = rules[r$id];
+	if ( p$_id !in rule$_plugin_ids )
+		{
+		log_rule_error(rule, "Rule added to non-responsible plugin", p);
+		return;
+		}
+
+	log_rule(r, "ADD", SUCCEEDED, p, msg);
+
+	add rule$_active_plugin_ids[p$_id];
+	if ( |rule$_plugin_ids| == |rule$_active_plugin_ids| )
+		{
+		# rule was completely added.
+		rule$_added = T;
+		}
+	}
+
+function rule_cleanup(r: Rule)
+	{
+	if ( |r$_active_plugin_ids| > 0 )
+		return;
+
+	remove_subnet_entry(r);
+
+	delete rule_entities[r$entity, r$ty];
+	delete rules[r$id];
+	}
+
+function rule_removed_impl(r: Rule, p: PluginState, msg: string &default="")
+	{
+	if ( r$id !in rules )
+		{
+		log_rule_error(r, "Removal of non-existing rule", p);
+		return;
+		}
+
+	# use our version to prevent operating on copies.
+	local rule = rules[r$id];
+
+	if ( p$_id !in rule$_plugin_ids )
+		{
+		log_rule_error(r, "Removed from non-assigned plugin", p);
+		return;
+		}
+
+	if ( p$_id in rule$_active_plugin_ids )
+		{
+		delete rule$_active_plugin_ids[p$_id];
+		}
+
+	log_rule(rule, "REMOVE", SUCCEEDED, p, msg);
+	rule_cleanup(rule);
+	}
+
+function rule_timeout_impl(r: Rule, i: FlowInfo, p: PluginState)
+	{
+	if ( r$id !in rules )
+		{
+		log_rule_error(r, "Timeout of non-existing rule", p);
+		return;
+		}
+
+	local rule = rules[r$id];
+
+	local msg = "";
+	if ( i?$packet_count )
+		msg = fmt("Packets: %d", i$packet_count);
+	if ( i?$byte_count )
+		{
+		if ( msg != "" )
+			msg = msg + " ";
+		msg = fmt("%sBytes: %s", msg, i$byte_count);
+		}
+
+	log_rule(rule, "EXPIRE", TIMEOUT, p, msg);
+
+	if ( ! p$plugin$can_expire )
+		{
+		# in this case, we actually have to delete the rule and the timeout
+		# call just originated locally
+		remove_rule_plugin(rule, p);
+		return;
+		}
+
+	if ( p$_id !in rule$_plugin_ids )
+		{
+		log_rule_error(r, "Timeout from non-assigned plugin", p);
+		return;
+		}
+
+	if ( p$_id in rule$_active_plugin_ids )
+		{
+		delete rule$_active_plugin_ids[p$_id];
+		}
+
+	rule_cleanup(rule);
+	}
+
+function rule_error_impl(r: Rule, p: PluginState, msg: string &default="")
+	{
+	if ( r$id !in rules )
+		{
+		log_rule_error(r, "Error of non-existing rule", p);
+		return;
+		}
+
+	local rule = rules[r$id];
+
+	log_rule_error(rule, msg, p);
+
+	# Remove the plugin both from active and all plugins of the rule. If there
+	# are no plugins left afterwards - delete it
+	if ( p$_id !in rule$_plugin_ids )
+		{
+		log_rule_error(r, "Error from non-assigned plugin", p);
+		return;
+		}
+
+	if ( p$_id in rule$_active_plugin_ids )
+		{
+		# error during removal. Let's pretend it worked.
+		delete rule$_plugin_ids[p$_id];
+		delete rule$_active_plugin_ids[p$_id];
+		rule_cleanup(rule);
+		}
+	else
+		{
+		# error during insertion. Meh. If we are the only plugin, remove the rule again.
+		# Otherwhise - keep it, minus us.
+		delete rule$_plugin_ids[p$_id];
+		if ( |rule$_plugin_ids| == 0 )
+			{
+			rule_cleanup(rule);
+			}
+		}
+	}
+
+function clear()
+	{
+	for ( id in rules )
+		remove_rule(id);
+	}
diff --git a/scripts/base/frameworks/netcontrol/non-cluster.bro b/scripts/base/frameworks/netcontrol/non-cluster.bro
new file mode 100644
index 0000000000..4098586be4
--- /dev/null
+++ b/scripts/base/frameworks/netcontrol/non-cluster.bro
@@ -0,0 +1,47 @@
+module NetControl;
+
+@load ./main
+
+function activate(p: PluginState, priority: int)
+	{
+	activate_impl(p, priority);
+	}
+
+function add_rule(r: Rule) : string
+	{
+	return add_rule_impl(r);
+	}
+
+function remove_rule(id: string) : bool
+	{
+	return remove_rule_impl(id);
+	}
+
+event rule_expire(r: Rule, p: PluginState) &priority=-5
+	{
+	rule_expire_impl(r, p);
+	}
+
+event rule_added(r: Rule, p: PluginState, msg: string &default="") &priority=5
+	{
+	rule_added_impl(r, p, msg);
+
+	if ( r?$expire && r$expire > 0secs && ! p$plugin$can_expire )
+		schedule r$expire { rule_expire(r, p) };
+	}
+
+event rule_removed(r: Rule, p: PluginState, msg: string &default="") &priority=-5
+	{
+	rule_removed_impl(r, p, msg);
+	}
+
+event rule_timeout(r: Rule, i: FlowInfo, p: PluginState) &priority=-5
+	{
+	rule_timeout_impl(r, i, p);
+	}
+
+event rule_error(r: Rule, p: PluginState, msg: string &default="") &priority=-5
+	{
+	rule_error_impl(r, p, msg);
+	}
+
diff --git a/scripts/base/frameworks/netcontrol/plugin.bro b/scripts/base/frameworks/netcontrol/plugin.bro
new file mode 100644
index 0000000000..7d0ee13a81
--- /dev/null
+++ b/scripts/base/frameworks/netcontrol/plugin.bro
@@ -0,0 +1,89 @@
+##! Plugin interface  for NetControl backends.
+
+module NetControl;
+
+@load ./types
+
+export {
+	## State for a plugin instance.
+	type PluginState: record {
+		## Table for a plugin to store custom, instance-specfific state. 
+		config: table[string] of string &default=table();
+
+		## Unique plugin identifier -- used for backlookup of plugins from Rules. Set internally.
+		_id: count &optional;
+
+		## Set internally.
+		_priority: int &default=+0;
+
+		## Set internally. Signifies if the plugin has returned that it has activated succesfully
+		_activated: bool &default=F;
+	};
+
+	# Definition of a plugin.
+	#
+	# Generally a plugin needs to implement only what it can support.  By
+	# returning failure, it indicates that it can't support something and the
+	# the framework will then try another plugin, if available; or inform the
+	# that the operation failed. If a function isn't implemented by a plugin,
+	# that's considered an implicit failure to support the operation.
+	#
+	# If plugin accepts a rule operation, it *must* generate one of the reporting
+	# events ``rule_{added,remove,error}`` to signal if it indeed worked out;
+	# this is separate from accepting the operation because often a plugin
+	# will only know later (i.e., asynchrously) if that was an error for
+	# something it thought it could handle.
+	type Plugin: record {
+		# Returns a descriptive name of the plugin instance, suitable for use in logging
+		# messages. Note that this function is not optional.
+		name: function(state: PluginState) : string;
+
+		## If true, plugin can expire rules itself. If false,
+		## framework will manage rule expiration. 
+		can_expire: bool;
+
+		# One-time initialization function called when plugin gets registered, and
+		# before any other methods are called.
+		#
+		# If this function is provided, NetControl assumes that the plugin has to
+		# perform, potentially lengthy, initialization before the plugin will become
+		# active. In this case, the plugin has to call ``NetControl::plugin_activated``,
+		# once initialization finishes.
+		init: function(state: PluginState) &optional;
+
+		# One-time finalization function called when a plugin is shutdown; no further
+		# functions will be called afterwords.
+		done: function(state: PluginState) &optional;
+
+		# Implements the add_rule() operation. If the plugin accepts the rule,
+		# it returns true, false otherwise. The rule will already have its
+		# ``id`` field set, which the plugin may use for identification
+		# purposes.
+		add_rule: function(state: PluginState, r: Rule) : bool &optional;
+
+		# Implements the remove_rule() operation. This will only be called for
+		# rules that the plugins has previously accepted with add_rule(). The
+		# ``id`` field will match that of the add_rule() call.  Generally,
+		# a plugin that accepts an add_rule() should also accept the
+		# remove_rule().
+		remove_rule: function(state: PluginState, r: Rule) : bool &optional;
+
+		# A transaction groups a number of operations. The plugin can add them internally
+		# and postpone putting them into effect until committed. This allows to build a
+		# configuration of multiple rules at once, including replaying a previous state.
+		transaction_begin: function(state: PluginState) &optional;
+		transaction_end: function(state: PluginState) &optional;
+	};
+
+	# Table for a plugin to store instance-specific configuration information.
+	#
+	# Note, it would be nicer to pass the Plugin instance to all the below, instead
+	# of this state table. However Bro's type resolver has trouble with refering to a
+	# record type from inside itself.
+	redef record PluginState += {
+		## The plugin that the state belongs to. (Defined separately
+                ## because of cyclic type dependency.)
+		plugin: Plugin &optional;
+	};
+
+}
diff --git a/scripts/base/frameworks/netcontrol/plugins/__load__.bro b/scripts/base/frameworks/netcontrol/plugins/__load__.bro
new file mode 100644
index 0000000000..255cee5f69
--- /dev/null
+++ b/scripts/base/frameworks/netcontrol/plugins/__load__.bro
@@ -0,0 +1,5 @@
+@load ./debug
+@load ./openflow
+@load ./packetfilter
+@load ./broker
+@load ./acld
diff --git a/scripts/base/frameworks/netcontrol/plugins/acld.bro b/scripts/base/frameworks/netcontrol/plugins/acld.bro
new file mode 100644
index 0000000000..a2f0fa2cc0
--- /dev/null
+++ b/scripts/base/frameworks/netcontrol/plugins/acld.bro
@@ -0,0 +1,297 @@
+##! Acld plugin for the netcontrol framework.
+
+module NetControl;
+
+@load ../main
+@load ../plugin
+@load base/frameworks/broker
+
+@ifdef ( Broker::__enable )
+
+export {
+	type AclRule : record {
+		command: string;
+		cookie: count;
+		arg: string;
+		comment: string &optional;
+	};
+
+	type AcldConfig: record {
+		## The acld topic used to send events to
+		acld_topic: string;
+		## Broker host to connect to
+		acld_host: addr;
+		## Broker port to connect to
+		acld_port: port;
+		## Do we accept rules for the monitor path? Default false
+		monitor: bool &default=F;
+		## Do we accept rules for the forward path? Default true
+		forward: bool &default=T;
+
+		## Predicate that is called on rule insertion or removal.
+		##
+		## p: Current plugin state
+		##
+		## r: The rule to be inserted or removed
+		##
+		## Returns: T if the rule can be handled by the current backend, F otherwhise
+		check_pred: function(p: PluginState, r: Rule): bool &optional;
+	};
+
+	## Instantiates the acld plugin.
+	global create_acld: function(config: AcldConfig) : PluginState;
+
+	redef record PluginState += {
+		acld_config: AcldConfig &optional;
+		## The ID of this acld instance - for the mapping to PluginStates
+		acld_id: count &optional;
+	};
+
+	## Hook that is called after a rule is converted to an acld rule.
+	## The hook may modify the rule before it is sent to acld.
+	## Setting the acld command to F will cause the rule to be rejected
+	## by the plugin
+	##
+	## p: Current plugin state
+	##
+	## r: The rule to be inserted or removed
+	##
+	## ar: The acld rule to be inserted or removed
+	global NetControl::acld_rule_policy: hook(p: PluginState, r: Rule, ar: AclRule);
+
+	## Events that are sent from us to Broker
+	global acld_add_rule: event(id: count, r: Rule, ar: AclRule);
+	global acld_remove_rule: event(id: count, r: Rule, ar: AclRule);
+
+	## Events that are sent from Broker to us
+	global acld_rule_added: event(id: count, r: Rule, msg: string);
+	global acld_rule_removed: event(id: count, r: Rule, msg: string);
+	global acld_rule_error: event(id: count, r: Rule, msg: string);
+}
+
+global netcontrol_acld_peers: table[port, string] of PluginState;
+global netcontrol_acld_topics: set[string] = set();
+global netcontrol_acld_id: table[count] of PluginState = table();
+global netcontrol_acld_current_id: count = 0;
+
+const acld_add_to_remove: table[string] of string = {
+	["drop"] = "restore",
+	["whitelist"] = "remwhitelist",
+	["blockhosthost"] = "restorehosthost",
+	["droptcpport"] = "restoretcpport",
+	["dropudpport"] = "restoreudpport",
+	["droptcpdsthostport"] ="restoretcpdsthostport",
+	["dropudpdsthostport"] ="restoreudpdsthostport",
+	["permittcpdsthostport"] ="unpermittcpdsthostport",
+	["permitudpdsthostport"] ="unpermitudpdsthostport",
+	["nullzero"] ="nonullzero"
+};
+
+event NetControl::acld_rule_added(id: count, r: Rule, msg: string)
+	{
+	if ( id !in netcontrol_acld_id )
+		{
+		Reporter::error(fmt("NetControl acld plugin with id %d not found, aborting", id));
+		return;
+		}
+
+	local p = netcontrol_acld_id[id];
+
+	event NetControl::rule_added(r, p, msg);
+	}
+
+event NetControl::acld_rule_removed(id: count, r: Rule, msg: string)
+	{
+	if ( id !in netcontrol_acld_id )
+		{
+		Reporter::error(fmt("NetControl acld plugin with id %d not found, aborting", id));
+		return;
+		}
+
+	local p = netcontrol_acld_id[id];
+
+	event NetControl::rule_removed(r, p, msg);
+	}
+
+event NetControl::acld_rule_error(id: count, r: Rule, msg: string)
+	{
+	if ( id !in netcontrol_acld_id )
+		{
+		Reporter::error(fmt("NetControl acld plugin with id %d not found, aborting", id));
+		return;
+		}
+
+	local p = netcontrol_acld_id[id];
+
+	event NetControl::rule_error(r, p, msg);
+	}
+
+function acld_name(p: PluginState) : string
+	{
+	return fmt("Acld-%s", p$acld_config$acld_topic);
+	}
+
+# check that subnet specifies an addr
+function check_sn(sn: subnet) : bool
+	{
+	if ( is_v4_subnet(sn) && subnet_width(sn) == 32 )
+		return T;
+	if ( is_v6_subnet(sn) && subnet_width(sn) == 128 )
+		return T;
+
+	Reporter::error(fmt("Acld: rule_to_acl_rule was given a subnet that does not specify a distinct address where needed - %s", sn));
+	return F;
+	}
+
+function rule_to_acl_rule(p: PluginState, r: Rule) : AclRule
+	{
+	local e = r$entity;
+
+	local command: string = "";
+	local arg: string = "";
+
+	if ( e$ty == ADDRESS )
+		{
+		if ( r$ty == DROP )
+			command = "drop";
+		else if ( r$ty == WHITELIST )
+			command = "whitelist";
+		arg = cat(e$ip);
+		}
+	else if ( e$ty == FLOW )
+		{
+		local f = e$flow;
+		if ( ( ! f?$src_h ) && ( ! f?$src_p ) && f?$dst_h && f?$dst_p && ( ! f?$src_m ) && ( ! f?$dst_m ) )
+			{
+			if ( !check_sn(f$dst_h) )
+				command = ""; # invalid addr, do nothing
+			else if ( is_tcp_port(f$dst_p) && r$ty == DROP )
+				command = "droptcpdsthostport";
+			else if ( is_tcp_port(f$dst_p) && r$ty == WHITELIST )
+				command = "permittcpdsthostport";
+			else if ( is_udp_port(f$dst_p) && r$ty == DROP)
+				command = "dropucpdsthostport";
+			else if ( is_udp_port(f$dst_p) && r$ty == WHITELIST)
+				command = "permitucpdsthostport";
+
+			arg = fmt("%s %d", subnet_to_addr(f$dst_h), f$dst_p);
+			}
+		else if ( f?$src_h && ( ! f?$src_p ) && f?$dst_h && ( ! f?$dst_p ) && ( ! f?$src_m ) && ( ! f?$dst_m ) )
+			{
+			if ( !check_sn(f$src_h) || !check_sn(f$dst_h) )
+				command = "";
+			else if ( r$ty == DROP )
+				command = "blockhosthost";
+			arg = fmt("%s %s", subnet_to_addr(f$src_h), subnet_to_addr(f$dst_h));
+			}
+		else if ( ( ! f?$src_h ) && ( ! f?$src_p ) && ( ! f?$dst_h ) && f?$dst_p && ( ! f?$src_m ) && ( ! f?$dst_m ) )
+			{
+			if ( is_tcp_port(f$dst_p) && r$ty == DROP )
+				command = "droptcpport";
+			else if ( is_udp_port(f$dst_p) && r$ty == DROP )
+				command = "dropudpport";
+			arg = fmt("%d", f$dst_p);
+			}
+		}
+
+	local ar = AclRule($command=command, $cookie=r$cid, $arg=arg);
+	if ( r?$location )
+		ar$comment = r$location;
+
+	hook NetControl::acld_rule_policy(p, r, ar);
+
+	return ar;
+	}
+
+function acld_check_rule(p: PluginState, r: Rule) : bool
+	{
+	local c = p$acld_config;
+
+	if ( p$acld_config?$check_pred )
+		return p$acld_config$check_pred(p, r);
+
+	if ( r$target == MONITOR && c$monitor )
+		return T;
+
+	if ( r$target == FORWARD && c$forward )
+		return T;
+
+	return F;
+	}
+
+function acld_add_rule_fun(p: PluginState, r: Rule) : bool
+	{
+	if ( ! acld_check_rule(p, r) )
+		return F;
+
+	local ar = rule_to_acl_rule(p, r);
+
+	if ( ar$command == "" )
+		return F;
+
+	Broker::send_event(p$acld_config$acld_topic, Broker::event_args(acld_add_rule, p$acld_id, r, ar));
+	return T;
+	}
+
+function acld_remove_rule_fun(p: PluginState, r: Rule) : bool
+	{
+	if ( ! acld_check_rule(p, r) )
+		return F;
+
+	local ar = rule_to_acl_rule(p, r);
+	if ( ar$command in acld_add_to_remove )
+		ar$command = acld_add_to_remove[ar$command];
+	else
+		return F;
+
+	Broker::send_event(p$acld_config$acld_topic, Broker::event_args(acld_remove_rule, p$acld_id, r, ar));
+	return T;
+	}
+
+function acld_init(p: PluginState)
+	{
+	Broker::enable();
+	Broker::connect(cat(p$acld_config$acld_host), p$acld_config$acld_port, 1sec);
+	Broker::subscribe_to_events(p$acld_config$acld_topic);
+	}
+
+event Broker::outgoing_connection_established(peer_address: string, peer_port: port, peer_name: string)
+	{
+	if ( [peer_port, peer_address] !in netcontrol_acld_peers )
+		# ok, this one was none of ours...
+		return;
+
+	local p = netcontrol_acld_peers[peer_port, peer_address];
+	plugin_activated(p);
+	}
+
+global acld_plugin = Plugin(
+	$name=acld_name,
+	$can_expire = F,
+	$add_rule = acld_add_rule_fun,
+	$remove_rule = acld_remove_rule_fun,
+	$init = acld_init
+	);
+
+function create_acld(config: AcldConfig) : PluginState
+	{
+	if ( config$acld_topic in netcontrol_acld_topics )
+		Reporter::warning(fmt("Topic %s was added to NetControl acld plugin twice. Possible duplication of commands", config$acld_topic));
+	else
+		add netcontrol_acld_topics[config$acld_topic];
+
+	local host = cat(config$acld_host);
+	local p: PluginState = [$acld_config=config, $plugin=acld_plugin, $acld_id=netcontrol_acld_current_id];
+
+	if ( [config$acld_port, host] in netcontrol_acld_peers )
+		Reporter::warning(fmt("Peer %s:%s was added to NetControl acld plugin twice.", host, config$acld_port));
+	else
+		netcontrol_acld_peers[config$acld_port, host] = p;
+
+	netcontrol_acld_id[netcontrol_acld_current_id] = p;
+	++netcontrol_acld_current_id;
+
+	return p;
+	}
+
+@endif
diff --git a/scripts/base/frameworks/netcontrol/plugins/broker.bro b/scripts/base/frameworks/netcontrol/plugins/broker.bro
new file mode 100644
index 0000000000..0687d70f82
--- /dev/null
+++ b/scripts/base/frameworks/netcontrol/plugins/broker.bro
@@ -0,0 +1,167 @@
+##! Broker plugin for the netcontrol framework. Sends the raw data structures
+##! used in NetControl on to Broker to allow for easy handling, e.g., of
+##! command-line scripts.
+
+module NetControl;
+
+@load ../main
+@load ../plugin
+@load base/frameworks/broker
+
+@ifdef ( Broker::__enable )
+
+export {
+	## Instantiates the broker plugin.
+	global create_broker: function(host: addr, host_port: port, topic: string, can_expire: bool &default=F) : PluginState;
+
+	redef record PluginState += {
+		## The broker topic used to send events to
+		broker_topic: string &optional;
+		## The ID of this broker instance - for the mapping to PluginStates
+		broker_id: count &optional;
+		## Broker host to connect to
+		broker_host: addr &optional;
+		## Broker port to connect to
+		broker_port: port &optional;
+	};
+
+	global broker_add_rule: event(id: count, r: Rule);
+	global broker_remove_rule: event(id: count, r: Rule);
+
+	global broker_rule_added: event(id: count, r: Rule, msg: string);
+	global broker_rule_removed: event(id: count, r: Rule, msg: string);
+	global broker_rule_error: event(id: count, r: Rule, msg: string);
+	global broker_rule_timeout: event(id: count, r: Rule, i: FlowInfo);
+}
+
+global netcontrol_broker_peers: table[port, string] of PluginState;
+global netcontrol_broker_topics: set[string] = set();
+global netcontrol_broker_id: table[count] of PluginState = table();
+global netcontrol_broker_current_id: count = 0;
+
+event NetControl::broker_rule_added(id: count, r: Rule, msg: string)
+	{
+	if ( id !in netcontrol_broker_id )
+		{
+		Reporter::error(fmt("NetControl broker plugin with id %d not found, aborting", id));
+		return;
+		}
+
+	local p = netcontrol_broker_id[id];
+
+	event NetControl::rule_added(r, p, msg);
+	}
+
+event NetControl::broker_rule_removed(id: count, r: Rule, msg: string)
+	{
+	if ( id !in netcontrol_broker_id )
+		{
+		Reporter::error(fmt("NetControl broker plugin with id %d not found, aborting", id));
+		return;
+		}
+
+	local p = netcontrol_broker_id[id];
+
+	event NetControl::rule_removed(r, p, msg);
+	}
+
+event NetControl::broker_rule_error(id: count, r: Rule, msg: string)
+	{
+	if ( id !in netcontrol_broker_id )
+		{
+		Reporter::error(fmt("NetControl broker plugin with id %d not found, aborting", id));
+		return;
+		}
+
+	local p = netcontrol_broker_id[id];
+
+	event NetControl::rule_error(r, p, msg);
+	}
+
+event NetControl::broker_rule_timeout(id: count, r: Rule, i: FlowInfo)
+	{
+	if ( id !in netcontrol_broker_id )
+		{
+		Reporter::error(fmt("NetControl broker plugin with id %d not found, aborting", id));
+		return;
+		}
+
+	local p = netcontrol_broker_id[id];
+
+	event NetControl::rule_timeout(r, i, p);
+	}
+
+function broker_name(p: PluginState) : string
+	{
+	return fmt("Broker-%s", p$broker_topic);
+	}
+
+function broker_add_rule_fun(p: PluginState, r: Rule) : bool
+	{
+	Broker::send_event(p$broker_topic, Broker::event_args(broker_add_rule, p$broker_id, r));
+	return T;
+	}
+
+function broker_remove_rule_fun(p: PluginState, r: Rule) : bool
+	{
+	Broker::send_event(p$broker_topic, Broker::event_args(broker_remove_rule, p$broker_id, r));
+	return T;
+	}
+
+function broker_init(p: PluginState)
+	{
+	Broker::enable();
+	Broker::connect(cat(p$broker_host), p$broker_port, 1sec);
+	Broker::subscribe_to_events(p$broker_topic);
+	}
+
+event Broker::outgoing_connection_established(peer_address: string, peer_port: port, peer_name: string)
+	{
+	if ( [peer_port, peer_address] !in netcontrol_broker_peers )
+		return;
+
+	local p = netcontrol_broker_peers[peer_port, peer_address];
+	plugin_activated(p);
+	}
+
+global broker_plugin = Plugin(
+	$name=broker_name,
+	$can_expire = F,
+	$add_rule = broker_add_rule_fun,
+	$remove_rule = broker_remove_rule_fun,
+	$init = broker_init
+	);
+
+global broker_plugin_can_expire = Plugin(
+	$name=broker_name,
+	$can_expire = T,
+	$add_rule = broker_add_rule_fun,
+	$remove_rule = broker_remove_rule_fun,
+	$init = broker_init
+	);
+
+function create_broker(host: addr, host_port: port, topic: string, can_expire: bool &default=F) : PluginState
+	{
+	if ( topic in netcontrol_broker_topics )
+		Reporter::warning(fmt("Topic %s was added to NetControl broker plugin twice. Possible duplication of commands", topic));
+	else
+		add netcontrol_broker_topics[topic];
+
+	local plugin = broker_plugin;
+	if ( can_expire )
+		plugin = broker_plugin_can_expire;
+
+	local p: PluginState = [$broker_host=host, $broker_port=host_port, $plugin=plugin, $broker_topic=topic, $broker_id=netcontrol_broker_current_id];
+
+	if ( [host_port, cat(host)] in netcontrol_broker_peers )
+		Reporter::warning(fmt("Peer %s:%s was added to NetControl broker plugin twice.", host, host_port));
+	else
+		netcontrol_broker_peers[host_port, cat(host)] = p;
+
+	netcontrol_broker_id[netcontrol_broker_current_id] = p;
+	++netcontrol_broker_current_id;
+
+	return p;
+	}
+
+@endif
diff --git a/scripts/base/frameworks/netcontrol/plugins/debug.bro b/scripts/base/frameworks/netcontrol/plugins/debug.bro
new file mode 100644
index 0000000000..a26a151400
--- /dev/null
+++ b/scripts/base/frameworks/netcontrol/plugins/debug.bro
@@ -0,0 +1,99 @@
+##! Debugging plugin for the NetControl framework, providing insight into
+##! executed operations.
+
+@load ../plugin
+@load ../main
+
+module NetControl;
+
+export {
+	## Instantiates a debug plugin for the NetControl framework. The debug
+	## plugin simply logs the operations it receives.
+	##
+	## do_something: If true, the plugin will claim it supports all operations; if
+	##               false, it will indicate it doesn't support any.
+	global create_debug: function(do_something: bool) : PluginState;
+}
+
+function do_something(p: PluginState) : bool
+	{
+	return p$config["all"] == "1";
+	}
+
+function debug_name(p: PluginState) : string
+	{
+	return fmt("Debug-%s", (do_something(p) ? "All" : "None"));
+	}
+
+function debug_log(p: PluginState, msg: string)
+	{
+	print fmt("netcontrol debug (%s): %s", debug_name(p), msg);
+	}
+
+function debug_init(p: PluginState)
+	{
+	debug_log(p, "init");
+	plugin_activated(p);
+	}
+
+function debug_done(p: PluginState)
+	{
+	debug_log(p, "init");
+	}
+
+function debug_add_rule(p: PluginState, r: Rule) : bool
+	{
+	local s = fmt("add_rule: %s", r);
+	debug_log(p, s);
+
+	if ( do_something(p) ) 
+		{
+		event NetControl::rule_added(r, p);
+		return T;
+		}
+
+	return F;
+	}
+
+function debug_remove_rule(p: PluginState, r: Rule) : bool
+	{
+	local s = fmt("remove_rule: %s", r);
+	debug_log(p, s);
+
+	event NetControl::rule_removed(r, p);
+	return T;
+	}
+
+function debug_transaction_begin(p: PluginState)
+	{
+	debug_log(p, "transaction_begin");
+	}
+
+function debug_transaction_end(p: PluginState)
+	{
+	debug_log(p, "transaction_end");
+	}
+
+global debug_plugin = Plugin(
+	$name=debug_name,
+	$can_expire = F,
+	$init = debug_init,
+	$done = debug_done,
+	$add_rule = debug_add_rule,
+	$remove_rule = debug_remove_rule,
+	$transaction_begin = debug_transaction_begin,
+	$transaction_end = debug_transaction_end
+	);
+
+function create_debug(do_something: bool) : PluginState
+	{
+	local p: PluginState = [$plugin=debug_plugin];
+	
+	# FIXME: Why's the default not working?
+	p$config = table();
+	p$config["all"] = (do_something ? "1" : "0");
+
+	return p;
+	}
+
+
diff --git a/scripts/base/frameworks/netcontrol/plugins/openflow.bro b/scripts/base/frameworks/netcontrol/plugins/openflow.bro
new file mode 100644
index 0000000000..44a8bb2f1a
--- /dev/null
+++ b/scripts/base/frameworks/netcontrol/plugins/openflow.bro
@@ -0,0 +1,432 @@
+##! OpenFlow plugin for the NetControl framework.
+
+@load ../main
+@load ../plugin
+@load base/frameworks/openflow
+
+module NetControl;
+
+export {
+	type OfConfig: record {
+		monitor: bool &default=T;
+		forward: bool &default=T;
+		idle_timeout: count &default=0;
+		table_id: count &optional;
+		priority_offset: int &default=+0; ##< add this to all rule priorities. Can be useful if you want the openflow priorities be offset from the netcontrol priorities without having to write a filter function.
+
+		## Predicate that is called on rule insertion or removal.
+		##
+		## p: Current plugin state
+		##
+		## r: The rule to be inserted or removed
+		##
+		## Returns: T if the rule can be handled by the current backend, F otherwhise
+		check_pred: function(p: PluginState, r: Rule): bool &optional;
+		match_pred: function(p: PluginState, e: Entity, m: vector of OpenFlow::ofp_match): vector of OpenFlow::ofp_match &optional;
+		flow_mod_pred: function(p: PluginState, r: Rule, m: OpenFlow::ofp_flow_mod): OpenFlow::ofp_flow_mod &optional;
+	};
+
+	redef record PluginState += {
+		## OpenFlow controller for NetControl OpenFlow plugin
+		of_controller: OpenFlow::Controller &optional;
+		## OpenFlow configuration record that is passed on initialization
+		of_config: OfConfig &optional;
+	};
+
+	type OfTable: record {
+		p: PluginState;
+		r: Rule;
+		c: count &default=0; # how many replies did we see so far? needed for ids where we have multiple rules...
+		packet_count: count &default=0;
+		byte_count: count &default=0;
+		duration_sec: double &default=0.0;
+	};
+
+	## the time interval after which an openflow message is considered to be timed out
+	## and we delete it from our internal tracking.
+	const openflow_message_timeout = 20secs &redef;
+
+	## the time interval after we consider a flow timed out. This should be fairly high (or
+	## even disabled) if you expect a lot of long flows. However, one also will have state
+	## buildup for quite a while if keeping this around...
+	const openflow_flow_timeout = 24hrs &redef;
+
+	## Instantiates an openflow plugin for the NetControl framework.
+	global create_openflow: function(controller: OpenFlow::Controller, config: OfConfig &default=[]) : PluginState;
+}
+
+global of_messages: table[count, OpenFlow::ofp_flow_mod_command] of OfTable &create_expire=openflow_message_timeout
+	&expire_func=function(t: table[count, OpenFlow::ofp_flow_mod_command] of OfTable, idx: any): interval
+		{
+		local rid: count;
+		local command: OpenFlow::ofp_flow_mod_command;
+		[rid, command] = idx;
+
+		local p = t[rid, command]$p;
+		local r = t[rid, command]$r;
+		event NetControl::rule_error(r, p, "Timeout during rule insertion/removal");
+		return 0secs;
+		};
+
+global of_flows: table[count] of OfTable &create_expire=openflow_flow_timeout;
+global of_instances: table[string] of PluginState;
+
+function openflow_name(p: PluginState) : string
+	{
+	return fmt("Openflow-%s", p$of_controller$describe(p$of_controller$state));
+	}
+
+function openflow_check_rule(p: PluginState, r: Rule) : bool
+	{
+	local c = p$of_config;
+
+	if ( p$of_config?$check_pred )
+		return p$of_config$check_pred(p, r);
+
+	if ( r$target == MONITOR && c$monitor )
+		return T;
+
+	if ( r$target == FORWARD && c$forward )
+		return T;
+
+	return F;
+	}
+
+function openflow_match_pred(p: PluginState, e: Entity, m: vector of OpenFlow::ofp_match) : vector of OpenFlow::ofp_match
+	{
+	if ( p$of_config?$match_pred )
+		return p$of_config$match_pred(p, e, m);
+
+	return m;
+	}
+
+function openflow_flow_mod_pred(p: PluginState, r: Rule, m: OpenFlow::ofp_flow_mod): OpenFlow::ofp_flow_mod
+	{
+	if ( p$of_config?$flow_mod_pred )
+		return p$of_config$flow_mod_pred(p, r, m);
+
+	return m;
+	}
+
+function determine_dl_type(s: subnet): count
+	{
+	local pdl = OpenFlow::ETH_IPv4;
+	if ( is_v6_subnet(s) )
+		pdl = OpenFlow::ETH_IPv6;
+
+	return pdl;
+	}
+
+function determine_proto(p: port): count
+	{
+	local proto = OpenFlow::IP_TCP;
+	if ( is_udp_port(p) )
+		proto = OpenFlow::IP_UDP;
+	else if ( is_icmp_port(p) )
+		proto = OpenFlow::IP_ICMP;
+
+	return proto;
+	}
+
+function entity_to_match(p: PluginState, e: Entity): vector of OpenFlow::ofp_match
+	{
+	local v : vector of OpenFlow::ofp_match = vector();
+
+	if ( e$ty == CONNECTION )
+		{
+		v[|v|] = OpenFlow::match_conn(e$conn); # forward and...
+		v[|v|] = OpenFlow::match_conn(e$conn, T); # reverse
+		return openflow_match_pred(p, e, v);
+		}
+
+	if ( e$ty == MAC )
+		{
+		v[|v|] = OpenFlow::ofp_match(
+			$dl_src=e$mac
+		);
+		v[|v|] = OpenFlow::ofp_match(
+			$dl_dst=e$mac
+		);
+
+		return openflow_match_pred(p, e, v);
+		}
+
+	local dl_type = OpenFlow::ETH_IPv4;
+
+	if ( e$ty == ADDRESS )
+		{
+		if ( is_v6_subnet(e$ip) )
+			dl_type = OpenFlow::ETH_IPv6;
+
+		v[|v|] = OpenFlow::ofp_match(
+			$dl_type=dl_type,
+			$nw_src=e$ip
+		);
+
+		v[|v|] = OpenFlow::ofp_match(
+			$dl_type=dl_type,
+			$nw_dst=e$ip
+		);
+
+		return openflow_match_pred(p, e, v);
+		}
+
+	local proto = OpenFlow::IP_TCP;
+
+	if ( e$ty == FLOW )
+		{
+		local m = OpenFlow::ofp_match();
+		local f = e$flow;
+
+		if ( f?$src_m )
+			m$dl_src=f$src_m;
+		if ( f?$dst_m )
+			m$dl_dst=f$dst_m;
+
+		if ( f?$src_h )
+			{
+			m$dl_type = determine_dl_type(f$src_h);
+			m$nw_src = f$src_h;
+			}
+
+		if ( f?$dst_h )
+			{
+			m$dl_type = determine_dl_type(f$dst_h);
+			m$nw_dst = f$dst_h;
+			}
+
+		if ( f?$src_p )
+			{
+			m$nw_proto = determine_proto(f$src_p);
+			m$tp_src = port_to_count(f$src_p);
+			}
+
+		if ( f?$dst_p )
+			{
+			m$nw_proto = determine_proto(f$dst_p);
+			m$tp_dst = port_to_count(f$dst_p);
+			}
+
+		v[|v|] = m;
+
+		return openflow_match_pred(p, e, v);
+		}
+
+	Reporter::error(fmt("Entity type %s not supported for openflow yet", cat(e$ty)));
+	return openflow_match_pred(p, e, v);
+	}
+
+function openflow_rule_to_flow_mod(p: PluginState, r: Rule) : OpenFlow::ofp_flow_mod
+	{
+	local c = p$of_config;
+
+	local flow_mod = OpenFlow::ofp_flow_mod(
+		$cookie=OpenFlow::generate_cookie(r$cid*2), # leave one space for the cases in which we need two rules.
+		$command=OpenFlow::OFPFC_ADD,
+		$idle_timeout=c$idle_timeout,
+		$priority=int_to_count(r$priority + c$priority_offset),
+		$flags=OpenFlow::OFPFF_SEND_FLOW_REM # please notify us when flows are removed
+	);
+
+	if ( r?$expire )
+		flow_mod$hard_timeout = double_to_count(interval_to_double(r$expire));
+	if ( c?$table_id )
+		flow_mod$table_id = c$table_id;
+
+	if ( r$ty == DROP )
+		{
+		# default, nothing to do. We simply do not add an output port to the rule...
+		}
+	else if ( r$ty == WHITELIST )
+		{
+		# at the moment our interpretation of whitelist is to hand this off to the switches L2/L3 routing.
+		flow_mod$actions$out_ports = vector(OpenFlow::OFPP_NORMAL);
+		}
+	else if ( r$ty == MODIFY )
+		{
+		# if no ports are given, just assume normal pipeline...
+		flow_mod$actions$out_ports = vector(OpenFlow::OFPP_NORMAL);
+
+		local mod = r$mod;
+		if ( mod?$redirect_port )
+			flow_mod$actions$out_ports = vector(mod$redirect_port);
+
+		if ( mod?$src_h )
+			flow_mod$actions$nw_src = mod$src_h;
+		if ( mod?$dst_h )
+			flow_mod$actions$nw_dst = mod$dst_h;
+		if ( mod?$src_m )
+			flow_mod$actions$dl_src = mod$src_m;
+		if ( mod?$dst_m )
+			flow_mod$actions$dl_dst = mod$dst_m;
+		if ( mod?$src_p )
+			flow_mod$actions$tp_src = mod$src_p;
+		if ( mod?$dst_p )
+			flow_mod$actions$tp_dst = mod$dst_p;
+		}
+	else if ( r$ty == REDIRECT )
+		{
+		# redirect to port c
+		flow_mod$actions$out_ports = vector(r$out_port);
+		}
+	else
+		{
+		Reporter::error(fmt("Rule type %s not supported for openflow yet", cat(r$ty)));
+		}
+
+	return openflow_flow_mod_pred(p, r, flow_mod);
+	}
+
+function openflow_add_rule(p: PluginState, r: Rule) : bool
+	{
+	if ( ! openflow_check_rule(p, r) )
+		return F;
+
+	local flow_mod = openflow_rule_to_flow_mod(p, r);
+	local matches = entity_to_match(p, r$entity);
+
+	for ( i in matches )
+		{
+		if ( OpenFlow::flow_mod(p$of_controller, matches[i], flow_mod) )
+			{
+			of_messages[r$cid, flow_mod$command] = OfTable($p=p, $r=r);
+			flow_mod = copy(flow_mod);
+			++flow_mod$cookie;
+			}
+		else
+			event rule_error(r, p, "Error while executing OpenFlow::flow_mod");
+		}
+
+	return T;
+	}
+
+function openflow_remove_rule(p: PluginState, r: Rule) : bool
+	{
+	if ( ! openflow_check_rule(p, r) )
+		return F;
+
+	local flow_mod: OpenFlow::ofp_flow_mod = [
+		$cookie=OpenFlow::generate_cookie(r$cid*2),
+		$command=OpenFlow::OFPFC_DELETE
+	];
+
+	if ( OpenFlow::flow_mod(p$of_controller, [], flow_mod) )
+			of_messages[r$cid, flow_mod$command] = OfTable($p=p, $r=r);
+	else
+			{
+			event rule_error(r, p, "Error while executing OpenFlow::flow_mod");
+			return F;
+			}
+
+	# if this was an address or mac match, we also need to remove the reverse
+	if ( r$entity$ty == ADDRESS || r$entity$ty == MAC )
+		{
+		local flow_mod_2 = copy(flow_mod);
+		++flow_mod_2$cookie;
+		OpenFlow::flow_mod(p$of_controller, [], flow_mod_2);
+		}
+
+	return T;
+	}
+
+event OpenFlow::flow_mod_success(name: string, match: OpenFlow::ofp_match, flow_mod: OpenFlow::ofp_flow_mod, msg: string) &priority=3
+	{
+	local id = OpenFlow::get_cookie_uid(flow_mod$cookie)/2;
+	if ( [id, flow_mod$command] !in of_messages )
+		return;
+
+	local r = of_messages[id,flow_mod$command]$r;
+	local p = of_messages[id,flow_mod$command]$p;
+	local c = of_messages[id,flow_mod$command]$c;
+
+	if ( r$entity$ty == ADDRESS || r$entity$ty == MAC )
+		{
+		++of_messages[id,flow_mod$command]$c;
+		if ( of_messages[id,flow_mod$command]$c < 2 )
+			return; # will do stuff once the second part arrives...
+		}
+
+	delete of_messages[id,flow_mod$command];
+
+	if ( p$of_controller$supports_flow_removed )
+		of_flows[id] = OfTable($p=p, $r=r);
+
+	if ( flow_mod$command == OpenFlow::OFPFC_ADD )
+		event NetControl::rule_added(r, p, msg);
+	else if ( flow_mod$command == OpenFlow::OFPFC_DELETE || flow_mod$command == OpenFlow::OFPFC_DELETE_STRICT )
+		event NetControl::rule_removed(r, p, msg);
+	}
+
+event OpenFlow::flow_mod_failure(name: string, match: OpenFlow::ofp_match, flow_mod: OpenFlow::ofp_flow_mod, msg: string) &priority=3
+	{
+	local id = OpenFlow::get_cookie_uid(flow_mod$cookie)/2;
+	if ( [id, flow_mod$command] !in of_messages )
+		return;
+
+	local r = of_messages[id,flow_mod$command]$r;
+	local p = of_messages[id,flow_mod$command]$p;
+	delete of_messages[id,flow_mod$command];
+
+	event NetControl::rule_error(r, p, msg);
+	}
+
+event OpenFlow::flow_removed(name: string, match: OpenFlow::ofp_match, cookie: count, priority: count, reason: count, duration_sec: count, idle_timeout: count, packet_count: count, byte_count: count)
+	{
+	local id = OpenFlow::get_cookie_uid(cookie)/2;
+	if ( id !in of_flows )
+		return;
+
+	local rec = of_flows[id];
+	local r = rec$r;
+	local p = rec$p;
+
+	if ( r$entity$ty == ADDRESS || r$entity$ty == MAC )
+		{
+		++of_flows[id]$c;
+		if ( of_flows[id]$c < 2 )
+			return; # will do stuff once the second part arrives...
+		else
+			event NetControl::rule_timeout(r, FlowInfo($duration=double_to_interval((rec$duration_sec+duration_sec)/2), $packet_count=packet_count+rec$packet_count, $byte_count=byte_count+rec$byte_count), p);
+
+		return;
+		}
+
+	event NetControl::rule_timeout(r, FlowInfo($duration=double_to_interval(duration_sec+0.0), $packet_count=packet_count, $byte_count=byte_count), p);
+	}
+
+function openflow_init(p: PluginState)
+	{
+	local name = p$of_controller$state$_name;
+	if ( name in of_instances )
+		Reporter::error(fmt("OpenFlow instance %s added to NetControl twice.", name));
+
+	of_instances[name] = p;
+
+	# let's check, if our OpenFlow controller is already active. If not, we have to wait for it to become active.
+	if ( p$of_controller$state$_activated )
+		plugin_activated(p);
+	}
+
+event OpenFlow::controller_activated(name: string, controller: OpenFlow::Controller)
+	{
+	if ( name in of_instances )
+		plugin_activated(of_instances[name]);
+	}
+
+global openflow_plugin = Plugin(
+	$name=openflow_name,
+	$can_expire = T,
+	$init = openflow_init,
+#	$done = openflow_done,
+	$add_rule = openflow_add_rule,
+	$remove_rule = openflow_remove_rule
+#	$transaction_begin = openflow_transaction_begin,
+#	$transaction_end = openflow_transaction_end
+	);
+
+function create_openflow(controller: OpenFlow::Controller, config: OfConfig &default=[]) : PluginState
+	{
+	local p: PluginState = [$plugin=openflow_plugin, $of_controller=controller, $of_config=config];
+
+	return p;
+	}
diff --git a/scripts/base/frameworks/netcontrol/plugins/packetfilter.bro b/scripts/base/frameworks/netcontrol/plugins/packetfilter.bro
new file mode 100644
index 0000000000..437c08eb73
--- /dev/null
+++ b/scripts/base/frameworks/netcontrol/plugins/packetfilter.bro
@@ -0,0 +1,113 @@
+##! NetControl plugin for the process-level PacketFilter that comes with
+##! Bro. Since the PacketFilter in Bro is quite limited in scope
+##! and can only add/remove filters for addresses, this is quite
+##! limited in scope at the moment. 
+
+module NetControl;
+
+@load ../plugin
+
+export {
+	## Instantiates the packetfilter plugin.
+	global create_packetfilter: function() : PluginState;
+}
+
+# Check if we can handle this rule. If it specifies ports or
+# anything Bro cannot handle, simply ignore it for now.
+function packetfilter_check_rule(r: Rule) : bool
+	{
+	if ( r$ty != DROP )
+		return F;
+
+	if ( r$target != MONITOR )
+		return F;
+
+	local e = r$entity;
+	if ( e$ty == ADDRESS )
+		return T;
+
+	if ( e$ty != FLOW ) # everything else requires ports or MAC stuff
+		return F;
+
+	if ( e$flow?$src_p || e$flow?$dst_p || e$flow?$src_m || e$flow?$dst_m )
+		return F;
+
+	return T;
+	}
+
+
+function packetfilter_add_rule(p: PluginState, r: Rule) : bool
+	{
+	if ( ! packetfilter_check_rule(r) )
+		return F;
+
+	local e = r$entity;
+	if ( e$ty == ADDRESS )
+		{
+		install_src_net_filter(e$ip, 0, 1.0);
+		install_dst_net_filter(e$ip, 0, 1.0);
+		return T;
+		}
+
+	if ( e$ty == FLOW )
+		{
+		local f = e$flow;
+		if ( f?$src_h )
+			install_src_net_filter(f$src_h, 0, 1.0);
+		if ( f?$dst_h )
+			install_dst_net_filter(f$dst_h, 0, 1.0);
+
+		return T;
+		}
+
+	return F;
+	}
+
+function packetfilter_remove_rule(p: PluginState, r: Rule) : bool
+	{
+	if ( ! packetfilter_check_rule(r) )
+		return F;
+
+	local e = r$entity;
+	if ( e$ty == ADDRESS )
+		{
+		uninstall_src_net_filter(e$ip);
+		uninstall_dst_net_filter(e$ip);
+		return T;
+		}
+
+	if ( e$ty == FLOW )
+		{
+		local f = e$flow;
+		if ( f?$src_h )
+			uninstall_src_net_filter(f$src_h);
+		if ( f?$dst_h )
+			uninstall_dst_net_filter(f$dst_h);
+
+		return T;
+		}
+
+	return F;
+	}
+
+function packetfilter_name(p: PluginState) : string
+	{
+	return "Packetfilter";
+	}
+
+global packetfilter_plugin = Plugin(
+	$name=packetfilter_name,
+	$can_expire = F,
+#	$init = packetfilter_init,
+#	$done = packetfilter_done,
+	$add_rule = packetfilter_add_rule,
+	$remove_rule = packetfilter_remove_rule
+	);
+
+function create_packetfilter() : PluginState
+	{
+	local p: PluginState = [$plugin=packetfilter_plugin];
+
+	return p;
+	}
+
diff --git a/scripts/base/frameworks/netcontrol/shunt.bro b/scripts/base/frameworks/netcontrol/shunt.bro
new file mode 100644
index 0000000000..e1a5715582
--- /dev/null
+++ b/scripts/base/frameworks/netcontrol/shunt.bro
@@ -0,0 +1,69 @@
+##! Implementation of the shunt functionality for NetControl.
+
+module NetControl;
+
+@load ./main
+
+export {
+	redef enum Log::ID += { SHUNT };
+
+	## Stops forwarding a uni-directional flow's packets to Bro.
+	##
+	## f: The flow to shunt.
+	##
+	## t: How long to leave the shunt in place, with 0 being indefinitly.
+	##
+	## location: An optional string describing where the shunt was triggered.
+	##
+	## Returns: The id of the inserted rule on succes and zero on failure.
+	global shunt_flow: function(f: flow_id, t: interval, location: string &default="") : string;
+
+	type ShuntInfo: record {
+		## Time at which the recorded activity occurred.
+		ts: time &log;
+		## ID of the rule; unique during each Bro run
+		rule_id: string  &log;
+		## Flow ID of the shunted flow
+		f: flow_id &log;
+		## Expiry time of the shunt
+		expire: interval &log;
+		## Location where the underlying action was triggered.
+		location: string &log &optional;
+	};
+
+	## Event that can be handled to access the :bro:type:`NetControl::ShuntInfo`
+	## record as it is sent on to the logging framework.
+	global log_netcontrol_shunt: event(rec: ShuntInfo);
+}
+
+event bro_init() &priority=5
+	{
+	Log::create_stream(NetControl::SHUNT, [$columns=ShuntInfo, $ev=log_netcontrol_shunt, $path="netcontrol_shunt"]);
+	}
+
+function shunt_flow(f: flow_id, t: interval, location: string &default="") : string
+	{
+	local flow = NetControl::Flow(
+		$src_h=addr_to_subnet(f$src_h),
+		$src_p=f$src_p,
+		$dst_h=addr_to_subnet(f$dst_h),
+		$dst_p=f$dst_p
+	);
+	local e: Entity = [$ty=FLOW, $flow=flow];
+	local r: Rule = [$ty=DROP, $target=MONITOR, $entity=e, $expire=t, $location=location];
+
+	local id = add_rule(r);
+
+	# Error should already be logged
+	if ( id == "" )
+		return id;
+
+	local log = ShuntInfo($ts=network_time(), $rule_id=id, $f=f, $expire=t);
+	if ( location != "" )
+		log$location=location;
+
+	Log::write(SHUNT, log);
+
+	return id;
+	}
+
diff --git a/scripts/base/frameworks/netcontrol/types.bro b/scripts/base/frameworks/netcontrol/types.bro
new file mode 100644
index 0000000000..3147420c99
--- /dev/null
+++ b/scripts/base/frameworks/netcontrol/types.bro
@@ -0,0 +1,109 @@
+##! Types used by the NetControl framework.
+
+module NetControl;
+
+export {
+	const default_priority: int = +0 &redef;
+	const whitelist_priority: int = +5 &redef;
+
+	## Type of a :bro:id:`Entity` for defining an action.
+	type EntityType: enum {
+		ADDRESS,	##< Activity involving a specific IP address.
+		CONNECTION,	##< All of a bi-directional connection's activity.
+		FLOW,		##< All of a uni-directional flow's activity. Can contain wildcards.
+		MAC,		##< Activity involving a MAC address.
+	};
+
+	## Type for defining a flow.
+	type Flow: record {
+		src_h: subnet &optional;	##< The source IP address/subnet.
+		src_p: port &optional;	##< The source port number.
+		dst_h: subnet &optional;	##< The destination IP address/subnet.
+		dst_p: port &optional;	##< The desintation port number.
+		src_m: string &optional;	##< The source MAC address.
+		dst_m: string &optional;	##< The destination MAC address.
+	};
+
+	## Type defining the enity an :bro:id:`Rule` is operating on.
+	type Entity: record {
+		ty: EntityType;			##< Type of entity.
+		conn: conn_id &optional;	##< Used with :bro:enum:`NetControl::CONNECTION`.
+		flow: Flow &optional;	##< Used with :bro:enum:`NetControl::FLOW`.
+		ip: subnet &optional;		##< Used with :bro:enum:`NetControl::ADDRESS` to specifiy a CIDR subnet.
+		mac: string &optional;		##< Used with :bro:enum:`NetControl::MAC`.
+	};
+
+	## Target of :bro:id:`Rule` action.
+	type TargetType: enum {
+		FORWARD,	#< Apply rule actively to traffic on forwarding path.
+		MONITOR,	#< Apply rule passively to traffic sent to Bro for monitoring.
+	};
+
+	## Type of rules that the framework supports. Each type lists the
+	## :bro:id:`Rule` argument(s) it uses, if any.
+	##
+	## Plugins may extend this type to define their own.
+	type RuleType: enum {
+		## Stop forwarding all packets matching entity.
+		##
+		## No arguments.
+		DROP,
+
+		## Begin modifying all packets matching entity.
+		##
+		## .. todo::
+		##	Define arguments.
+		MODIFY,
+
+		## Begin redirecting all packets matching entity.
+		##
+		## .. todo::
+		##	c: output port to redirect traffic to.
+		REDIRECT,
+
+		## Whitelists all packets of an entity, meaning no restrictions will be applied.
+		## While whitelisting is the default if no rule matches an this can type can be
+		## used to override lower-priority rules that would otherwise take effect for the
+		## entity.
+		WHITELIST,
+	};
+
+	## Type for defining a flow modification action.
+	type FlowMod: record {
+		src_h: addr &optional;	##< The source IP address.
+		src_p: count &optional;	##< The source port number.
+		dst_h: addr &optional;	##< The destination IP address.
+		dst_p: count &optional;	##< The desintation port number.
+		src_m: string &optional;	##< The source MAC address.
+		dst_m: string &optional;	##< The destination MAC address.
+		redirect_port: count &optional;
+	};
+
+	## A rule for the framework to put in place. Of all rules currently in
+	## place, the first match will be taken, sorted by priority. All
+	## further rules will be ignored.
+	type Rule: record {
+		ty: RuleType;			##< Type of rule.
+		target: TargetType;		##< Where to apply rule.
+		entity: Entity;			##< Entity to apply rule to.
+		expire: interval &optional;	##< Timeout after which to expire the rule.
+		priority: int &default=default_priority;	##< Priority if multiple rules match an entity (larger value is higher priority).
+		location: string &optional;	##< Optional string describing where/what installed the rule.
+
+		out_port: count &optional;		##< Argument for :bro:enum:`NetControl::REDIRECT` rules.
+		mod: FlowMod &optional; ##< Argument for :bro:enum:`NetControl::MODIFY` rules.
+
+		id: string &default="";		##< Internally determined unique ID for this rule. Will be set when added.
+		cid: count &default=0;		##< Internally determined unique numeric ID for this rule. Set when added.
+	};
+
+	## Information of a flow that can be provided by switches when the flow times out.
+	## Currently this is heavily influenced by the data that OpenFlow returns by default.
+	## That being said - their design makes sense and this is probably the data one
+	## can expect to be available.
+	type FlowInfo: record {
+		duration: interval &optional; ##< total duration of the rule
+		packet_count: count &optional; ##< number of packets exchanged over connections matched by the rule
+		byte_count: count &optional; ##< total bytes exchanged over connections matched by the rule
+	};
+}
diff --git a/scripts/base/frameworks/notice/main.bro b/scripts/base/frameworks/notice/main.bro
index 2418b499e5..a203f6a772 100644
--- a/scripts/base/frameworks/notice/main.bro
+++ b/scripts/base/frameworks/notice/main.bro
@@ -44,6 +44,7 @@ export {
 		ACTION_ALARM,
 	};
 
+	## Type that represents a set of actions.
 	type ActionSet: set[Notice::Action];
 
 	## The notice framework is able to do automatic notice suppression by
@@ -52,6 +53,7 @@ export {
 	## suppression.
 	const default_suppression_interval = 1hrs &redef;
 
+	## The record type that is used for representing and logging notices.
 	type Info: record {
 		## An absolute time indicating when the notice occurred,
 		## defaults to the current network time.
diff --git a/scripts/base/frameworks/openflow/__load__.bro b/scripts/base/frameworks/openflow/__load__.bro
new file mode 100644
index 0000000000..bd9128b5aa
--- /dev/null
+++ b/scripts/base/frameworks/openflow/__load__.bro
@@ -0,0 +1,13 @@
+@load ./consts
+@load ./types
+@load ./main
+@load ./plugins
+
+# The cluster framework must be loaded first.
+@load base/frameworks/cluster
+
+@if ( Cluster::is_enabled() )
+@load ./cluster
+@else
+@load ./non-cluster
+@endif
diff --git a/scripts/base/frameworks/openflow/cluster.bro b/scripts/base/frameworks/openflow/cluster.bro
new file mode 100644
index 0000000000..28de1db3c3
--- /dev/null
+++ b/scripts/base/frameworks/openflow/cluster.bro
@@ -0,0 +1,120 @@
+##! Cluster support for the OpenFlow framework.
+
+@load ./main
+@load base/frameworks/cluster
+
+module OpenFlow;
+
+export {
+	## This is the event used to transport flow_mod messages to the manager.
+	global cluster_flow_mod: event(name: string, match: ofp_match, flow_mod: ofp_flow_mod);
+
+	## This is the event used to transport flow_clear messages to the manager.
+	global cluster_flow_clear: event(name: string);
+}
+
+## Workers need ability to forward commands to manager.
+redef Cluster::worker2manager_events += /OpenFlow::cluster_flow_(mod|clear)/;
+
+# the flow_mod function wrapper
+function flow_mod(controller: Controller, match: ofp_match, flow_mod: ofp_flow_mod): bool
+	{
+	if ( ! controller?$flow_mod )
+		return F;
+
+	if ( Cluster::local_node_type() == Cluster::MANAGER )
+		return controller$flow_mod(controller$state, match, flow_mod);
+	else
+		event OpenFlow::cluster_flow_mod(controller$state$_name, match, flow_mod);
+
+	return T;
+	}
+
+function flow_clear(controller: Controller): bool
+	{
+	if ( ! controller?$flow_clear )
+		return F;
+
+	if ( Cluster::local_node_type() == Cluster::MANAGER )
+		return controller$flow_clear(controller$state);
+	else
+		event OpenFlow::cluster_flow_clear(controller$state$_name);
+
+	return T;
+	}
+
+@if ( Cluster::local_node_type() == Cluster::MANAGER )
+event OpenFlow::cluster_flow_mod(name: string, match: ofp_match, flow_mod: ofp_flow_mod)
+	{
+	if ( name !in name_to_controller )
+		{
+		Reporter::error(fmt("OpenFlow controller %s not found in mapping on master", name));
+		return;
+		}
+
+	local c = name_to_controller[name];
+
+	if ( ! c$state$_activated )
+		return;
+
+	if ( c?$flow_mod )
+		c$flow_mod(c$state, match, flow_mod);
+	}
+
+event OpenFlow::cluster_flow_clear(name: string)
+	{
+	if ( name !in name_to_controller )
+		{
+		Reporter::error(fmt("OpenFlow controller %s not found in mapping on master", name));
+		return;
+		}
+
+	local c = name_to_controller[name];
+
+	if ( ! c$state$_activated )
+		return;
+
+	if ( c?$flow_clear )
+		c$flow_clear(c$state);
+	}
+@endif
+
+function register_controller(tpe: OpenFlow::Plugin, name: string, controller: Controller)
+	{
+	controller$state$_name = cat(tpe, name);
+	controller$state$_plugin = tpe;
+
+	# we only run the init functions on the manager.
+	if ( Cluster::local_node_type() != Cluster::MANAGER )
+		return;
+
+	register_controller_impl(tpe, name, controller);
+	}
+
+function unregister_controller(controller: Controller)
+	{
+	# we only run the on the manager.
+	if ( Cluster::local_node_type() != Cluster::MANAGER )
+		return;
+
+	unregister_controller_impl(controller);
+	}
+
+function lookup_controller(name: string): vector of Controller
+	{
+	# we only run the on the manager. Otherwhise we don't have a mapping or state -> return empty
+	if ( Cluster::local_node_type() != Cluster::MANAGER )
+		return vector();
+
+	# I am not quite sure if we can actually get away with this - in the 
+	# current state, this means that the individual nodes cannot lookup
+	# a controller by name.
+	#
+	# This means that there can be no reactions to things on the actual
+	# worker nodes - because they cannot look up a name. On the other hand - 
+	# currently we also do not even send the events to the worker nodes (at least
+	# not if we are using broker). Because of that I am not really feeling that
+	# badly about it...
+
+	return lookup_controller_impl(name);
+	}
diff --git a/scripts/base/frameworks/openflow/consts.bro b/scripts/base/frameworks/openflow/consts.bro
new file mode 100644
index 0000000000..ca956702a7
--- /dev/null
+++ b/scripts/base/frameworks/openflow/consts.bro
@@ -0,0 +1,229 @@
+##! Constants used by the OpenFlow framework.
+
+# All types/constants not specific to OpenFlow will be defined here
+# unitl they somehow get into Bro.
+
+module OpenFlow;
+
+# Some cookie specific constants.
+# first 24 bits
+const COOKIE_BID_SIZE = 16777216;
+# start at bit 40 (1 << 40)
+const COOKIE_BID_START = 1099511627776;
+# bro specific cookie ID shall have the 42 bit set (1 << 42)
+const BRO_COOKIE_ID = 4;
+# 8 bits group identifier
+const COOKIE_GID_SIZE = 256;
+# start at bit 32 (1 << 32)
+const COOKIE_GID_START = 4294967296;
+# 32 bits unique identifier
+const COOKIE_UID_SIZE = 4294967296;
+# start at bit 0 (1 << 0)
+const COOKIE_UID_START = 0;
+
+export {
+	# All ethertypes can be found at
+	# http://standards.ieee.org/develop/regauth/ethertype/eth.txt
+	# but are not interesting for us at this point
+#type ethertype: enum {
+	# Internet protocol version 4
+	const ETH_IPv4 = 0x0800;
+	# Address resolution protocol
+	const ETH_ARP = 0x0806;
+	# Wake on LAN
+	const ETH_WOL = 0x0842;
+	# Reverse address resolution protocol
+	const ETH_RARP = 0x8035;
+	# Appletalk
+	const ETH_APPLETALK = 0x809B;
+	# Appletalk address resolution protocol
+	const ETH_APPLETALK_ARP = 0x80F3;
+	# IEEE 802.1q & IEEE 802.1aq
+	const ETH_VLAN = 0x8100;
+	# Novell IPX old
+	const ETH_IPX_OLD = 0x8137;
+	# Novell IPX
+	const ETH_IPX = 0x8138;
+	# Internet protocol version 6
+	const ETH_IPv6 = 0x86DD;
+	# IEEE 802.3x
+	const ETH_ETHER_FLOW_CONTROL = 0x8808;
+	# Multiprotocol Label Switching unicast
+	const ETH_MPLS_UNICAST = 0x8847;
+	# Multiprotocol Label Switching multicast
+	const ETH_MPLS_MULTICAST = 0x8848;
+	# Point-to-point protocol over Ethernet discovery phase (rfc2516)
+	const ETH_PPPOE_DISCOVERY = 0x8863;
+	# Point-to-point protocol over Ethernet session phase (rfc2516)
+	const ETH_PPPOE_SESSION = 0x8864;
+	# Jumbo frames
+	const ETH_JUMBO_FRAMES = 0x8870;
+	# IEEE 802.1X
+	const ETH_EAP_OVER_LAN = 0x888E;
+	# IEEE 802.1ad & IEEE 802.1aq
+	const ETH_PROVIDER_BRIDING = 0x88A8;
+	# IEEE 802.1ae
+	const ETH_MAC_SECURITY = 0x88E5;
+	# IEEE 802.1ad (QinQ)
+	const ETH_QINQ = 0x9100;
+#};
+
+	# A list of ip protocol numbers can be found at
+	# http://en.wikipedia.org/wiki/List_of_IP_protocol_numbers
+#type iptype: enum {
+	# IPv6 Hop-by-Hop Option (RFC2460)
+	const IP_HOPOPT = 0x00;
+	# Internet Control Message Protocol (RFC792)
+	const IP_ICMP = 0x01;
+	# Internet Group Management Protocol (RFC1112)
+	const IP_IGMP = 0x02;
+	# Gateway-to-Gateway Protocol (RFC823)
+	const IP_GGP = 0x03;
+	# IP-Within-IP (encapsulation) (RFC2003)
+	const IP_IPIP = 0x04;
+	# Internet Stream Protocol (RFC1190;RFC1819)
+	const IP_ST = 0x05;
+	# Tansmission Control Protocol (RFC793)
+	const IP_TCP = 0x06;
+	# Core-based trees (RFC2189)
+	const IP_CBT = 0x07;
+	# Exterior Gateway Protocol (RFC888)
+	const IP_EGP = 0x08;
+	# Interior Gateway Protocol (any private interior
+	# gateway (used by Cisco for their IGRP))
+	const IP_IGP = 0x09;
+	# User Datagram Protocol (RFC768)
+	const IP_UDP = 0x11;
+	# Reliable Datagram Protocol (RFC908)
+	const IP_RDP = 0x1B;
+	# IPv6 Encapsulation (RFC2473)
+	const IP_IPv6 = 0x29;
+	# Resource Reservation Protocol (RFC2205)
+	const IP_RSVP = 0x2E;
+	# Generic Routing Encapsulation (RFC2784;RFC2890)
+	const IP_GRE = 0x2F;
+	# Open Shortest Path First (RFC1583)
+	const IP_OSPF = 0x59;
+	# Multicast Transport Protocol
+	const IP_MTP = 0x5C;
+	# IP-within-IP Encapsulation Protocol (RFC2003)
+	### error 0x5E;
+	# Ethernet-within-IP Encapsulation Protocol (RFC3378)
+	const IP_ETHERIP = 0x61;
+	# Layer Two Tunneling Protocol Version 3 (RFC3931)
+	const IP_L2TP = 0x73;
+	# Intermediate System to Intermediate System (IS-IS) Protocol over IPv4 (RFC1142;RFC1195)
+	const IP_ISIS = 0x7C;
+	# Fibre Channel
+	const IP_FC = 0x85;
+	# Multiprotocol Label Switching Encapsulated in IP (RFC4023)
+	const IP_MPLS = 0x89;
+#};
+
+	## Return value for a cookie from a flow
+	## which is not added, modified or deleted
+	## from the bro openflow framework
+	const INVALID_COOKIE = 0xffffffffffffffff;
+	# Openflow pysical port definitions
+	## Send the packet out the input port. This
+	## virual port must be explicitly used in
+	## order to send back out of the input port.
+	const OFPP_IN_PORT = 0xfffffff8;
+	## Perform actions in flow table.
+	## NB: This can only be the destination port
+	## for packet-out messages.
+	const OFPP_TABLE = 0xfffffff9;
+	## Process with normal L2/L3 switching.
+	const OFPP_NORMAL = 0xfffffffa;
+	## All pysical ports except input port and
+	## those disabled by STP.
+	const OFPP_FLOOD = 0xfffffffb;
+	## All pysical ports except input port.
+	const OFPP_ALL = 0xfffffffc;
+	## Send to controller.
+	const OFPP_CONTROLLER = 0xfffffffd;
+	## Local openflow "port".
+	const OFPP_LOCAL = 0xfffffffe;
+	## Wildcard port used only for flow mod (delete) and flow stats requests.
+	const OFPP_ANY = 0xffffffff;
+	# Openflow no buffer constant.
+	const OFP_NO_BUFFER = 0xffffffff;
+	## Send flow removed message when flow
+	## expires or is deleted.
+	const OFPFF_SEND_FLOW_REM = 0x1;
+	## Check for overlapping entries first.
+	const OFPFF_CHECK_OVERLAP = 0x2;
+	## Remark this is for emergency.
+	## Flows added with this are only used
+	## when the controller is disconnected.
+	const OFPFF_EMERG = 0x4;
+
+	# Wildcard table used for table config,
+	# flow stats and flow deletes.
+	const OFPTT_ALL = 0xff;
+
+	## Openflow action_type definitions
+	##
+	## The openflow action type defines
+	## what actions openflow can take
+	## to modify a packet
+	type ofp_action_type: enum {
+		## Output to switch port.
+		OFPAT_OUTPUT = 0x0000,
+		## Set the 802.1q VLAN id.
+		OFPAT_SET_VLAN_VID = 0x0001,
+		## Set the 802.1q priority.
+		OFPAT_SET_VLAN_PCP = 0x0002,
+		## Strip the 802.1q header.
+		OFPAT_STRIP_VLAN = 0x0003,
+		## Ethernet source address.
+		OFPAT_SET_DL_SRC = 0x0004,
+		## Ethernet destination address.
+		OFPAT_SET_DL_DST = 0x0005,
+		## IP source address
+		OFPAT_SET_NW_SRC = 0x0006,
+		## IP destination address.
+		OFPAT_SET_NW_DST = 0x0007,
+		## IP ToS (DSCP field, 6 bits).
+		OFPAT_SET_NW_TOS = 0x0008,
+		## TCP/UDP source port.
+		OFPAT_SET_TP_SRC = 0x0009,
+		## TCP/UDP destination port.
+		OFPAT_SET_TP_DST = 0x000a,
+		## Output to queue.
+		OFPAT_ENQUEUE = 0x000b,
+		## Vendor specific
+		OFPAT_VENDOR = 0xffff,
+	};
+
+	## Openflow flow_mod_command definitions
+	##
+	## The openflow flow_mod_command describes
+	## of what kind an action is.
+	type ofp_flow_mod_command: enum {
+		## New flow.
+		OFPFC_ADD = 0x0,
+		## Modify all matching flows.
+		OFPFC_MODIFY = 0x1,
+		## Modify entry strictly matching wildcards.
+		OFPFC_MODIFY_STRICT = 0x2,
+		## Delete all matching flows.
+		OFPFC_DELETE = 0x3,
+		## Strictly matching wildcards and priority.
+		OFPFC_DELETE_STRICT = 0x4,
+	};
+
+	## Openflow config flag definitions
+	##
+	## TODO: describe
+	type ofp_config_flags: enum {
+		## No special handling for fragments.
+		OFPC_FRAG_NORMAL = 0,
+		## Drop fragments.
+		OFPC_FRAG_DROP = 1,
+		## Reassemble (only if OFPC_IP_REASM set).
+		OFPC_FRAG_REASM = 2,
+		OFPC_FRAG_MASK = 3,
+	};
+
+}
diff --git a/scripts/base/frameworks/openflow/main.bro b/scripts/base/frameworks/openflow/main.bro
new file mode 100644
index 0000000000..889929c641
--- /dev/null
+++ b/scripts/base/frameworks/openflow/main.bro
@@ -0,0 +1,289 @@
+##! Bro's OpenFlow control framework
+##!
+##! This plugin-based framework allows to control OpenFlow capable
+##! switches by implementing communication to an OpenFlow controller
+##! via plugins. The framework has to be instantiated via the new function
+##! in one of the plugins. This framework only offers very low-level
+##! functionality; if you want to use OpenFlow capable switches, e.g.,
+##! for shunting, please look at the PACF framework, which provides higher
+##! level functions and can use the OpenFlow framework as a backend.
+
+module OpenFlow;
+
+@load ./consts
+@load ./types
+
+export {
+	## Global flow_mod function.
+	##
+	## controller: The controller which should execute the flow modification
+	##
+	## match: The ofp_match record which describes the flow to match.
+	##
+	## flow_mod: The openflow flow_mod record which describes the action to take.
+	##
+	## Returns: F on error or if the plugin does not support the operation, T when the operation was queued.
+	global flow_mod: function(controller: Controller, match: ofp_match, flow_mod: ofp_flow_mod): bool;
+
+	## Clear the current flow table of the controller.
+	##
+	## controller: The controller which should execute the flow modification
+	##
+	## Returns: F on error or if the plugin does not support the operation, T when the operation was queued.
+	global flow_clear: function(controller: Controller): bool;
+
+	## Event confirming successful modification of a flow rule.
+	##
+	## name: The unique name of the OpenFlow controller from which this event originated.
+	##
+	## match: The ofp_match record which describes the flow to match.
+	##
+	## flow_mod: The openflow flow_mod record which describes the action to take.
+	##
+	## msg: An optional informational message by the plugin.
+	global flow_mod_success: event(name: string, match: ofp_match, flow_mod: ofp_flow_mod, msg: string &default="");
+
+	## Reports an error while installing a flow Rule.
+	##
+	## name: The unique name of the OpenFlow controller from which this event originated.
+	##
+	## match: The ofp_match record which describes the flow to match.
+	##
+	## flow_mod: The openflow flow_mod record which describes the action to take.
+	##
+	## msg: Message to describe the event.
+	global flow_mod_failure: event(name: string, match: ofp_match, flow_mod: ofp_flow_mod, msg: string &default="");
+
+	## Reports that a flow was removed by the switch because of either the hard or the idle timeout.
+	## This message is only generated by controllers that indicate that they support flow removal
+	## in supports_flow_removed.
+	##
+	## name: The unique name of the OpenFlow controller from which this event originated.
+	##
+	## match: The ofp_match record which was used to create the flow.
+	##
+	## cookie: The cookie that was specified when creating the flow.
+	##
+	## priority: The priority that was specified when creating the flow.
+	##
+	## reason: The reason for flow removal (OFPRR_*)
+	##
+	## duration_sec: duration of the flow in seconds
+	##
+	## packet_count: packet count of the flow
+	##
+	## byte_count: byte count of the flow
+	global flow_removed: event(name: string, match: ofp_match, cookie: count, priority: count, reason: count, duration_sec: count, idle_timeout: count, packet_count: count, byte_count: count);
+
+	## Convert a conn_id record into an ofp_match record that can be used to
+	## create match objects for OpenFlow.
+	##
+	## id: the conn_id record that describes the record.
+	##
+	## reverse: reverse the sources and destinations when creating the match record (default F)
+	##
+	## Returns: ofp_match object for the conn_id record.
+	global match_conn: function(id: conn_id, reverse: bool &default=F): ofp_match;
+
+	# ###
+	# ### Low-level functions for cookie handling and plugin registration.
+	# ###
+
+	## Function to get the unique id out of a given cookie.
+	##
+	## cookie: The openflow match cookie.
+	##
+	## Returns: The cookie unique id.
+	global get_cookie_uid: function(cookie: count): count;
+
+	## Function to get the group id out of a given cookie.
+	##
+	## cookie: The openflow match cookie.
+	##
+	## Returns: The cookie group id.
+	global get_cookie_gid: function(cookie: count): count;
+
+	## Function to generate a new cookie using our group id.
+	##
+	## cookie: The openflow match cookie.
+	##
+	## Returns: The cookie group id.
+	global generate_cookie: function(cookie: count &default=0): count;
+
+	## Function to register a controller instance. This function
+	## is called automatically by the plugin _new functions.
+	##
+	## tpe: type of this plugin
+	##
+	## name: unique name of this controller instance.
+	##
+	## controller: The controller to register
+	global register_controller: function(tpe: OpenFlow::Plugin, name: string, controller: Controller);
+
+	## Function to unregister a controller instance. This function
+	## should be called when a specific controller should no longer
+	## be used.
+	##
+	## controller: The controller to unregister
+	global unregister_controller: function(controller: Controller);
+
+	## Function to signal that a controller finished activation and is
+	## ready to use. Will throw the ``OpenFlow::controller_activated``
+	## event.
+	global controller_init_done: function(controller: Controller);
+
+	## Event that is raised once a controller finishes initialization
+	## and is completely activated.
+	## name: unique name of this controller instance.
+	##
+	## controller: The controller that finished activation.
+	global OpenFlow::controller_activated: event(name: string, controller: Controller);
+
+	## Function to lookup a controller instance by name
+	##
+	## name: unique name of the controller to look up
+	##
+	## Returns: one element vector with controller, if found. Empty vector otherwhise.
+	global lookup_controller: function(name: string): vector of Controller;
+}
+
+global name_to_controller: table[string] of Controller;
+
+
+function match_conn(id: conn_id, reverse: bool &default=F): ofp_match
+	{
+	local dl_type = ETH_IPv4;
+	local proto = IP_TCP;
+
+	local orig_h: addr;
+	local orig_p: port;
+	local resp_h: addr;
+	local resp_p: port;
+
+	if ( reverse == F )
+		{
+		orig_h = id$orig_h;
+		orig_p = id$orig_p;
+		resp_h = id$resp_h;
+		resp_p = id$resp_p;
+		}
+	else
+		{
+		orig_h = id$resp_h;
+		orig_p = id$resp_p;
+		resp_h = id$orig_h;
+		resp_p = id$orig_p;
+		}
+
+		if ( is_v6_addr(orig_h) )
+			dl_type = ETH_IPv6;
+
+		if ( is_udp_port(orig_p) )
+			proto = IP_UDP;
+		else if ( is_icmp_port(orig_p) )
+			proto = IP_ICMP;
+
+		return ofp_match(
+			$dl_type=dl_type,
+			$nw_proto=proto,
+			$nw_src=addr_to_subnet(orig_h),
+			$tp_src=port_to_count(orig_p),
+			$nw_dst=addr_to_subnet(resp_h),
+			$tp_dst=port_to_count(resp_p)
+		);
+	}
+
+# local function to forge a flow_mod cookie for this framework.
+# all flow entries from the openflow framework should have the
+# 42 bit of the cookie set.
+function generate_cookie(cookie: count &default=0): count
+	{
+	local c = BRO_COOKIE_ID * COOKIE_BID_START;
+
+	if ( cookie >= COOKIE_UID_SIZE )
+		Reporter::warning(fmt("The given cookie uid '%d' is > 32bit and will be discarded", cookie));
+	else
+		c += cookie;
+
+	return c;
+	}
+
+# local function to check if a given flow_mod cookie is forged from this framework.
+function is_valid_cookie(cookie: count): bool
+	{
+	if ( cookie / COOKIE_BID_START == BRO_COOKIE_ID )
+		return T;
+
+	Reporter::warning(fmt("The given Openflow cookie '%d' is not valid", cookie));
+
+	return F;
+	}
+
+function get_cookie_uid(cookie: count): count
+	{
+	if( is_valid_cookie(cookie) )
+		return (cookie - ((cookie / COOKIE_GID_START) * COOKIE_GID_START));
+
+	return INVALID_COOKIE;
+	}
+
+function get_cookie_gid(cookie: count): count
+	{
+	if( is_valid_cookie(cookie) )
+		return (
+			(cookie	- (COOKIE_BID_START * BRO_COOKIE_ID) -
+			(cookie - ((cookie / COOKIE_GID_START) * COOKIE_GID_START))) /
+			COOKIE_GID_START
+		);
+
+	return INVALID_COOKIE;
+	}
+
+function controller_init_done(controller: Controller)
+	{
+	if ( controller$state$_name !in name_to_controller )
+		{
+		Reporter::error(fmt("Openflow initialized unknown plugin %s successfully?", controller$state$_name));
+		return;
+		}
+
+	controller$state$_activated = T;
+	event OpenFlow::controller_activated(controller$state$_name, controller);
+	}
+
+# Functions that are called from cluster.bro and non-cluster.bro
+
+function register_controller_impl(tpe: OpenFlow::Plugin, name: string, controller: Controller)
+	{
+	if ( controller$state$_name in name_to_controller )
+		{
+		Reporter::error(fmt("OpenFlow Controller %s was already registered. Ignored duplicate registration", controller$state$_name));
+		return;
+		}
+
+	name_to_controller[controller$state$_name] = controller;
+
+	if ( controller?$init )
+		controller$init(controller$state);
+	else
+		controller_init_done(controller);
+	}
+
+function unregister_controller_impl(controller: Controller)
+	{
+	if ( controller$state$_name in name_to_controller )
+		delete name_to_controller[controller$state$_name];
+	else
+		Reporter::error("OpenFlow Controller %s was not registered in unregister.");
+
+	if ( controller?$destroy )
+		controller$destroy(controller$state);
+	}
+
+function lookup_controller_impl(name: string): vector of Controller
+	{
+	if ( name in name_to_controller )
+		return vector(name_to_controller[name]);
+	else
+		return vector();
+	}
diff --git a/scripts/base/frameworks/openflow/non-cluster.bro b/scripts/base/frameworks/openflow/non-cluster.bro
new file mode 100644
index 0000000000..22b5980924
--- /dev/null
+++ b/scripts/base/frameworks/openflow/non-cluster.bro
@@ -0,0 +1,44 @@
+@load ./main
+
+module OpenFlow;
+
+# the flow_mod function wrapper
+function flow_mod(controller: Controller, match: ofp_match, flow_mod: ofp_flow_mod): bool
+	{
+	if ( ! controller$state$_activated )
+		return F;
+
+	if ( controller?$flow_mod )
+		return controller$flow_mod(controller$state, match, flow_mod);
+	else
+		return F;
+	}
+
+function flow_clear(controller: Controller): bool
+	{
+	if ( ! controller$state$_activated )
+		return F;
+
+	if ( controller?$flow_clear )
+		return controller$flow_clear(controller$state);
+	else
+		return F;
+	}
+
+function register_controller(tpe: OpenFlow::Plugin, name: string, controller: Controller)
+	{
+	controller$state$_name = cat(tpe, name);
+	controller$state$_plugin = tpe;
+
+	register_controller_impl(tpe, name, controller);
+	}
+
+function unregister_controller(controller: Controller)
+	{
+	unregister_controller_impl(controller);
+	}
+
+function lookup_controller(name: string): vector of Controller
+	{
+	return lookup_controller_impl(name);
+	}
diff --git a/scripts/base/frameworks/openflow/plugins/__load__.bro b/scripts/base/frameworks/openflow/plugins/__load__.bro
new file mode 100644
index 0000000000..e387132034
--- /dev/null
+++ b/scripts/base/frameworks/openflow/plugins/__load__.bro
@@ -0,0 +1,3 @@
+@load ./ryu
+@load ./log
+@load ./broker
diff --git a/scripts/base/frameworks/openflow/plugins/broker.bro b/scripts/base/frameworks/openflow/plugins/broker.bro
new file mode 100644
index 0000000000..a67b941e08
--- /dev/null
+++ b/scripts/base/frameworks/openflow/plugins/broker.bro
@@ -0,0 +1,98 @@
+##! OpenFlow plugin for interfacing to controllers via Broker.
+
+@load base/frameworks/openflow
+@load base/frameworks/broker
+
+module OpenFlow;
+
+@ifdef ( Broker::__enable )
+
+export {
+	redef enum Plugin += {
+		BROKER,
+	};
+
+	## Broker controller constructor.
+	##
+	## host: Controller ip.
+	##
+	## host_port: Controller listen port.
+	##
+	## topic: broker topic to send messages to.
+	##
+	## dpid: OpenFlow switch datapath id.
+	##
+	## Returns: OpenFlow::Controller record
+	global broker_new: function(name: string, host: addr, host_port: port, topic: string, dpid: count): OpenFlow::Controller;
+
+	redef record ControllerState += {
+		## Controller ip.
+		broker_host: addr &optional;
+		## Controller listen port.
+		broker_port: port &optional;
+		## OpenFlow switch datapath id.
+		broker_dpid: count &optional;
+		## Topic to sent events for this controller to
+		broker_topic: string &optional;
+	};
+
+	global broker_flow_mod: event(name: string, dpid: count, match: ofp_match, flow_mod: ofp_flow_mod);
+	global broker_flow_clear: event(name: string, dpid: count);
+}
+
+global broker_peers: table[port, string] of Controller;
+
+function broker_describe(state: ControllerState): string
+	{
+	return fmt("Broker-%s:%d-%d", state$broker_host, state$broker_port, state$broker_dpid);
+	}
+
+function broker_flow_mod_fun(state: ControllerState, match: ofp_match, flow_mod: OpenFlow::ofp_flow_mod): bool
+	{
+	Broker::send_event(state$broker_topic, Broker::event_args(broker_flow_mod, state$_name, state$broker_dpid, match, flow_mod));
+
+	return T;
+	}
+
+function broker_flow_clear_fun(state: OpenFlow::ControllerState): bool
+	{
+	Broker::send_event(state$broker_topic, Broker::event_args(broker_flow_clear, state$_name, state$broker_dpid));
+
+	return T;
+	}
+
+function broker_init(state: OpenFlow::ControllerState)
+	{
+	Broker::enable();
+	Broker::connect(cat(state$broker_host), state$broker_port, 1sec);
+	Broker::subscribe_to_events(state$broker_topic); # openflow success and failure events are directly sent back via the other plugin via broker.
+	}
+
+event Broker::outgoing_connection_established(peer_address: string, peer_port: port, peer_name: string)
+	{
+	if ( [peer_port, peer_address] !in broker_peers )
+		# ok, this one was none of ours...
+		return;
+
+	local p = broker_peers[peer_port, peer_address];
+	controller_init_done(p);
+	delete broker_peers[peer_port, peer_address];
+	}
+
+# broker controller constructor
+function broker_new(name: string, host: addr, host_port: port, topic: string, dpid: count): OpenFlow::Controller
+	{
+	local c = OpenFlow::Controller($state=OpenFlow::ControllerState($broker_host=host, $broker_port=host_port, $broker_dpid=dpid, $broker_topic=topic),
+		$flow_mod=broker_flow_mod_fun, $flow_clear=broker_flow_clear_fun, $describe=broker_describe, $supports_flow_removed=T, $init=broker_init);
+
+	register_controller(OpenFlow::BROKER, name, c);
+
+	if ( [host_port, cat(host)] in broker_peers )
+		Reporter::warning(fmt("Peer %s:%s was added to NetControl acld plugin twice.", host, host_port));
+	else
+		broker_peers[host_port, cat(host)] = c;
+
+	return c;
+	}
+
+@endif
diff --git a/scripts/base/frameworks/openflow/plugins/log.bro b/scripts/base/frameworks/openflow/plugins/log.bro
new file mode 100644
index 0000000000..18aa0c1584
--- /dev/null
+++ b/scripts/base/frameworks/openflow/plugins/log.bro
@@ -0,0 +1,76 @@
+##! OpenFlow plugin that outputs flow-modification commands
+##! to a Bro log file.
+
+@load base/frameworks/openflow
+@load base/frameworks/logging
+
+module OpenFlow;
+
+export {
+	redef enum Plugin += {
+		OFLOG,
+	};
+
+	redef enum Log::ID += { LOG };
+
+	## Log controller constructor.
+	##
+	## dpid: OpenFlow switch datapath id.
+	##
+	## success_event: If true, flow_mod_success is raised for each logged line.
+	##
+	## Returns: OpenFlow::Controller record
+	global log_new: function(dpid: count, success_event: bool &default=T): OpenFlow::Controller;
+
+	redef record ControllerState += {
+		## OpenFlow switch datapath id.
+		log_dpid: count &optional;
+		## Raise or do not raise success event
+		log_success_event: bool &optional;
+	};
+
+	## The record type which contains column fields of the OpenFlow log.
+	type Info: record {
+		## Network time
+		ts: time &log;
+		## OpenFlow switch datapath id
+		dpid: count &log;
+		## OpenFlow match fields
+		match: ofp_match &log;
+		## OpenFlow modify flow entry message
+		flow_mod: ofp_flow_mod &log;
+	};
+
+	## Event that can be handled to access the :bro:type:`OpenFlow::Info`
+	## record as it is sent on to the logging framework.
+	global log_openflow: event(rec: Info);
+}
+
+event bro_init() &priority=5
+	{
+	Log::create_stream(OpenFlow::LOG, [$columns=Info, $ev=log_openflow, $path="openflow"]);
+	}
+
+function log_flow_mod(state: ControllerState, match: ofp_match, flow_mod: OpenFlow::ofp_flow_mod): bool
+	{
+	Log::write(OpenFlow::LOG, [$ts=network_time(), $dpid=state$log_dpid, $match=match, $flow_mod=flow_mod]);
+	if ( state$log_success_event )
+		event OpenFlow::flow_mod_success(state$_name, match, flow_mod);
+
+	return T;
+	}
+
+function log_describe(state: ControllerState): string
+	{
+	return fmt("Log-%d", state$log_dpid);
+	}
+
+function log_new(dpid: count, success_event: bool &default=T): OpenFlow::Controller
+	{
+	local c = OpenFlow::Controller($state=OpenFlow::ControllerState($log_dpid=dpid, $log_success_event=success_event),
+		$flow_mod=log_flow_mod, $describe=log_describe, $supports_flow_removed=F);
+
+	register_controller(OpenFlow::OFLOG, cat(dpid), c);
+
+	return c;
+	}
diff --git a/scripts/base/frameworks/openflow/plugins/ryu.bro b/scripts/base/frameworks/openflow/plugins/ryu.bro
new file mode 100644
index 0000000000..69d51adc9b
--- /dev/null
+++ b/scripts/base/frameworks/openflow/plugins/ryu.bro
@@ -0,0 +1,190 @@
+##! OpenFlow plugin for the Ryu controller.
+
+@load base/frameworks/openflow
+@load base/utils/active-http
+@load base/utils/exec
+@load base/utils/json
+
+module OpenFlow;
+
+export {
+	redef enum Plugin += {
+		RYU,
+	};
+
+	## Ryu controller constructor.
+	##
+	## host: Controller ip.
+	##
+	## host_port: Controller listen port.
+	##
+	## dpid: OpenFlow switch datapath id.
+	##
+	## Returns: OpenFlow::Controller record
+	global ryu_new: function(host: addr, host_port: count, dpid: count): OpenFlow::Controller;
+
+	redef record ControllerState += {
+		## Controller ip.
+		ryu_host: addr &optional;
+		## Controller listen port.
+		ryu_port: count &optional;
+		## OpenFlow switch datapath id.
+		ryu_dpid: count &optional;
+		## Enable debug mode - output JSON to stdout; do not perform actions
+		ryu_debug: bool &default=F;
+	};
+}
+
+# Ryu ReST API flow_mod URL-path
+const RYU_FLOWENTRY_PATH = "/stats/flowentry/";
+# Ryu ReST API flow_stats URL-path
+#const RYU_FLOWSTATS_PATH = "/stats/flow/";
+
+# Ryu ReST API action_output type.
+type ryu_flow_action: record {
+	# Ryu uses strings as its ReST API output action.
+	_type: string;
+	# The output port for type OUTPUT
+	_port: count &optional;
+};
+
+# The ReST API documentation can be found at
+# https://media.readthedocs.org/pdf/ryu/latest/ryu.pdf
+# Ryu ReST API flow_mod type.
+type ryu_ofp_flow_mod: record {
+	dpid: count;
+	cookie: count &optional;
+	cookie_mask: count &optional;
+	table_id: count &optional;
+	idle_timeout: count &optional;
+	hard_timeout: count &optional;
+	priority: count &optional;
+	flags: count &optional;
+	match: OpenFlow::ofp_match;
+	actions: vector of ryu_flow_action;
+	out_port: count &optional;
+	out_group: count &optional;
+};
+
+# Mapping between ofp flow mod commands and ryu urls
+const ryu_url: table[ofp_flow_mod_command] of string = {
+	[OFPFC_ADD] = "add",
+	[OFPFC_MODIFY] = "modify",
+	[OFPFC_MODIFY_STRICT] = "modify_strict",
+	[OFPFC_DELETE] = "delete",
+	[OFPFC_DELETE_STRICT] = "delete_strict",
+};
+
+# Ryu flow_mod function
+function ryu_flow_mod(state: OpenFlow::ControllerState, match: ofp_match, flow_mod: OpenFlow::ofp_flow_mod): bool
+	{
+	if ( state$_plugin != RYU )
+		{
+		Reporter::error("Ryu openflow plugin was called with state of non-ryu plugin");
+		return F;
+		}
+
+	# Generate ryu_flow_actions because their type differs (using strings as type).
+	local flow_actions: vector of ryu_flow_action = vector();
+
+	for ( i in flow_mod$actions$out_ports )
+		flow_actions[|flow_actions|] = ryu_flow_action($_type="OUTPUT", $_port=flow_mod$actions$out_ports[i]);
+
+	# Generate our ryu_flow_mod record for the ReST API call.
+	local mod: ryu_ofp_flow_mod = ryu_ofp_flow_mod(
+		$dpid=state$ryu_dpid,
+		$cookie=flow_mod$cookie,
+		$idle_timeout=flow_mod$idle_timeout,
+		$hard_timeout=flow_mod$hard_timeout,
+		$priority=flow_mod$priority,
+		$flags=flow_mod$flags,
+		$match=match,
+		$actions=flow_actions
+	);
+
+	if ( flow_mod?$out_port )
+		mod$out_port = flow_mod$out_port;
+	if ( flow_mod?$out_group )
+		mod$out_group = flow_mod$out_group;
+
+	# Type of the command
+	local command_type: string;
+
+	if ( flow_mod$command in ryu_url )
+		command_type = ryu_url[flow_mod$command];
+	else
+			{
+			Reporter::warning(fmt("The given OpenFlow command type '%s' is not available", cat(flow_mod$command)));
+			return F;
+			}
+
+	local url=cat("http://", cat(state$ryu_host), ":", cat(state$ryu_port), RYU_FLOWENTRY_PATH, command_type);
+
+	if ( state$ryu_debug )
+		{
+		print url;
+		print to_json(mod);
+		event OpenFlow::flow_mod_success(state$_name, match, flow_mod);
+		return T;
+		}
+
+	# Create the ActiveHTTP request and convert the record to a Ryu ReST API JSON string
+	local request: ActiveHTTP::Request = ActiveHTTP::Request(
+		$url=url,
+		$method="POST",
+		$client_data=to_json(mod)
+	);
+
+	# Execute call to Ryu's ReST API
+	when ( local result = ActiveHTTP::request(request) )
+		{
+		if(result$code == 200)
+			event OpenFlow::flow_mod_success(state$_name, match, flow_mod, result$body);
+		else
+			{
+			Reporter::warning(fmt("Flow modification failed with error: %s", result$body));
+			event OpenFlow::flow_mod_failure(state$_name, match, flow_mod, result$body);
+			return F;
+			}
+		}
+
+	return T;
+	}
+
+function ryu_flow_clear(state: OpenFlow::ControllerState): bool
+	{
+	local url=cat("http://", cat(state$ryu_host), ":", cat(state$ryu_port), RYU_FLOWENTRY_PATH, "clear", "/", state$ryu_dpid);
+
+	if ( state$ryu_debug )
+		{
+		print url;
+		return T;
+		}
+
+	local request: ActiveHTTP::Request = ActiveHTTP::Request(
+		$url=url,
+		$method="DELETE"
+	);
+
+	when ( local result = ActiveHTTP::request(request) )
+		{
+		}
+
+	return T;
+	}
+
+function ryu_describe(state: ControllerState): string
+	{
+	return fmt("Ryu-%d-http://%s:%d", state$ryu_dpid, state$ryu_host, state$ryu_port);
+	}
+
+# Ryu controller constructor
+function ryu_new(host: addr, host_port: count, dpid: count): OpenFlow::Controller
+	{
+	local c = OpenFlow::Controller($state=OpenFlow::ControllerState($ryu_host=host, $ryu_port=host_port, $ryu_dpid=dpid),
+		$flow_mod=ryu_flow_mod, $flow_clear=ryu_flow_clear, $describe=ryu_describe, $supports_flow_removed=F);
+
+	register_controller(OpenFlow::RYU, cat(host,host_port,dpid), c);
+
+	return c;
+	}
diff --git a/scripts/base/frameworks/openflow/types.bro b/scripts/base/frameworks/openflow/types.bro
new file mode 100644
index 0000000000..f527cd51a7
--- /dev/null
+++ b/scripts/base/frameworks/openflow/types.bro
@@ -0,0 +1,132 @@
+##! Types used by the OpenFlow framework.
+
+module OpenFlow;
+
+@load ./consts
+
+export {
+	## Available openflow plugins
+	type Plugin: enum {
+		## Internal placeholder plugin
+		INVALID,
+	};
+
+	## Controller related state.
+	## Can be redefined by plugins to
+	## add state.
+	type ControllerState: record {
+		## Internally set to the type of plugin used.
+		_plugin: Plugin &optional;
+		## Internally set to the unique name of the controller.
+		_name: string &optional;
+		## Internally set to true once the controller is activated
+		_activated: bool &default=F;
+	} &redef;
+
+	## Openflow match definition.
+	##
+	## The openflow match record describes
+	## which packets match to a specific
+	## rule in a flow table.
+	type ofp_match: record {
+		# Input switch port.
+		in_port: count &optional;
+		# Ethernet source address.
+		dl_src: string &optional;
+		# Ethernet destination address.
+		dl_dst: string &optional;
+		# Input VLAN id.
+		dl_vlan: count &optional;
+		# Input VLAN priority.
+		dl_vlan_pcp: count &optional;
+		# Ethernet frame type.
+		dl_type: count &optional;
+		# IP ToS (actually DSCP field, 6bits).
+		nw_tos: count &optional;
+		# IP protocol or lower 8 bits of ARP opcode.
+		nw_proto: count &optional;
+		# At the moment, we store both v4 and v6 in the same fields.
+		# This is not how OpenFlow does it, we might want to change that...
+		# IP source address.
+		nw_src: subnet &optional;
+		# IP destination address.
+		nw_dst: subnet &optional;
+		# TCP/UDP source port.
+		tp_src: count &optional;
+		# TCP/UDP destination port.
+		tp_dst: count &optional;
+	} &log;
+
+	## The actions that can be taken in a flow.
+	## (Sepearate record to make ofp_flow_mod less crowded)
+	type ofp_flow_action: record {
+		## Output ports to send data to.
+		out_ports: vector of count &default=vector();
+		## set vlan vid to this value
+		vlan_vid: count &optional;
+		## set vlan priority to this value
+		vlan_pcp: count &optional;
+		## strip vlan tag
+		vlan_strip: bool &default=F;
+		## set ethernet source address
+		dl_src: string &optional;
+		## set ethernet destination address
+		dl_dst: string &optional;
+		## set ip tos to this value
+		nw_tos: count &optional;
+		## set source to this ip
+		nw_src: addr &optional;
+		## set destination to this ip
+		nw_dst: addr &optional;
+		## set tcp/udp source port
+		tp_src: count &optional;
+		## set tcp/udp destination port
+		tp_dst: count &optional;
+	} &log;
+
+	## Openflow flow_mod definition, describing the action to perform.
+	type ofp_flow_mod: record {
+		## Opaque controller-issued identifier.
+		# This is optional in the specification - but let's force
+		# it so we always can identify our flows...
+		cookie: count; # &default=BRO_COOKIE_ID * COOKIE_BID_START;
+		# Flow actions
+		## Table to put the flow in. OFPTT_ALL can be used for delete,
+		## to delete flows from all matching tables.
+		table_id: count &optional;
+		## One of OFPFC_*.
+		command: ofp_flow_mod_command; # &default=OFPFC_ADD;
+		## Idle time before discarding (seconds).
+		idle_timeout: count &default=0;
+		## Max time before discarding (seconds).
+		hard_timeout: count &default=0;
+		## Priority level of flow entry.
+		priority: count &default=0;
+		## For OFPFC_DELETE* commands, require matching entried to include
+		## this as an output port/group. OFPP_ANY/OFPG_ANY means no restrictions.
+		out_port: count &optional;
+		out_group: count &optional;
+		## Bitmap of the OFPFF_* flags
+		flags: count &default=0;
+		## Actions to take on match
+		actions: ofp_flow_action &default=ofp_flow_action();
+	} &log;
+
+	## Controller record representing an openflow controller
+	type Controller: record {
+		## Controller related state.
+		state: ControllerState;
+		## Does the controller support the flow_removed event?
+		supports_flow_removed: bool;
+		## function that describes the controller. Has to be implemented.
+		describe: function(state: ControllerState): string;
+		## one-time initialization function. If defined, controller_init_done has to be called once initialization finishes.
+		init: function (state: ControllerState) &optional;
+		## one-time destruction function
+		destroy: function (state: ControllerState) &optional;
+		## flow_mod function
+		flow_mod: function(state: ControllerState, match: ofp_match, flow_mod: ofp_flow_mod): bool &optional;
+		## flow_clear function
+		flow_clear: function(state: ControllerState): bool &optional;
+	};
+}
diff --git a/scripts/base/frameworks/packet-filter/netstats.bro b/scripts/base/frameworks/packet-filter/netstats.bro
index b5ffe24f54..f1757d8d47 100644
--- a/scripts/base/frameworks/packet-filter/netstats.bro
+++ b/scripts/base/frameworks/packet-filter/netstats.bro
@@ -18,7 +18,7 @@ export {
 
 event net_stats_update(last_stat: NetStats)
 	{
-	local ns = net_stats();
+	local ns = get_net_stats();
 	local new_dropped = ns$pkts_dropped - last_stat$pkts_dropped;
 	if ( new_dropped > 0 )
 		{
@@ -38,5 +38,5 @@ event bro_init()
 	# Since this currently only calculates packet drops, let's skip the stats
 	# collection if reading traces.
 	if ( ! reading_traces() )
-		schedule stats_collection_interval { net_stats_update(net_stats()) };
+		schedule stats_collection_interval { net_stats_update(get_net_stats()) };
 	}
diff --git a/scripts/base/frameworks/sumstats/main.bro b/scripts/base/frameworks/sumstats/main.bro
index 8dbdb61edd..edd80ede0f 100644
--- a/scripts/base/frameworks/sumstats/main.bro
+++ b/scripts/base/frameworks/sumstats/main.bro
@@ -5,7 +5,8 @@
 module SumStats;
 
 export {
-	## The various calculations are all defined as plugins.
+	## Type to represent the calculations that are available.  The calculations
+	## are all defined as plugins.
 	type Calculation: enum {
 		PLACEHOLDER
 	};
@@ -39,6 +40,7 @@ export {
 		str:  string &optional;
 	};
 
+	## Represents a reducer.
 	type Reducer: record {
 		## Observation stream identifier for the reducer
 		## to attach to.
@@ -56,7 +58,7 @@ export {
 		normalize_key:  function(key: SumStats::Key): Key &optional;
 	};
 
-	## Value calculated for an observation stream fed into a reducer.
+	## Result calculated for an observation stream fed into a reducer.
 	## Most of the fields are added by plugins.
 	type ResultVal: record {
 		## The time when the first observation was added to
@@ -71,14 +73,15 @@ export {
 		num:    count &default=0;
 	};
 
-	## Type to store results for multiple reducers.
+	## Type to store a table of results for multiple reducers indexed by
+	## observation stream identifier.
 	type Result: table[string] of ResultVal;
 
 	## Type to store a table of sumstats results indexed by keys.
 	type ResultTable: table[Key] of Result;
 
-	## SumStats represent an aggregation of reducers along with
-	## mechanisms to handle various situations like the epoch ending
+	## Represents a SumStat, which consists of an aggregation of reducers along
+	## with mechanisms to handle various situations like the epoch ending
 	## or thresholds being crossed.
 	##
 	## It's best to not access any global state outside
@@ -101,21 +104,28 @@ export {
 		## The reducers for the SumStat.
 		reducers:           set[Reducer];
 
-		## Provide a function to calculate a value from the
-		## :bro:see:`SumStats::Result` structure which will be used
-		## for thresholding.
-		## This is required if a *threshold* value is given.
+		## A function that will be called once for each observation in order
+		## to calculate a value from the :bro:see:`SumStats::Result` structure
+		## which will be used for thresholding.
+		## This function is required if a *threshold* value or
+		## a *threshold_series* is given.
 		threshold_val:      function(key: SumStats::Key, result: SumStats::Result): double &optional;
 
-		## The threshold value for calling the
-		## *threshold_crossed* callback.
+		## The threshold value for calling the *threshold_crossed* callback.
+		## If you need more than one threshold value, then use
+		## *threshold_series* instead.
 		threshold:          double            &optional;
 
-		## A series of thresholds for calling the
-		## *threshold_crossed* callback.
+		## A series of thresholds for calling the *threshold_crossed*
+		## callback.  These thresholds must be listed in ascending order,
+		## because a threshold is not checked until the preceding one has
+		## been crossed.
 		threshold_series:   vector of double  &optional;
 
 		## A callback that is called when a threshold is crossed.
+		## A threshold is crossed when the value returned from *threshold_val*
+		## is greater than or equal to the threshold value, but only the first
+		## time this happens within an epoch.
 		threshold_crossed:  function(key: SumStats::Key, result: SumStats::Result) &optional;
 
 		## A callback that receives each of the results at the
@@ -130,6 +140,8 @@ export {
 	};
 
 	## Create a summary statistic.
+	##
+	## ss: The SumStat to create.
 	global create: function(ss: SumStats::SumStat);
 
 	## Add data into an observation stream. This should be
diff --git a/scripts/base/frameworks/sumstats/plugins/average.bro b/scripts/base/frameworks/sumstats/plugins/average.bro
index 8f7f7b568f..160ca64d78 100644
--- a/scripts/base/frameworks/sumstats/plugins/average.bro
+++ b/scripts/base/frameworks/sumstats/plugins/average.bro
@@ -1,3 +1,5 @@
+##! Calculate the average.
+
 @load ../main
 
 module SumStats;
@@ -9,7 +11,7 @@ export {
 	};
 
 	redef record ResultVal += {
-		## For numeric data, this calculates the average of all values.
+		## For numeric data, this is the average of all values.
 		average: double &optional;
 	};
 }
diff --git a/scripts/base/frameworks/sumstats/plugins/hll_unique.bro b/scripts/base/frameworks/sumstats/plugins/hll_unique.bro
index 494cbf4667..43cafcff7f 100644
--- a/scripts/base/frameworks/sumstats/plugins/hll_unique.bro
+++ b/scripts/base/frameworks/sumstats/plugins/hll_unique.bro
@@ -1,3 +1,5 @@
+##! Calculate the number of unique values (using the HyperLogLog algorithm).
+
 @load base/frameworks/sumstats
 
 module SumStats;
diff --git a/scripts/base/frameworks/sumstats/plugins/last.bro b/scripts/base/frameworks/sumstats/plugins/last.bro
index 430c2e375b..ca04114f61 100644
--- a/scripts/base/frameworks/sumstats/plugins/last.bro
+++ b/scripts/base/frameworks/sumstats/plugins/last.bro
@@ -1,3 +1,5 @@
+##! Keep the last X observations.
+
 @load base/frameworks/sumstats
 @load base/utils/queue
 
diff --git a/scripts/base/frameworks/sumstats/plugins/max.bro b/scripts/base/frameworks/sumstats/plugins/max.bro
index d43ad9dc38..adcc6ae113 100644
--- a/scripts/base/frameworks/sumstats/plugins/max.bro
+++ b/scripts/base/frameworks/sumstats/plugins/max.bro
@@ -1,3 +1,5 @@
+##! Find the maximum value.
+
 @load ../main
 
 module SumStats;
@@ -9,7 +11,7 @@ export {
 	};
 
 	redef record ResultVal += {
-		## For numeric data, this tracks the maximum value given.
+		## For numeric data, this tracks the maximum value.
 		max: double &optional;
 	};
 }
diff --git a/scripts/base/frameworks/sumstats/plugins/min.bro b/scripts/base/frameworks/sumstats/plugins/min.bro
index 014755cf32..22cab1009c 100644
--- a/scripts/base/frameworks/sumstats/plugins/min.bro
+++ b/scripts/base/frameworks/sumstats/plugins/min.bro
@@ -1,3 +1,5 @@
+##! Find the minimum value.
+
 @load ../main
 
 module SumStats;
@@ -9,7 +11,7 @@ export {
 	};
 
 	redef record ResultVal += {
-		## For numeric data, this tracks the minimum value given.
+		## For numeric data, this tracks the minimum value.
 		min: double &optional;
 	};
 }
diff --git a/scripts/base/frameworks/sumstats/plugins/sample.bro b/scripts/base/frameworks/sumstats/plugins/sample.bro
index 809d696896..0200e85949 100644
--- a/scripts/base/frameworks/sumstats/plugins/sample.bro
+++ b/scripts/base/frameworks/sumstats/plugins/sample.bro
@@ -1,3 +1,5 @@
+##! Keep a random sample of values.
+
 @load base/frameworks/sumstats/main
 
 module SumStats;
@@ -10,7 +12,7 @@ export {
 	};
 
 	redef record Reducer += {
-		## A number of sample Observations to collect.
+		## The number of sample Observations to collect.
 		num_samples: count &default=0;
 	};
 
diff --git a/scripts/base/frameworks/sumstats/plugins/std-dev.bro b/scripts/base/frameworks/sumstats/plugins/std-dev.bro
index 2e5b95b212..bfb02c82cc 100644
--- a/scripts/base/frameworks/sumstats/plugins/std-dev.bro
+++ b/scripts/base/frameworks/sumstats/plugins/std-dev.bro
@@ -1,3 +1,5 @@
+##! Calculate the standard deviation.
+
 @load ./variance
 @load ../main
 
@@ -5,7 +7,7 @@ module SumStats;
 
 export {
 	redef enum Calculation += {
-		## Find the standard deviation of the values.
+		## Calculate the standard deviation of the values.
 		STD_DEV
 	};
 
diff --git a/scripts/base/frameworks/sumstats/plugins/sum.bro b/scripts/base/frameworks/sumstats/plugins/sum.bro
index 074b4b72f3..fb1d96bcd4 100644
--- a/scripts/base/frameworks/sumstats/plugins/sum.bro
+++ b/scripts/base/frameworks/sumstats/plugins/sum.bro
@@ -1,11 +1,13 @@
+##! Calculate the sum.
+
 @load ../main
 
 module SumStats;
 
 export {
 	redef enum Calculation += {
-		## Sums the values given.  For string values,
-		## this will be the number of strings given.
+		## Calculate the sum of the values.  For string values,
+		## this will be the number of strings.
 		SUM
 	};
 
diff --git a/scripts/base/frameworks/sumstats/plugins/topk.bro b/scripts/base/frameworks/sumstats/plugins/topk.bro
index 0ef0f01393..e7107cb4fb 100644
--- a/scripts/base/frameworks/sumstats/plugins/topk.bro
+++ b/scripts/base/frameworks/sumstats/plugins/topk.bro
@@ -1,3 +1,5 @@
+##! Keep the top-k (i.e., most frequently occurring) observations.
+
 @load base/frameworks/sumstats
 
 module SumStats;
@@ -9,10 +11,13 @@ export {
 	};
 
 	redef enum Calculation += {
+		## Keep a top-k list of values.
 		TOPK
 	};
 
 	redef record ResultVal += {
+		## A handle which can be passed to some built-in functions to get
+		## the top-k results.
 		topk: opaque of topk &optional;
 	};
 
diff --git a/scripts/base/frameworks/sumstats/plugins/unique.bro b/scripts/base/frameworks/sumstats/plugins/unique.bro
index abfbe3669d..5fcaa1dc3c 100644
--- a/scripts/base/frameworks/sumstats/plugins/unique.bro
+++ b/scripts/base/frameworks/sumstats/plugins/unique.bro
@@ -1,10 +1,12 @@
+##! Calculate the number of unique values.
+
 @load ../main
 
 module SumStats;
 
 export {
 	redef record Reducer += {
-		## Maximum number of unique elements to store.
+		## Maximum number of unique values to store.
 		unique_max: count &optional;
 	};
 
@@ -15,7 +17,7 @@ export {
 
 	redef record ResultVal += {
 		## If cardinality is being tracked, the number of unique
-		## items is tracked here.
+		## values is tracked here.
 		unique: count &default=0;
 	};
 }
diff --git a/scripts/base/frameworks/sumstats/plugins/variance.bro b/scripts/base/frameworks/sumstats/plugins/variance.bro
index 12d30cc4fe..989bf07eaf 100644
--- a/scripts/base/frameworks/sumstats/plugins/variance.bro
+++ b/scripts/base/frameworks/sumstats/plugins/variance.bro
@@ -1,3 +1,5 @@
+##! Calculate the variance.
+
 @load ./average
 @load ../main
 
@@ -5,12 +7,12 @@ module SumStats;
 
 export {
 	redef enum Calculation += {
-		## Find the variance of the values.
+		## Calculate the variance of the values.
 		VARIANCE
 	};
 
 	redef record ResultVal += {
-		## For numeric data, this calculates the variance.
+		## For numeric data, this is the variance.
 		variance: double &optional;
 	};
 }
diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro
index 94b6ed33e5..bc2edd72cb 100644
--- a/scripts/base/init-bare.bro
+++ b/scripts/base/init-bare.bro
@@ -39,6 +39,13 @@ type count_set: set[count];
 ##    directly and then remove this alias.
 type index_vec: vector of count;
 
+## A vector of subnets.
+##
+## .. todo:: We need this type definition only for declaring builtin functions
+##    via ``bifcl``. We should extend ``bifcl`` to understand composite types
+##    directly and then remove this alias.
+type subnet_vec: vector of subnet;
+
 ## A vector of any, used by some builtin functions to store a list of varying
 ## types.
 ##
@@ -120,6 +127,18 @@ type conn_id: record {
 	resp_p: port;	##< The responder's port number.
 } &log;
 
+## The identifying 4-tuple of a uni-directional flow.
+##
+## .. note:: It's actually a 5-tuple: the transport-layer protocol is stored as
+##    part of the port values, `src_p` and `dst_p`, and can be extracted from
+##    them with :bro:id:`get_port_transport_proto`.
+type flow_id : record {
+	src_h: addr;	##< The source IP address.
+	src_p: port;	##< The source port number.
+	dst_h: addr;	##< The destination IP address.
+	dst_p: port;	##< The desintation port number.
+} &log;
+
 ## Specifics about an ICMP conversation. ICMP events typically pass this in
 ## addition to :bro:type:`conn_id`.
 ##
@@ -310,6 +329,8 @@ type endpoint: record {
 	## The current IPv6 flow label that the connection endpoint is using.
 	## Always 0 if the connection is over IPv4.
 	flow_label: count;
+	## The link-layer address seen in the first packet (if available).
+	l2_addr: string &optional;
 };
 
 ## A connection. This is Bro's basic connection type describing IP- and
@@ -346,10 +367,10 @@ type connection: record {
 	## handled and reassigns this field to the new encapsulation.
 	tunnel: EncapsulatingConnVector &optional;
 
-	## The outer VLAN, if applicable, for this connection.
+	## The outer VLAN, if applicable for this connection.
 	vlan: int &optional;
 
-	## The inner VLAN, if applicable, for this connection.
+	## The inner VLAN, if applicable for this connection.
 	inner_vlan: int &optional;
 };
 
@@ -455,64 +476,127 @@ type NetStats: record {
 	bytes_recvd:  count &default=0;	##< Bytes received by Bro.
 };
 
-## Statistics about Bro's resource consumption.
+type ConnStats: record {
+	total_conns: count;           ##<
+	current_conns: count;         ##<
+	current_conns_extern: count;  ##<
+	sess_current_conns: count;    ##<
+
+	num_packets: count;
+	num_fragments: count;
+	max_fragments: count;
+
+	num_tcp_conns: count;         ##< Current number of TCP connections in memory.
+	max_tcp_conns: count;         ##< Maximum number of concurrent TCP connections so far.
+	cumulative_tcp_conns: count;  ##< Total number of TCP connections so far.
+
+	num_udp_conns: count;         ##< Current number of UDP flows in memory.
+	max_udp_conns: count;         ##< Maximum number of concurrent UDP flows so far.
+	cumulative_udp_conns: count;  ##< Total number of UDP flows so far.
+
+	num_icmp_conns: count;        ##< Current number of ICMP flows in memory.
+	max_icmp_conns: count;        ##< Maximum number of concurrent ICMP flows so far.
+	cumulative_icmp_conns: count; ##< Total number of ICMP flows so far.
+
+	killed_by_inactivity: count;
+};
+
+## Statistics about Bro's process.
 ##
-## .. bro:see:: resource_usage
+## .. bro:see:: get_proc_stats
 ##
 ## .. note:: All process-level values refer to Bro's main process only, not to
 ##    the child process it spawns for doing communication.
-type bro_resources: record {
-	version: string;	##< Bro version string.
-	debug: bool;	##< True if compiled with --enable-debug.
-	start_time: time;	##< Start time of process.
-	real_time: interval;	##< Elapsed real time since Bro started running.
-	user_time: interval;	##< User CPU seconds.
-	system_time: interval;	##< System CPU seconds.
-	mem: count;		##< Maximum memory consumed, in KB.
-	minor_faults: count;	##< Page faults not requiring actual I/O.
-	major_faults: count;	##< Page faults requiring actual I/O.
-	num_swap: count;	##< Times swapped out.
-	blocking_input: count;	##< Blocking input operations.
-	blocking_output: count;	##< Blocking output operations.
-	num_context: count;	##< Number of involuntary context switches.
+type ProcStats: record {
+	debug: bool;                  ##< True if compiled with --enable-debug.
+	start_time: time;             ##< Start time of process.
+	real_time: interval;          ##< Elapsed real time since Bro started running.
+	user_time: interval;          ##< User CPU seconds.
+	system_time: interval;        ##< System CPU seconds.
+	mem: count;                   ##< Maximum memory consumed, in KB.
+	minor_faults: count;          ##< Page faults not requiring actual I/O.
+	major_faults: count;          ##< Page faults requiring actual I/O.
+	num_swap: count;              ##< Times swapped out.
+	blocking_input: count;        ##< Blocking input operations.
+	blocking_output: count;       ##< Blocking output operations.
+	num_context: count;           ##< Number of involuntary context switches.
+};
 
-	num_TCP_conns: count;	##< Current number of TCP connections in memory.
-	num_UDP_conns: count;	##< Current number of UDP flows in memory.
-	num_ICMP_conns: count;	##< Current number of ICMP flows in memory.
-	num_fragments: count;	##< Current number of fragments pending reassembly.
-	num_packets: count;	##< Total number of packets processed to date.
-	num_timers: count;	##< Current number of pending timers.
-	num_events_queued: count;	##< Total number of events queued so far.
-	num_events_dispatched: count;	##< Total number of events dispatched so far.
-
-	max_TCP_conns: count;	##< Maximum number of concurrent TCP connections so far.
-	max_UDP_conns: count;	##< Maximum number of concurrent UDP connections so far.
-	max_ICMP_conns: count;	##< Maximum number of concurrent ICMP connections so far.
-	max_fragments: count;	##< Maximum number of concurrently buffered fragments so far.
-	max_timers: count;	##< Maximum number of concurrent timers pending so far.
+type EventStats: record {
+	queued:     count; ##< Total number of events queued so far.
+	dispatched: count; ##< Total number of events dispatched so far.
 };
 
 ## Summary statistics of all regular expression matchers.
 ##
+## .. bro:see:: get_reassembler_stats
+type ReassemblerStats: record {
+	file_size:    count;  ##< Byte size of File reassembly tracking.
+	frag_size:    count;  ##< Byte size of Fragment reassembly tracking.
+	tcp_size:     count;  ##< Byte size of TCP reassembly tracking.
+	unknown_size: count;  ##< Byte size of reassembly tracking for unknown purposes.
+};
+
+## Statistics of all regular expression matchers.
+##
 ## .. bro:see:: get_matcher_stats
-type matcher_stats: record {
-	matchers: count;	##< Number of distinct RE matchers.
-	dfa_states: count;	##< Number of DFA states across all matchers.
-	computed: count;	##< Number of computed DFA state transitions.
-	mem: count;		##< Number of bytes used by DFA states.
-	hits: count;		##< Number of cache hits.
-	misses: count;		##< Number of cache misses.
-	avg_nfa_states: count;	##< Average number of NFA states across all matchers.
+type MatcherStats: record {
+	matchers: count;    ##< Number of distinct RE matchers.
+	nfa_states: count;  ##< Number of NFA states across all matchers.
+	dfa_states: count;  ##< Number of DFA states across all matchers.
+	computed: count;    ##< Number of computed DFA state transitions.
+	mem: count;         ##< Number of bytes used by DFA states.
+	hits: count;        ##< Number of cache hits.
+	misses: count;      ##< Number of cache misses.
+};
+
+## Statistics of timers.
+##
+## .. bro:see:: get_timer_stats
+type TimerStats: record {
+	current:    count; ##< Current number of pending timers.
+	max:        count; ##< Maximum number of concurrent timers pending so far.
+	cumulative: count; ##< Cumulative number of timers scheduled.
+};
+
+## Statistics of file analysis.
+##
+## .. bro:see:: get_file_analysis_stats
+type FileAnalysisStats: record {
+	current:    count; ##< Current number of files being analyzed.
+	max:        count; ##< Maximum number of concurrent files so far.
+	cumulative: count; ##< Cumulative number of files analyzed.
+};
+
+## Statistics related to Bro's active use of DNS.  These numbers are
+## about Bro performing DNS queries on it's own, not traffic
+## being seen.
+##
+## .. bro:see:: get_dns_stats
+type DNSStats: record {
+	requests:         count; ##< Number of DNS requests made
+	successful:       count; ##< Number of successful DNS replies.
+	failed:           count; ##< Number of DNS reply failures.
+	pending:          count; ##< Current pending queries.
+	cached_hosts:     count; ##< Number of cached hosts.
+	cached_addresses: count; ##< Number of cached addresses.
 };
 
 ## Statistics about number of gaps in TCP connections.
 ##
-## .. bro:see:: gap_report get_gap_summary
-type gap_info: record {
-	ack_events: count;	##< How many ack events *could* have had gaps.
-	ack_bytes: count;	##< How many bytes those covered.
-	gap_events: count;	##< How many *did* have gaps.
-	gap_bytes: count;	##< How many bytes were missing in the gaps.
+## .. bro:see:: get_gap_stats
+type GapStats: record {
+	ack_events: count;  ##< How many ack events *could* have had gaps.
+	ack_bytes: count;   ##< How many bytes those covered.
+	gap_events: count;  ##< How many *did* have gaps.
+	gap_bytes: count;   ##< How many bytes were missing in the gaps.
+};
+
+## Statistics about threads.
+##
+## .. bro:see:: get_thread_stats
+type ThreadStats: record {
+	num_threads: count;
 };
 
 ## Deprecated.
@@ -774,71 +858,6 @@ type entropy_test_result: record {
 	serial_correlation: double;	##< Serial correlation coefficient.
 };
 
-# Prototypes of Bro built-in functions.
-@load base/bif/strings.bif
-@load base/bif/bro.bif
-@load base/bif/reporter.bif
-
-## Deprecated. This is superseded by the new logging framework.
-global log_file_name: function(tag: string): string &redef;
-
-## Deprecated. This is superseded by the new logging framework.
-global open_log_file: function(tag: string): file &redef;
-
-## Specifies a directory for Bro to store its persistent state. All globals can
-## be declared persistent via the :bro:attr:`&persistent` attribute.
-const state_dir = ".state" &redef;
-
-## Length of the delays inserted when storing state incrementally. To avoid
-## dropping packets when serializing larger volumes of persistent state to
-## disk, Bro interleaves the operation with continued packet processing.
-const state_write_delay = 0.01 secs &redef;
-
-global done_with_network = F;
-event net_done(t: time) { done_with_network = T; }
-
-function log_file_name(tag: string): string
-	{
-	local suffix = getenv("BRO_LOG_SUFFIX") == "" ? "log" : getenv("BRO_LOG_SUFFIX");
-	return fmt("%s.%s", tag, suffix);
-	}
-
-function open_log_file(tag: string): file
-	{
-	return open(log_file_name(tag));
-	}
-
-## Internal function.
-function add_interface(iold: string, inew: string): string
-	{
-	if ( iold == "" )
-		return inew;
-	else
-		return fmt("%s %s", iold, inew);
-	}
-
-## Network interfaces to listen on. Use ``redef interfaces += "eth0"`` to
-## extend.
-global interfaces = "" &add_func = add_interface;
-
-## Internal function.
-function add_signature_file(sold: string, snew: string): string
-	{
-	if ( sold == "" )
-		return snew;
-	else
-		return cat(sold, " ", snew);
-	}
-
-## Signature files to read. Use ``redef signature_files  += "foo.sig"`` to
-## extend. Signature files added this way will be searched relative to
-## ``BROPATH``.  Using the ``@load-sigs`` directive instead is preferred
-## since that can search paths relative to the current script.
-global signature_files = "" &add_func = add_signature_file;
-
-## ``p0f`` fingerprint file to use. Will be searched relative to ``BROPATH``.
-const passive_fingerprint_file = "base/misc/p0f.fp" &redef;
-
 # TCP values for :bro:see:`endpoint` *state* field.
 # todo:: these should go into an enum to make them autodoc'able.
 const TCP_INACTIVE = 0;	##< Endpoint is still inactive.
@@ -1749,6 +1768,71 @@ type gtp_delete_pdp_ctx_response_elements: record {
 	ext:   gtp_private_extension &optional;
 };
 
+# Prototypes of Bro built-in functions.
+@load base/bif/strings.bif
+@load base/bif/bro.bif
+@load base/bif/reporter.bif
+
+## Deprecated. This is superseded by the new logging framework.
+global log_file_name: function(tag: string): string &redef;
+
+## Deprecated. This is superseded by the new logging framework.
+global open_log_file: function(tag: string): file &redef;
+
+## Specifies a directory for Bro to store its persistent state. All globals can
+## be declared persistent via the :bro:attr:`&persistent` attribute.
+const state_dir = ".state" &redef;
+
+## Length of the delays inserted when storing state incrementally. To avoid
+## dropping packets when serializing larger volumes of persistent state to
+## disk, Bro interleaves the operation with continued packet processing.
+const state_write_delay = 0.01 secs &redef;
+
+global done_with_network = F;
+event net_done(t: time) { done_with_network = T; }
+
+function log_file_name(tag: string): string
+	{
+	local suffix = getenv("BRO_LOG_SUFFIX") == "" ? "log" : getenv("BRO_LOG_SUFFIX");
+	return fmt("%s.%s", tag, suffix);
+	}
+
+function open_log_file(tag: string): file
+	{
+	return open(log_file_name(tag));
+	}
+
+## Internal function.
+function add_interface(iold: string, inew: string): string
+	{
+	if ( iold == "" )
+		return inew;
+	else
+		return fmt("%s %s", iold, inew);
+	}
+
+## Network interfaces to listen on. Use ``redef interfaces += "eth0"`` to
+## extend.
+global interfaces = "" &add_func = add_interface;
+
+## Internal function.
+function add_signature_file(sold: string, snew: string): string
+	{
+	if ( sold == "" )
+		return snew;
+	else
+		return cat(sold, " ", snew);
+	}
+
+## Signature files to read. Use ``redef signature_files  += "foo.sig"`` to
+## extend. Signature files added this way will be searched relative to
+## ``BROPATH``.  Using the ``@load-sigs`` directive instead is preferred
+## since that can search paths relative to the current script.
+global signature_files = "" &add_func = add_signature_file;
+
+## ``p0f`` fingerprint file to use. Will be searched relative to ``BROPATH``.
+const passive_fingerprint_file = "base/misc/p0f.fp" &redef;
+
 ## Definition of "secondary filters". A secondary filter is a BPF filter given
 ## as index in this table. For each such filter, the corresponding event is
 ## raised for all matching packets.
@@ -3416,23 +3500,17 @@ global pkt_profile_file: file &redef;
 ## .. bro:see:: load_sample
 global load_sample_freq = 20 &redef;
 
-## Rate at which to generate :bro:see:`gap_report` events assessing to what
-## degree the measurement process appears to exhibit loss.
-##
-## .. bro:see:: gap_report
-const gap_report_freq = 1.0 sec &redef;
-
 ## Whether to attempt to automatically detect SYN/FIN/RST-filtered trace
 ## and not report missing segments for such connections.
 ## If this is enabled, then missing data at the end of connections may not
 ## be reported via :bro:see:`content_gap`.
 const detect_filtered_trace = F &redef;
 
-## Whether we want :bro:see:`content_gap` and :bro:see:`gap_report` for partial
+## Whether we want :bro:see:`content_gap` and :bro:see:`get_gap_summary` for partial
 ## connections. A connection is partial if it is missing a full handshake. Note
 ## that gap reports for partial connections might not be reliable.
 ##
-## .. bro:see:: content_gap gap_report partial_connection
+## .. bro:see:: content_gap get_gap_summary partial_connection
 const report_gaps_for_partial = F &redef;
 
 ## Flag to prevent Bro from exiting automatically when input is exhausted.
diff --git a/scripts/base/init-default.bro b/scripts/base/init-default.bro
index 5926663535..05f19235f9 100644
--- a/scripts/base/init-default.bro
+++ b/scripts/base/init-default.bro
@@ -13,6 +13,7 @@
 @load base/utils/email
 @load base/utils/exec
 @load base/utils/files
+@load base/utils/geoip-distance
 @load base/utils/numbers
 @load base/utils/paths
 @load base/utils/patterns
@@ -38,6 +39,8 @@
 @load base/frameworks/reporter
 @load base/frameworks/sumstats
 @load base/frameworks/tunnels
+@load base/frameworks/openflow
+@load base/frameworks/netcontrol
 
 @load base/protocols/conn
 @load base/protocols/dhcp
@@ -45,6 +48,7 @@
 @load base/protocols/dns
 @load base/protocols/ftp
 @load base/protocols/http
+@load base/protocols/imap
 @load base/protocols/irc
 @load base/protocols/krb
 @load base/protocols/modbus
@@ -52,6 +56,7 @@
 @load base/protocols/pop3
 @load base/protocols/radius
 @load base/protocols/rdp
+@load base/protocols/rfb
 @load base/protocols/sip
 @load base/protocols/snmp
 @load base/protocols/smtp
@@ -60,6 +65,7 @@
 @load base/protocols/ssl
 @load base/protocols/syslog
 @load base/protocols/tunnels
+@load base/protocols/xmpp
 
 @load base/files/pe
 @load base/files/hash
diff --git a/scripts/base/misc/find-checksum-offloading.bro b/scripts/base/misc/find-checksum-offloading.bro
index fae017fff1..334cf4a2db 100644
--- a/scripts/base/misc/find-checksum-offloading.bro
+++ b/scripts/base/misc/find-checksum-offloading.bro
@@ -26,7 +26,7 @@ event ChecksumOffloading::check()
 	if ( done )
 		return;
 
-	local pkts_recvd = net_stats()$pkts_recvd;
+	local pkts_recvd = get_net_stats()$pkts_recvd;
 	local bad_ip_checksum_pct = (pkts_recvd != 0) ? (bad_ip_checksums*1.0 / pkts_recvd*1.0) : 0;
 	local bad_tcp_checksum_pct = (pkts_recvd != 0) ? (bad_tcp_checksums*1.0 / pkts_recvd*1.0) : 0;
 	local bad_udp_checksum_pct = (pkts_recvd != 0) ? (bad_udp_checksums*1.0 / pkts_recvd*1.0) : 0;
diff --git a/scripts/base/protocols/conn/main.bro b/scripts/base/protocols/conn/main.bro
index 015c5520db..c6eef5d2d5 100644
--- a/scripts/base/protocols/conn/main.bro
+++ b/scripts/base/protocols/conn/main.bro
@@ -47,7 +47,7 @@ export {
 		## S2           Connection established and close attempt by originator seen (but no reply from responder).
 		## S3           Connection established and close attempt by responder seen (but no reply from originator).
 		## RSTO         Connection established, originator aborted (sent a RST).
-		## RSTR         Established, responder aborted.
+		## RSTR         Responder sent a RST.
 		## RSTOS0       Originator sent a SYN followed by a RST, we never saw a SYN-ACK from the responder.
 		## RSTRH        Responder sent a SYN ACK followed by a RST, we never saw a SYN from the (purported) originator.
 		## SH           Originator sent a SYN followed by a FIN, we never saw a SYN ACK from the responder (hence the connection was "half" open).
diff --git a/scripts/base/protocols/dns/consts.bro b/scripts/base/protocols/dns/consts.bro
index 13af6c3e81..026588f777 100644
--- a/scripts/base/protocols/dns/consts.bro
+++ b/scripts/base/protocols/dns/consts.bro
@@ -26,6 +26,7 @@ export {
 		[49] = "DHCID", [99] = "SPF", [100] = "DINFO", [101] = "UID",
 		[102] = "GID", [103] = "UNSPEC", [249] = "TKEY", [250] = "TSIG",
 		[251] = "IXFR", [252] = "AXFR", [253] = "MAILB", [254] = "MAILA",
+		[257] = "CAA",
 		[32768] = "TA", [32769] = "DLV",
 		[ANY] = "*",
 	} &default = function(n: count): string { return fmt("query-%d", n); };
diff --git a/scripts/base/protocols/dns/main.bro b/scripts/base/protocols/dns/main.bro
index 58a63293d0..5827449946 100644
--- a/scripts/base/protocols/dns/main.bro
+++ b/scripts/base/protocols/dns/main.bro
@@ -26,6 +26,10 @@ export {
 		## the DNS query.  Also used in responses to match up replies to
 		## outstanding queries.
 		trans_id:      count              &log &optional;
+		## Round trip time for the query and response. This indicates 
+		## the delay between when the request was seen until the 
+		## answer started.
+		rtt:           interval           &log &optional;
 		## The domain name that is the subject of the DNS query.
 		query:         string             &log &optional;
 		## The QCLASS value specifying the class of the query.
@@ -52,7 +56,7 @@ export {
 		## The Recursion Available bit in a response message indicates
 		## that the name server supports recursive queries.
 		RA:            bool               &log &default=F;
-		## A reserved field that is currently supposed to be zero in all
+		## A reserved field that is usually zero in
 		## queries and responses.
 		Z:             count              &log &default=0;
 		## The set of resource descriptions in the query answer.
@@ -311,6 +315,16 @@ hook DNS::do_reply(c: connection, msg: dns_msg, ans: dns_answer, reply: string)
 		c$dns$AA    = msg$AA;
 		c$dns$RA    = msg$RA;
 
+		if ( ! c$dns?$rtt )
+			{
+			c$dns$rtt = network_time() - c$dns$ts;
+			# This could mean that only a reply was seen since 
+			# we assume there must be some passage of time between
+			# request and response.
+			if ( c$dns$rtt == 0secs )
+				delete c$dns$rtt;
+			}
+
 		if ( reply != "" )
 			{
 			if ( ! c$dns?$answers )
diff --git a/scripts/base/protocols/ftp/main.bro b/scripts/base/protocols/ftp/main.bro
index f98e33b315..8a24a9d92f 100644
--- a/scripts/base/protocols/ftp/main.bro
+++ b/scripts/base/protocols/ftp/main.bro
@@ -213,7 +213,7 @@ event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool) &prior
 		#       on a different file could be checked, but the file size will
 		#       be overwritten by the server response to the RETR command
 		#       if that's given as well which would be more correct.
-		c$ftp$file_size = extract_count(msg);
+		c$ftp$file_size = extract_count(msg, F);
 		}
 
 	# PASV and EPSV processing
@@ -241,10 +241,10 @@ event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool) &prior
 	if ( [c$ftp$cmdarg$cmd, code] in directory_cmds )
 		{
 		if ( c$ftp$cmdarg$cmd == "CWD" )
-			c$ftp$cwd = build_path(c$ftp$cwd, c$ftp$cmdarg$arg);
+			c$ftp$cwd = build_path_compressed(c$ftp$cwd, c$ftp$cmdarg$arg);
 
 		else if ( c$ftp$cmdarg$cmd == "CDUP" )
-			c$ftp$cwd = cat(c$ftp$cwd, "/..");
+			c$ftp$cwd = build_path_compressed(c$ftp$cwd, "/..");
 
 		else if ( c$ftp$cmdarg$cmd == "PWD" || c$ftp$cmdarg$cmd == "XPWD" )
 			c$ftp$cwd = extract_path(msg);
diff --git a/scripts/base/protocols/http/entities.bro b/scripts/base/protocols/http/entities.bro
index b14b4d84b8..d44147d2fc 100644
--- a/scripts/base/protocols/http/entities.bro
+++ b/scripts/base/protocols/http/entities.bro
@@ -17,12 +17,18 @@ export {
 		## An ordered vector of file unique IDs.
 		orig_fuids:      vector of string &log &optional;
 
+		## An order vector of filenames from the client.
+		orig_filenames:  vector of string &log &optional;
+
 		## An ordered vector of mime types.
 		orig_mime_types: vector of string &log &optional;
 
 		## An ordered vector of file unique IDs.
 		resp_fuids:      vector of string &log &optional;
 
+		## An order vector of filenames from the server.
+		resp_filenames:  vector of string &log &optional;
+
 		## An ordered vector of mime types.
 		resp_mime_types: vector of string &log &optional;
 
@@ -82,13 +88,31 @@ event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priori
 				c$http$orig_fuids = string_vec(f$id);
 			else
 				c$http$orig_fuids[|c$http$orig_fuids|] = f$id;
+
+			if ( f$info?$filename )
+				{
+				if ( ! c$http?$orig_filenames )
+					c$http$orig_filenames = string_vec(f$info$filename);
+				else
+					c$http$orig_filenames[|c$http$orig_filenames|] = f$info$filename;
+				}
 			}
+
 		else
 			{
 			if ( ! c$http?$resp_fuids )
 				c$http$resp_fuids = string_vec(f$id);
 			else
 				c$http$resp_fuids[|c$http$resp_fuids|] = f$id;
+
+			if ( f$info?$filename )
+				{
+				if ( ! c$http?$resp_filenames )
+					c$http$resp_filenames = string_vec(f$info$filename);
+				else
+					c$http$resp_filenames[|c$http$resp_filenames|] = f$info$filename;
+				}
+
 			}
 		}
 	}
diff --git a/scripts/base/protocols/http/main.bro b/scripts/base/protocols/http/main.bro
index e70d166f11..51a89a33b9 100644
--- a/scripts/base/protocols/http/main.bro
+++ b/scripts/base/protocols/http/main.bro
@@ -21,6 +21,7 @@ export {
 	## not.
 	const default_capture_password = F &redef;
 
+	## The record type which contains the fields of the HTTP log.
 	type Info: record {
 		## Timestamp for when the request happened.
 		ts:                      time      &log;
@@ -59,9 +60,6 @@ export {
 		info_code:               count     &log &optional;
 		## Last seen 1xx informational reply message returned by the server.
 		info_msg:                string    &log &optional;
-		## Filename given in the Content-Disposition header sent by the
-		## server.
-		filename:                string    &log &optional;
 		## A set of indicators of various attributes discovered and
 		## related to a particular request/response pair.
 		tags:                    set[Tags] &log;
diff --git a/scripts/base/protocols/imap/README b/scripts/base/protocols/imap/README
new file mode 100644
index 0000000000..ba96748489
--- /dev/null
+++ b/scripts/base/protocols/imap/README
@@ -0,0 +1,5 @@
+Support for the Internet Message Access Protocol (IMAP).
+
+Note that currently the IMAP analyzer only supports analyzing IMAP sessions
+until they do or do not switch to TLS using StartTLS. Hence, we do not get
+mails from IMAP sessions, only X509 certificates.
diff --git a/scripts/base/protocols/imap/__load__.bro b/scripts/base/protocols/imap/__load__.bro
new file mode 100644
index 0000000000..aa3a41ef5e
--- /dev/null
+++ b/scripts/base/protocols/imap/__load__.bro
@@ -0,0 +1,2 @@
+@load ./main
+
diff --git a/scripts/base/protocols/imap/main.bro b/scripts/base/protocols/imap/main.bro
new file mode 100644
index 0000000000..9f0305c80c
--- /dev/null
+++ b/scripts/base/protocols/imap/main.bro
@@ -0,0 +1,11 @@
+
+module IMAP;
+
+const ports = { 143/tcp };
+redef likely_server_ports += { ports };
+
+event bro_init() &priority=5
+	{
+	Analyzer::register_for_ports(Analyzer::ANALYZER_IMAP, ports);
+	}
+
diff --git a/scripts/base/protocols/rfb/README b/scripts/base/protocols/rfb/README
new file mode 100644
index 0000000000..afe67958a2
--- /dev/null
+++ b/scripts/base/protocols/rfb/README
@@ -0,0 +1 @@
+Support for Remote FrameBuffer analysis.  This includes all VNC servers.
\ No newline at end of file
diff --git a/scripts/base/protocols/rfb/__load__.bro b/scripts/base/protocols/rfb/__load__.bro
new file mode 100644
index 0000000000..9e43682d13
--- /dev/null
+++ b/scripts/base/protocols/rfb/__load__.bro
@@ -0,0 +1,3 @@
+# Generated by binpac_quickstart
+@load ./main
+@load-sigs ./dpd.sig
\ No newline at end of file
diff --git a/scripts/base/protocols/rfb/dpd.sig b/scripts/base/protocols/rfb/dpd.sig
new file mode 100644
index 0000000000..40793ad590
--- /dev/null
+++ b/scripts/base/protocols/rfb/dpd.sig
@@ -0,0 +1,12 @@
+signature dpd_rfb_server {
+	ip-proto == tcp
+	payload /^RFB/
+	requires-reverse-signature dpd_rfb_client
+	enable "rfb"
+}
+
+signature dpd_rfb_client {
+	ip-proto == tcp
+	payload /^RFB/
+	tcp-state originator
+}
\ No newline at end of file
diff --git a/scripts/base/protocols/rfb/main.bro b/scripts/base/protocols/rfb/main.bro
new file mode 100644
index 0000000000..3bcb86890b
--- /dev/null
+++ b/scripts/base/protocols/rfb/main.bro
@@ -0,0 +1,165 @@
+module RFB;
+
+export {
+	redef enum Log::ID += { LOG };
+
+	## The record type which contains the fields of the RFB log.
+	type Info: record {
+		## Timestamp for when the event happened.
+		ts:     time    &log;
+		## Unique ID for the connection.
+		uid:    string  &log;
+		## The connection's 4-tuple of endpoint addresses/ports.
+		id:     conn_id &log;
+
+		## Major version of the client.
+		client_major_version: string &log &optional;
+		## Minor version of the client.
+		client_minor_version: string &log &optional;
+		## Major version of the server.
+		server_major_version: string &log &optional;
+		## Major version of the client.
+		server_minor_version: string &log &optional;
+
+		## Identifier of authentication method used.
+		authentication_method: string &log &optional;
+		## Whether or not authentication was succesful.
+		auth: bool &log &optional;
+
+		## Whether the client has an exclusive or a shared session.
+		share_flag: bool &log &optional;
+		## Name of the screen that is being shared.
+		desktop_name: string &log &optional;
+		## Width of the screen that is being shared.
+		width: count &log &optional;
+		## Height of the screen that is being shared.
+		height: count &log &optional;
+
+		## Internally used value to determine if this connection
+		## has already been logged.
+		done: bool  &default=F;
+	};
+
+	global log_rfb: event(rec: Info);
+}
+
+function friendly_auth_name(auth: count): string
+	{
+	switch (auth) {
+		case 0:
+			return "Invalid";
+		case 1:
+			return "None";
+		case 2:
+			return "VNC";
+		case 16:
+			return "Tight";
+		case 17:
+			return "Ultra";
+		case 18:
+			return "TLS";
+		case 19:
+			return "VeNCrypt";
+		case 20:
+			return "GTK-VNC SASL";
+		case 21:
+			return "MD5 hash authentication";
+		case 22:
+			return "Colin Dean xvp";
+		case 30:
+			return "Apple Remote Desktop";
+	}
+	return "RealVNC";
+}
+
+redef record connection += {
+	rfb: Info &optional;
+};
+
+event bro_init() &priority=5
+	{
+	Log::create_stream(RFB::LOG, [$columns=Info, $ev=log_rfb, $path="rfb"]);
+	}
+
+function write_log(c:connection)
+	{
+	local state = c$rfb;
+	if ( state$done )
+		{
+		return;
+		}
+
+	Log::write(RFB::LOG, c$rfb);
+	c$rfb$done = T;
+	}
+
+function set_session(c: connection)
+	{
+	if ( ! c?$rfb )
+		{
+		local info: Info;
+		info$ts  = network_time();
+		info$uid = c$uid;
+		info$id  = c$id;
+
+		c$rfb = info;
+		}
+	}
+
+event rfb_event(c: connection) &priority=5
+	{
+	set_session(c);
+	}
+
+event rfb_client_version(c: connection, major_version: string, minor_version: string) &priority=5
+	{
+	set_session(c);
+	c$rfb$client_major_version = major_version;
+	c$rfb$client_minor_version = minor_version;
+	}
+
+event rfb_server_version(c: connection, major_version: string, minor_version: string) &priority=5
+	{
+	set_session(c);
+	c$rfb$server_major_version = major_version;
+	c$rfb$server_minor_version = minor_version;
+	}
+
+event rfb_authentication_type(c: connection, authtype: count) &priority=5
+	{
+	set_session(c);
+
+	c$rfb$authentication_method = friendly_auth_name(authtype);
+	}
+
+event rfb_server_parameters(c: connection, name: string, width: count, height: count) &priority=5
+	{
+	set_session(c);
+
+	c$rfb$desktop_name = name;
+	c$rfb$width = width;
+	c$rfb$height = height;
+	}
+
+event rfb_server_parameters(c: connection, name: string, width: count, height: count) &priority=-5
+	{
+	write_log(c);
+	}
+
+event rfb_auth_result(c: connection, result: bool) &priority=5
+	{
+	c$rfb$auth = !result;
+	}
+
+event rfb_share_flag(c: connection, flag: bool) &priority=5
+	{
+	c$rfb$share_flag = flag;
+	}
+
+event connection_state_remove(c: connection) &priority=-5
+	{
+	if ( c?$rfb )
+		{
+		write_log(c);
+		}
+	}
diff --git a/scripts/base/protocols/sip/main.bro b/scripts/base/protocols/sip/main.bro
index dbe3c54800..f629049928 100644
--- a/scripts/base/protocols/sip/main.bro
+++ b/scripts/base/protocols/sip/main.bro
@@ -10,6 +10,7 @@ module SIP;
 export {
 	redef enum Log::ID += { LOG };
 
+	## The record type which contains the fields of the SIP log.
 	type Info: record {
 		## Timestamp for when the request happened.
 		ts:                      time              &log;
@@ -80,7 +81,7 @@ export {
 	## that the SIP analyzer will only accept methods consisting solely
 	## of letters ``[A-Za-z]``.
 	const sip_methods: set[string] = {
-		"REGISTER", "INVITE", "ACK", "CANCEL", "BYE", "OPTIONS", "NOTIFY"
+		"REGISTER", "INVITE", "ACK", "CANCEL", "BYE", "OPTIONS", "NOTIFY", "SUBSCRIBE"
 	} &redef;
 
 	## Event that can be handled to access the SIP record as it is sent on
@@ -153,7 +154,7 @@ function flush_pending(c: connection)
 			# We don't use pending elements at index 0.
 			if ( r == 0 )
 				next;
-			
+
 			Log::write(SIP::LOG, c$sip_state$pending[r]);
 			}
 		}
diff --git a/scripts/base/protocols/smtp/main.bro b/scripts/base/protocols/smtp/main.bro
index 2042a1ba16..bfd8ad02ac 100644
--- a/scripts/base/protocols/smtp/main.bro
+++ b/scripts/base/protocols/smtp/main.bro
@@ -8,6 +8,7 @@ module SMTP;
 export {
 	redef enum Log::ID += { LOG };
 
+	## The record type which contains the fields of the SMTP log.
 	type Info: record {
 		## Time when the message was first seen.
 		ts:                time            &log;
diff --git a/scripts/base/protocols/socks/main.bro b/scripts/base/protocols/socks/main.bro
index c63092f609..536e240b81 100644
--- a/scripts/base/protocols/socks/main.bro
+++ b/scripts/base/protocols/socks/main.bro
@@ -6,6 +6,7 @@ module SOCKS;
 export {
 	redef enum Log::ID += { LOG };
 
+	## The record type which contains the fields of the SOCKS log.
 	type Info: record {
 		## Time when the proxy connection was first detected.
 		ts:          time            &log;
@@ -86,14 +87,6 @@ event socks_reply(c: connection, version: count, reply: count, sa: SOCKS::Addres
 	c$socks$bound_p = p;
 	}
 
-event socks_reply(c: connection, version: count, reply: count, sa: SOCKS::Address, p: port) &priority=-5
-	{
-	# This will handle the case where the analyzer failed in some way and was removed.  We probably 
-	# don't want to log these connections.
-	if ( "SOCKS" in c$service )
-		Log::write(SOCKS::LOG, c$socks);
-	}
-
 event socks_login_userpass_request(c: connection, user: string, password: string) &priority=5
 	{
 	# Authentication only possible with the version 5.
@@ -111,3 +104,10 @@ event socks_login_userpass_reply(c: connection, code: count) &priority=5
 	c$socks$status = v5_status[code];
 	}
 
+event connection_state_remove(c: connection)
+	{
+	# This will handle the case where the analyzer failed in some way and was
+	# removed.  We probably  don't want to log these connections.
+	if ( "SOCKS" in c$service )
+		Log::write(SOCKS::LOG, c$socks);
+	}
diff --git a/scripts/base/protocols/ssh/main.bro b/scripts/base/protocols/ssh/main.bro
index d9e1e2b3cf..d547e92e8f 100644
--- a/scripts/base/protocols/ssh/main.bro
+++ b/scripts/base/protocols/ssh/main.bro
@@ -8,6 +8,7 @@ export {
 	## The SSH protocol logging stream identifier.
 	redef enum Log::ID += { LOG };
 
+	## The record type which contains the fields of the SSH log.
 	type Info: record {
 		## Time when the SSH connection began.
 		ts:              time         &log;
@@ -46,11 +47,10 @@ export {
 	## authentication success or failure when compression is enabled.
 	const compression_algorithms = set("zlib", "zlib@openssh.com") &redef;
 
-	## If true, we tell the event engine to not look at further data
-	## packets after the initial SSH handshake. Helps with performance
-	## (especially with large file transfers) but precludes some
-	## kinds of analyses. Defaults to T.
-	const skip_processing_after_detection = T &redef;
+	## If true, after detection detach the SSH analyzer from the connection
+	## to prevent continuing to process encrypted traffic. Helps with performance
+	## (especially with large file transfers).
+	const disable_analyzer_after_detection = T &redef;
 
 	## Event that can be handled to access the SSH record as it is sent on
 	## to the logging framework.
@@ -70,6 +70,8 @@ redef record Info += {
 	# Store capabilities from the first host for
 	# comparison with the second (internal use)
 	capabilities: Capabilities &optional;
+	## Analzyer ID
+	analyzer_id: count         &optional;
 };
 
 redef record connection += {
@@ -130,11 +132,8 @@ event ssh_auth_successful(c: connection, auth_method_none: bool) &priority=5
 
 	c$ssh$auth_success = T;
 
-	if ( skip_processing_after_detection)
-		{
-		skip_further_processing(c$id);
-		set_record_packets(c$id, F);
-		}
+	if ( disable_analyzer_after_detection )
+		disable_analyzer(c$id, c$ssh$analyzer_id);
 	}
 
 event ssh_auth_successful(c: connection, auth_method_none: bool) &priority=-5
@@ -179,7 +178,7 @@ function find_bidirectional_alg(client_prefs: Algorithm_Prefs, server_prefs: Alg
 	# Usually these are the same, but if they're not, return the details
 	return c_to_s == s_to_c ? c_to_s : fmt("To server: %s, to client: %s", c_to_s, s_to_c);
 	}
-	
+
 event ssh_capabilities(c: connection, cookie: string, capabilities: Capabilities)
 	{
 	if ( !c?$ssh || ( c$ssh?$capabilities && c$ssh$capabilities$is_server == capabilities$is_server ) )
@@ -233,3 +232,12 @@ event ssh2_server_host_key(c: connection, key: string) &priority=5
 	{
 	generate_fingerprint(c, key);
 	}
+
+event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count) &priority=20
+	{
+		if ( atype == Analyzer::ANALYZER_SSH )
+		{
+		set_session(c);
+		c$ssh$analyzer_id = aid;
+		}
+	}
diff --git a/scripts/base/protocols/ssl/consts.bro b/scripts/base/protocols/ssl/consts.bro
index 7a95d63cc6..35cfc7681d 100644
--- a/scripts/base/protocols/ssl/consts.bro
+++ b/scripts/base/protocols/ssl/consts.bro
@@ -109,7 +109,7 @@ export {
 		[7] = "client_authz",
 		[8] = "server_authz",
 		[9] = "cert_type",
-		[10] = "elliptic_curves",
+		[10] = "elliptic_curves", # new name: supported_groups - draft-ietf-tls-negotiated-ff-dhe
 		[11] = "ec_point_formats",
 		[12] = "srp",
 		[13] = "signature_algorithms",
@@ -120,9 +120,10 @@ export {
 		[18] = "signed_certificate_timestamp",
 		[19] = "client_certificate_type",
 		[20] = "server_certificate_type",
-		[21] = "padding", # temporary till 2016-03-12
+		[21] = "padding",
 		[22] = "encrypt_then_mac",
 		[23] = "extended_master_secret",
+		[24] = "token_binding", # temporary till 2017-02-04 - draft-ietf-tokbind-negotiation
 		[35] = "SessionTicket TLS",
 		[40] = "extended_random",
 		[13172] = "next_protocol_negotiation",
@@ -165,7 +166,10 @@ export {
 		[26] = "brainpoolP256r1",
 		[27] = "brainpoolP384r1",
 		[28] = "brainpoolP512r1",
-		# draft-ietf-tls-negotiated-ff-dhe-05
+		# Temporary till 2017-03-01 - draft-ietf-tls-rfc4492bis
+		[29] = "ecdh_x25519",
+		[30] = "ecdh_x448",
+		# draft-ietf-tls-negotiated-ff-dhe-10
 		[256] = "ffdhe2048",
 		[257] = "ffdhe3072",
 		[258] = "ffdhe4096",
diff --git a/scripts/base/protocols/ssl/main.bro b/scripts/base/protocols/ssl/main.bro
index 8483f473f4..4c61df916a 100644
--- a/scripts/base/protocols/ssl/main.bro
+++ b/scripts/base/protocols/ssl/main.bro
@@ -8,6 +8,7 @@ module SSL;
 export {
 	redef enum Log::ID += { LOG };
 
+	## The record type which contains the fields of the SSL log.
 	type Info: record {
 		## Time when the SSL connection was first detected.
 		ts:               time             &log;
diff --git a/scripts/base/protocols/syslog/main.bro b/scripts/base/protocols/syslog/main.bro
index 593c8ab9a2..6e74760225 100644
--- a/scripts/base/protocols/syslog/main.bro
+++ b/scripts/base/protocols/syslog/main.bro
@@ -7,7 +7,8 @@ module Syslog;
 
 export {
 	redef enum Log::ID += { LOG };
-	
+
+	## The record type which contains the fields of the syslog log.
 	type Info: record {
 		## Timestamp when the syslog message was seen.
 		ts:        time            &log;
diff --git a/scripts/base/protocols/xmpp/README b/scripts/base/protocols/xmpp/README
new file mode 100644
index 0000000000..3d2194ef3d
--- /dev/null
+++ b/scripts/base/protocols/xmpp/README
@@ -0,0 +1,5 @@
+Support for the Extensible Messaging and Presence Protocol (XMPP).
+
+Note that currently the XMPP analyzer only supports analyzing XMPP sessions
+until they do or do not switch to TLS using StartTLS. Hence, we do not get
+actual chat information from XMPP sessions, only X509 certificates.
diff --git a/scripts/base/protocols/xmpp/__load__.bro b/scripts/base/protocols/xmpp/__load__.bro
new file mode 100644
index 0000000000..0f41578f8a
--- /dev/null
+++ b/scripts/base/protocols/xmpp/__load__.bro
@@ -0,0 +1,3 @@
+@load ./main
+
+@load-sigs ./dpd.sig
diff --git a/scripts/base/protocols/xmpp/dpd.sig b/scripts/base/protocols/xmpp/dpd.sig
new file mode 100644
index 0000000000..50ae57a669
--- /dev/null
+++ b/scripts/base/protocols/xmpp/dpd.sig
@@ -0,0 +1,5 @@
+signature dpd_xmpp {
+	ip-proto == tcp
+	payload /^(<\?xml[^?>]*\?>)?[\n\r ]*<stream:stream [^>]*xmlns='jabber:/
+	enable "xmpp"
+}
diff --git a/scripts/base/protocols/xmpp/main.bro b/scripts/base/protocols/xmpp/main.bro
new file mode 100644
index 0000000000..3d7a4cbc37
--- /dev/null
+++ b/scripts/base/protocols/xmpp/main.bro
@@ -0,0 +1,11 @@
+
+module XMPP;
+
+const ports = { 5222/tcp, 5269/tcp };
+redef likely_server_ports += { ports };
+
+event bro_init() &priority=5
+	{
+	Analyzer::register_for_ports(Analyzer::ANALYZER_XMPP, ports);
+	}
+
diff --git a/scripts/base/utils/geoip-distance.bro b/scripts/base/utils/geoip-distance.bro
new file mode 100644
index 0000000000..3bcf93f828
--- /dev/null
+++ b/scripts/base/utils/geoip-distance.bro
@@ -0,0 +1,26 @@
+##! Functions to calculate distance between two locations, based on GeoIP data.
+
+## Returns the distance between two IP addresses using the haversine formula,
+## based on GeoIP database locations.  Requires Bro to be built with libgeoip.
+##
+## a1: First IP address.
+##
+## a2: Second IP address.
+##
+## Returns: The distance between *a1* and *a2* in miles, or -1.0 if GeoIP data
+##          is not available for either of the IP addresses.
+##
+## .. bro:see:: haversine_distance lookup_location
+function haversine_distance_ip(a1: addr, a2: addr): double
+	{
+	local loc1 = lookup_location(a1);
+	local loc2 = lookup_location(a2);
+	local miles: double;
+
+	if ( loc1?$latitude && loc1?$longitude && loc2?$latitude && loc2?$longitude )
+		miles = haversine_distance(loc1$latitude, loc1$longitude, loc2$latitude, loc2$longitude);
+	else
+		miles = -1.0;
+
+	return miles;
+	}
diff --git a/scripts/base/utils/json.bro b/scripts/base/utils/json.bro
new file mode 100644
index 0000000000..b6d0093b58
--- /dev/null
+++ b/scripts/base/utils/json.bro
@@ -0,0 +1,105 @@
+##! Functions to assist with generating JSON data from Bro data scructures.
+# We might want to implement this in core somtime, this looks... hacky at best.
+
+@load base/utils/strings
+
+## A function to convert arbitrary Bro data into a JSON string.
+##
+## v: The value to convert to JSON.  Typically a record.
+##
+## only_loggable: If the v value is a record this will only cause
+##                fields with the &log attribute to be included in the JSON.
+##
+## returns: a JSON formatted string.
+function to_json(v: any, only_loggable: bool &default=F, field_escape_pattern: pattern &default=/^_/): string
+	{
+	local tn = type_name(v);
+	switch ( tn )
+		{
+		case "type":
+		return "";
+
+		case "string":
+		return cat("\"", gsub(gsub(clean(v), /\\/, "\\\\"), /\"/, "\\\""), "\"");
+
+		case "port":
+		return cat(port_to_count(to_port(cat(v))));
+
+		case "addr":
+		fallthrough;
+		case "subnet":
+		return cat("\"", v, "\"");
+
+		case "int":
+		fallthrough;
+		case "count":
+		fallthrough;
+		case "time":
+		fallthrough;
+		case "double":
+		fallthrough;
+		case "bool":
+		fallthrough;
+		case "enum":
+		return cat(v);
+
+		default:
+		break;
+		}
+
+	if ( /^record/ in tn )
+		{
+		local rec_parts: string_vec = vector();
+
+		local ft = record_fields(v);
+		for ( field in ft )
+			{
+			local field_desc = ft[field];
+			# replace the escape pattern in the field.
+			if( field_escape_pattern in field )
+				field = cat(sub(field, field_escape_pattern, ""));
+			if ( field_desc?$value && (!only_loggable || field_desc$log) )
+				{
+				local onepart = cat("\"", field, "\": ", to_json(field_desc$value, only_loggable));
+				rec_parts[|rec_parts|] = onepart;
+				}
+			}
+			return cat("{", join_string_vec(rec_parts, ", "), "}");
+		}
+
+	# None of the following are supported.
+	else if ( /^set/ in tn )
+		{
+		local set_parts: string_vec = vector();
+		local sa: set[bool] = v;
+		for ( sv in sa )
+			{
+			set_parts[|set_parts|] = to_json(sv, only_loggable);
+			}
+		return cat("[", join_string_vec(set_parts, ", "), "]");
+		}
+	else if ( /^table/ in tn )
+		{
+		local tab_parts: vector of string = vector();
+		local ta: table[bool] of any = v;
+		for ( ti in ta )
+			{
+			local ts = to_json(ti);
+			local if_quotes = (ts[0] == "\"") ? "" : "\"";
+			tab_parts[|tab_parts|] = cat(if_quotes, ts, if_quotes, ": ", to_json(ta[ti], only_loggable));
+			}
+		return cat("{", join_string_vec(tab_parts, ", "), "}");
+		}
+	else if ( /^vector/ in tn )
+		{
+		local vec_parts: string_vec = vector();
+		local va: vector of any = v;
+		for ( vi in va )
+			{
+			vec_parts[|vec_parts|] = to_json(va[vi], only_loggable);
+			}
+		return cat("[", join_string_vec(vec_parts, ", "), "]");
+		}
+
+	return "\"\"";
+	}
diff --git a/scripts/base/utils/numbers.bro b/scripts/base/utils/numbers.bro
index da8c15d7a0..d2adb49ea2 100644
--- a/scripts/base/utils/numbers.bro
+++ b/scripts/base/utils/numbers.bro
@@ -1,10 +1,26 @@
-## Extract the first integer found in the given string.
-## If no integer can be found, 0 is returned.
-function extract_count(s: string): count
+
+## Extract an integer from a string.
+## 
+## s: The string to search for a number.
+## 
+## get_first: Provide `F` if you would like the last number found.
+##
+## Returns: The request integer from the given string or 0 if
+##          no integer was found.
+function extract_count(s: string, get_first: bool &default=T): count
 	{
-	local parts = split_string_n(s, /[0-9]+/, T, 1);
-	if ( 1 in parts )
-		return to_count(parts[1]);
+	local extract_num_pattern = /[0-9]+/;
+	if ( get_first )
+		{
+		local first_parts = split_string_n(s, extract_num_pattern, T, 1);
+		if ( 1 in first_parts )
+			return to_count(first_parts[1]);
+		}
 	else
-		return 0;
+		{
+		local last_parts = split_string_all(s, extract_num_pattern);
+		if ( |last_parts| > 1 )
+			return to_count(last_parts[|last_parts|-2]);
+		}
+	return 0;
 	}
diff --git a/scripts/policy/frameworks/control/controllee.bro b/scripts/policy/frameworks/control/controllee.bro
index b4769764f4..9646d100ab 100644
--- a/scripts/policy/frameworks/control/controllee.bro
+++ b/scripts/policy/frameworks/control/controllee.bro
@@ -28,13 +28,9 @@ event Control::peer_status_request()
 		local peer = Communication::nodes[p];
 		if ( ! peer$connected )
 			next;
-			
-		local res = resource_usage();
-		status += fmt("%.6f peer=%s host=%s events_in=%s events_out=%s ops_in=%s ops_out=%s bytes_in=? bytes_out=?\n",
-					network_time(),
-					peer$peer$descr, peer$host,
-					res$num_events_queued, res$num_events_dispatched,
-					res$blocking_input, res$blocking_output);
+
+		status += fmt("%.6f peer=%s host=%s\n",
+			      network_time(), peer$peer$descr, peer$host);
 		}
 
 	event Control::peer_status_response(status);
@@ -42,24 +38,24 @@ event Control::peer_status_request()
 
 event Control::net_stats_request()
 	{
-	local ns = net_stats();
-	local reply = fmt("%.6f recvd=%d dropped=%d link=%d\n", network_time(), 
+	local ns = get_net_stats();
+	local reply = fmt("%.6f recvd=%d dropped=%d link=%d\n", network_time(),
 	                  ns$pkts_recvd, ns$pkts_dropped, ns$pkts_link);
 	event Control::net_stats_response(reply);
 	}
-	
+
 event Control::configuration_update_request()
 	{
-	# Generate the alias event. 
+	# Generate the alias event.
 	event Control::configuration_update();
-	
+
 	# Don't need to do anything in particular here, it's just indicating that
 	# the configuration is going to be updated.  This event could be handled
-	# by other scripts if they need to do some ancilliary processing if 
+	# by other scripts if they need to do some ancilliary processing if
 	# redef-able consts are modified at runtime.
 	event Control::configuration_update_response();
 	}
-	
+
 event Control::shutdown_request()
 	{
 	# Send the acknowledgement event.
diff --git a/scripts/policy/frameworks/files/entropy-test-all-files.bro b/scripts/policy/frameworks/files/entropy-test-all-files.bro
new file mode 100644
index 0000000000..9c704211f8
--- /dev/null
+++ b/scripts/policy/frameworks/files/entropy-test-all-files.bro
@@ -0,0 +1,20 @@
+
+module Files;
+
+export {
+	redef record Files::Info += {
+		## The information density of the contents of the file, 
+		## expressed as a number of bits per character. 
+		entropy: double &log &optional;
+	};
+}
+
+event file_new(f: fa_file)
+	{
+	Files::add_analyzer(f, Files::ANALYZER_ENTROPY);
+	}
+
+event file_entropy(f: fa_file, ent: entropy_test_result)
+	{
+	f$info$entropy = ent$entropy;
+	}
diff --git a/scripts/policy/frameworks/intel/seen/ssl.bro b/scripts/policy/frameworks/intel/seen/ssl.bro
index 7bfbef4e9b..89aebc1891 100644
--- a/scripts/policy/frameworks/intel/seen/ssl.bro
+++ b/scripts/policy/frameworks/intel/seen/ssl.bro
@@ -20,6 +20,7 @@ event ssl_established(c: connection)
 	if ( c$ssl$cert_chain[0]$x509?$certificate && c$ssl$cert_chain[0]$x509$certificate?$cn )
 		Intel::seen([$indicator=c$ssl$cert_chain[0]$x509$certificate$cn,
 			$indicator_type=Intel::DOMAIN,
+			$fuid=c$ssl$cert_chain_fuids[0],
 			$conn=c,
 			$where=X509::IN_CERT]);
 	}
diff --git a/scripts/policy/frameworks/intel/seen/x509.bro b/scripts/policy/frameworks/intel/seen/x509.bro
index 3a2859b6d5..9dcbc3edb9 100644
--- a/scripts/policy/frameworks/intel/seen/x509.bro
+++ b/scripts/policy/frameworks/intel/seen/x509.bro
@@ -26,3 +26,14 @@ event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509::Certifi
 			     $where=X509::IN_CERT]);
 		}
 	}
+
+event file_hash(f: fa_file, kind: string, hash: string)
+	{
+	if ( ! f?$info || ! f$info?$x509 || kind != "sha1" )
+		return;
+
+	Intel::seen([$indicator=hash,
+	             $indicator_type=Intel::CERT_HASH,
+	             $f=f,
+	             $where=X509::IN_CERT]);
+	}
diff --git a/scripts/policy/misc/capture-loss.bro b/scripts/policy/misc/capture-loss.bro
index 28f468a1c8..648e3d6717 100644
--- a/scripts/policy/misc/capture-loss.bro
+++ b/scripts/policy/misc/capture-loss.bro
@@ -56,7 +56,7 @@ event CaptureLoss::take_measurement(last_ts: time, last_acks: count, last_gaps:
 		}
 	
 	local now = network_time();
-	local g = get_gap_summary();
+	local g = get_gap_stats();
 	local acks = g$ack_events - last_acks;
 	local gaps = g$gap_events - last_gaps;
 	local pct_lost = (acks == 0) ? 0.0 : (100 * (1.0 * gaps) / (1.0 * acks));
diff --git a/scripts/policy/misc/stats.bro b/scripts/policy/misc/stats.bro
index 215a3bb9de..4dee0d4128 100644
--- a/scripts/policy/misc/stats.bro
+++ b/scripts/policy/misc/stats.bro
@@ -1,6 +1,4 @@
-##! Log memory/packet/lag statistics.  Differs from
-##! :doc:`/scripts/policy/misc/profiling.bro` in that this
-##! is lighter-weight (much less info, and less load to generate).
+##! Log memory/packet/lag statistics.
 
 @load base/frameworks/notice
 
@@ -10,7 +8,7 @@ export {
 	redef enum Log::ID += { LOG };
 
 	## How often stats are reported.
-	const stats_report_interval = 1min &redef;
+	const report_interval = 5min &redef;
 
 	type Info: record {
 		## Timestamp for the measurement.
@@ -21,27 +19,63 @@ export {
 		mem:           count     &log;
 		## Number of packets processed since the last stats interval.
 		pkts_proc:     count     &log;
-		## Number of events processed since the last stats interval.
-		events_proc:   count     &log;
-		## Number of events that have been queued since the last stats
-		## interval.
-		events_queued: count     &log;
-
-		## Lag between the wall clock and packet timestamps if reading
-		## live traffic.
-		lag:           interval  &log &optional;
-		## Number of packets received since the last stats interval if
+		## Number of bytes received since the last stats interval if
 		## reading live traffic.
-		pkts_recv:     count     &log &optional;
+		bytes_recv:    count     &log;
+
 		## Number of packets dropped since the last stats interval if
 		## reading live traffic.
 		pkts_dropped:  count     &log &optional;
 		## Number of packets seen on the link since the last stats
 		## interval if reading live traffic.
 		pkts_link:     count     &log &optional;
-		## Number of bytes received since the last stats interval if
-		## reading live traffic.
-		bytes_recv:   count     &log &optional;
+		## Lag between the wall clock and packet timestamps if reading
+		## live traffic.
+		pkt_lag:       interval  &log &optional;
+
+		## Number of events processed since the last stats interval.
+		events_proc:   count     &log;
+		## Number of events that have been queued since the last stats
+		## interval.
+		events_queued: count     &log;
+
+		## TCP connections currently in memory.
+		active_tcp_conns: count  &log;
+		## UDP connections currently in memory.
+		active_udp_conns: count &log;
+		## ICMP connections currently in memory.
+		active_icmp_conns: count &log;
+
+		## TCP connections seen since last stats interval.
+		tcp_conns:        count  &log;
+		## UDP connections seen since last stats interval.
+		udp_conns:        count &log;
+		## ICMP connections seen since last stats interval.
+		icmp_conns:        count &log;
+
+		## Number of timers scheduled since last stats interval.
+		timers: count &log;
+		## Current number of scheduled timers.
+		active_timers: count &log;
+
+		## Number of files seen since last stats interval.
+		files: count &log;
+		## Current number of files actively being seen.
+		active_files: count &log;
+
+		## Number of DNS requests seen since last stats interval.
+		dns_requests: count &log;
+		## Current number of DNS requests awaiting a reply.
+		active_dns_requests: count &log;
+
+		## Current size of TCP data in reassembly.
+		reassem_tcp_size: count &log;
+		## Current size of File data in reassembly.
+		reassem_file_size: count &log;
+		## Current size of packet fragment data in reassembly.
+		reassem_frag_size: count &log;
+		## Current size of unkown data in reassembly (this is only PIA buffer right now).
+		reassem_unknown_size: count &log;
 	};
 
 	## Event to catch stats as they are written to the logging stream.
@@ -53,38 +87,69 @@ event bro_init() &priority=5
 	Log::create_stream(Stats::LOG, [$columns=Info, $ev=log_stats, $path="stats"]);
 	}
 
-event check_stats(last_ts: time, last_ns: NetStats, last_res: bro_resources)
+event check_stats(then: time, last_ns: NetStats, last_cs: ConnStats, last_ps: ProcStats, last_es: EventStats, last_rs: ReassemblerStats, last_ts: TimerStats, last_fs: FileAnalysisStats, last_ds: DNSStats)
 	{
-	local now = current_time();
-	local ns = net_stats();
-	local res = resource_usage();
+	local nettime = network_time();
+	local ns = get_net_stats();
+	local cs = get_conn_stats();
+	local ps = get_proc_stats();
+	local es = get_event_stats();
+	local rs = get_reassembler_stats();
+	local ts = get_timer_stats();
+	local fs = get_file_analysis_stats();
+	local ds = get_dns_stats();
 
 	if ( bro_is_terminating() )
 		# No more stats will be written or scheduled when Bro is
 		# shutting down.
 		return;
 
-	local info: Info = [$ts=now, $peer=peer_description, $mem=res$mem/1000000,
-	                    $pkts_proc=res$num_packets - last_res$num_packets,
-	                    $events_proc=res$num_events_dispatched - last_res$num_events_dispatched,
-	                    $events_queued=res$num_events_queued - last_res$num_events_queued];
+	local info: Info = [$ts=nettime,
+			    $peer=peer_description,
+			    $mem=ps$mem/1048576,
+			    $pkts_proc=ns$pkts_recvd - last_ns$pkts_recvd,
+			    $bytes_recv = ns$bytes_recvd  - last_ns$bytes_recvd,
+
+			    $active_tcp_conns=cs$num_tcp_conns,
+			    $tcp_conns=cs$cumulative_tcp_conns - last_cs$cumulative_tcp_conns,
+			    $active_udp_conns=cs$num_udp_conns,
+			    $udp_conns=cs$cumulative_udp_conns - last_cs$cumulative_udp_conns,
+			    $active_icmp_conns=cs$num_icmp_conns,
+			    $icmp_conns=cs$cumulative_icmp_conns - last_cs$cumulative_icmp_conns,
+
+			    $reassem_tcp_size=rs$tcp_size,
+			    $reassem_file_size=rs$file_size,
+			    $reassem_frag_size=rs$frag_size,
+			    $reassem_unknown_size=rs$unknown_size,
+
+			    $events_proc=es$dispatched - last_es$dispatched,
+			    $events_queued=es$queued - last_es$queued,
+
+			    $timers=ts$cumulative - last_ts$cumulative,
+			    $active_timers=ts$current,
+
+			    $files=fs$cumulative - last_fs$cumulative,
+			    $active_files=fs$current,
+
+			    $dns_requests=ds$requests - last_ds$requests,
+			    $active_dns_requests=ds$pending
+			    ];
+
+	# Someone's going to have to explain what this is and add a field to the Info record.
+	# info$util = 100.0*((ps$user_time + ps$system_time) - (last_ps$user_time + last_ps$system_time))/(now-then);
 
 	if ( reading_live_traffic() )
 		{
-		info$lag = now - network_time();
-		# Someone's going to have to explain what this is and add a field to the Info record.
-		# info$util = 100.0*((res$user_time + res$system_time) - (last_res$user_time + last_res$system_time))/(now-last_ts);
-		info$pkts_recv = ns$pkts_recvd - last_ns$pkts_recvd;
+		info$pkt_lag = current_time() - nettime;
 		info$pkts_dropped = ns$pkts_dropped  - last_ns$pkts_dropped;
 		info$pkts_link = ns$pkts_link  - last_ns$pkts_link;
-		info$bytes_recv = ns$bytes_recvd  - last_ns$bytes_recvd;
 		}
 
 	Log::write(Stats::LOG, info);
-	schedule stats_report_interval { check_stats(now, ns, res) };
+	schedule report_interval { check_stats(nettime, ns, cs, ps, es, rs, ts, fs, ds) };
 	}
 
 event bro_init()
 	{
-	schedule stats_report_interval { check_stats(current_time(), net_stats(), resource_usage()) };
+	schedule report_interval { check_stats(network_time(), get_net_stats(), get_conn_stats(), get_proc_stats(), get_event_stats(), get_reassembler_stats(), get_timer_stats(), get_file_analysis_stats(), get_dns_stats()) };
 	}
diff --git a/scripts/policy/protocols/conn/mac-logging.bro b/scripts/policy/protocols/conn/mac-logging.bro
new file mode 100644
index 0000000000..54ef94605d
--- /dev/null
+++ b/scripts/policy/protocols/conn/mac-logging.bro
@@ -0,0 +1,24 @@
+##! This script adds link-layer address (MAC) information to the connection logs
+
+@load base/protocols/conn
+
+module Conn;
+
+redef record Info += {
+	## Link-layer address of the originator, if available.
+	orig_l2_addr: string	&log &optional;
+	## Link-layer address of the responder, if available.
+	resp_l2_addr: string	&log &optional;
+};
+
+# Add the link-layer addresses to the Conn::Info structure after the connection
+# has been removed. This ensures it's only done once, and is done before the
+# connection information is written to the log.
+event connection_state_remove(c: connection)
+	{
+	if ( c$orig?$l2_addr )
+		c$conn$orig_l2_addr = c$orig$l2_addr;
+
+	if ( c$resp?$l2_addr )
+		c$conn$resp_l2_addr = c$resp$l2_addr;
+	}
diff --git a/scripts/site/local.bro b/scripts/site/local.bro
index 8c6e495a07..704ca596dc 100644
--- a/scripts/site/local.bro
+++ b/scripts/site/local.bro
@@ -88,3 +88,7 @@
 # Uncomment the following line to enable logging of connection VLANs. Enabling
 # this adds two VLAN fields to the conn.log file.
 # @load policy/protocols/conn/vlan-logging
+
+# Uncomment the following line to enable logging of link-layer addresses. Enabling
+# this adds the link-layer address for each connection endpoint to the conn.log file.
+# @load policy/protocols/conn/mac-logging
diff --git a/scripts/test-all-policy.bro b/scripts/test-all-policy.bro
index f0ca204005..2299fd3043 100644
--- a/scripts/test-all-policy.bro
+++ b/scripts/test-all-policy.bro
@@ -29,6 +29,7 @@
 @load frameworks/intel/seen/where-locations.bro
 @load frameworks/intel/seen/x509.bro
 @load frameworks/files/detect-MHR.bro
+@load frameworks/files/entropy-test-all-files.bro
 #@load frameworks/files/extract-all-files.bro
 @load frameworks/files/hash-all-files.bro
 @load frameworks/packet-filter/shunt.bro
@@ -62,6 +63,7 @@
 @load misc/trim-trace-file.bro
 @load protocols/conn/known-hosts.bro
 @load protocols/conn/known-services.bro
+@load protocols/conn/mac-logging.bro
 @load protocols/conn/vlan-logging.bro
 @load protocols/conn/weirds.bro
 @load protocols/dhcp/known-devices-and-hostnames.bro
diff --git a/src/3rdparty b/src/3rdparty
index 6a429e79bb..f1eaca0e08 160000
--- a/src/3rdparty
+++ b/src/3rdparty
@@ -1 +1 @@
-Subproject commit 6a429e79bbaf0fcc11eff5f639bfb9d1f62be6f2
+Subproject commit f1eaca0e085a8b37ec6a32c7e1b0e9571414a2e3
diff --git a/src/Attr.cc b/src/Attr.cc
index 4bfbcf2ad7..14b00bd0d7 100644
--- a/src/Attr.cc
+++ b/src/Attr.cc
@@ -375,12 +375,33 @@ void Attributes::CheckAttr(Attr* a)
 	case ATTR_EXPIRE_READ:
 	case ATTR_EXPIRE_WRITE:
 	case ATTR_EXPIRE_CREATE:
+		{
 		if ( type->Tag() != TYPE_TABLE )
 			{
 			Error("expiration only applicable to tables");
 			break;
 			}
 
+		int num_expires = 0;
+		if ( attrs )
+			{
+			loop_over_list(*attrs, i)
+				{
+				Attr* a = (*attrs)[i];
+				if ( a->Tag() == ATTR_EXPIRE_READ ||
+				     a->Tag() == ATTR_EXPIRE_WRITE ||
+				     a->Tag() == ATTR_EXPIRE_CREATE )
+					num_expires++;
+				}
+			}
+
+		if ( num_expires > 1 )
+			{
+			Error("set/table can only have one of &read_expire, &write_expire, &create_expire");
+			break;
+			}
+		}
+
 #if 0
 		//### not easy to test this w/o knowing the ID.
 		if ( ! IsGlobal() )
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
index 9a807b3182..7b521125e4 100644
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@@ -118,6 +118,7 @@ include(BifCl)
 
 set(BIF_SRCS
     bro.bif
+    stats.bif
     event.bif
     const.bif
     types.bif
diff --git a/src/Conn.cc b/src/Conn.cc
index 3f6757d89c..7ca7c1b901 100644
--- a/src/Conn.cc
+++ b/src/Conn.cc
@@ -108,14 +108,14 @@ bool ConnectionTimer::DoUnserialize(UnserialInfo* info)
 	return true;
 	}
 
-unsigned int Connection::total_connections = 0;
-unsigned int Connection::current_connections = 0;
-unsigned int Connection::external_connections = 0;
+uint64 Connection::total_connections = 0;
+uint64 Connection::current_connections = 0;
+uint64 Connection::external_connections = 0;
 
 IMPLEMENT_SERIAL(Connection, SER_CONNECTION);
 
 Connection::Connection(NetSessions* s, HashKey* k, double t, const ConnID* id,
-                       uint32 flow, uint32 arg_vlan, uint32 arg_inner_vlan,
+                       uint32 flow, const Packet* pkt,
 		       const EncapsulationStack* arg_encap)
 	{
 	sessions = s;
@@ -132,8 +132,18 @@ Connection::Connection(NetSessions* s, HashKey* k, double t, const ConnID* id,
 	saw_first_orig_packet = 1;
 	saw_first_resp_packet = 0;
 
-	vlan = arg_vlan;
-	inner_vlan = arg_inner_vlan;
+	if ( pkt->l2_src )
+		memcpy(orig_l2_addr, pkt->l2_src, sizeof(orig_l2_addr));
+	else
+		bzero(orig_l2_addr, sizeof(orig_l2_addr));
+
+	if ( pkt->l2_dst )
+		memcpy(resp_l2_addr, pkt->l2_dst, sizeof(resp_l2_addr));
+	else
+		bzero(resp_l2_addr, sizeof(resp_l2_addr));
+
+	vlan = pkt->vlan;
+	inner_vlan = pkt->inner_vlan;
 
 	conn_val = 0;
 	login_conn = 0;
@@ -363,11 +373,20 @@ RecordVal* Connection::BuildConnVal()
 		orig_endp->Assign(1, new Val(0, TYPE_COUNT));
 		orig_endp->Assign(4, new Val(orig_flow_label, TYPE_COUNT));
 
+		const int l2_len = sizeof(orig_l2_addr);
+		char null[l2_len]{};
+
+		if ( memcmp(&orig_l2_addr, &null, l2_len) != 0 )
+			orig_endp->Assign(5, new StringVal(fmt_mac(orig_l2_addr, l2_len)));
+
 		RecordVal *resp_endp = new RecordVal(endpoint);
 		resp_endp->Assign(0, new Val(0, TYPE_COUNT));
 		resp_endp->Assign(1, new Val(0, TYPE_COUNT));
 		resp_endp->Assign(4, new Val(resp_flow_label, TYPE_COUNT));
 
+		if ( memcmp(&resp_l2_addr, &null, l2_len) != 0 )
+			resp_endp->Assign(5, new StringVal(fmt_mac(resp_l2_addr, l2_len)));
+
 		conn_val->Assign(0, id_val);
 		conn_val->Assign(1, orig_endp);
 		conn_val->Assign(2, resp_endp);
@@ -388,6 +407,7 @@ RecordVal* Connection::BuildConnVal()
 
 		if ( inner_vlan != 0 )
 			conn_val->Assign(10, new Val(inner_vlan, TYPE_INT));
+
 		}
 
 	if ( root_analyzer )
@@ -732,6 +752,12 @@ void Connection::FlipRoles()
 	resp_port = orig_port;
 	orig_port = tmp_port;
 
+	const int l2_len = sizeof(orig_l2_addr);
+	u_char tmp_l2_addr[l2_len];
+	memcpy(tmp_l2_addr, resp_l2_addr, l2_len);
+	memcpy(resp_l2_addr, orig_l2_addr, l2_len);
+	memcpy(orig_l2_addr, tmp_l2_addr, l2_len);
+
 	bool tmp_bool = saw_first_resp_packet;
 	saw_first_resp_packet = saw_first_orig_packet;
 	saw_first_orig_packet = tmp_bool;
diff --git a/src/Conn.h b/src/Conn.h
index 11dbb11abe..b58ed0c2b8 100644
--- a/src/Conn.h
+++ b/src/Conn.h
@@ -56,7 +56,7 @@ namespace analyzer { class Analyzer; }
 class Connection : public BroObj {
 public:
 	Connection(NetSessions* s, HashKey* k, double t, const ConnID* id,
-	           uint32 flow, uint32 vlan, uint32 inner_vlan, const EncapsulationStack* arg_encap);
+	           uint32 flow, const Packet* pkt, const EncapsulationStack* arg_encap);
 	virtual ~Connection();
 
 	// Invoked when an encapsulation is discovered. It records the
@@ -220,11 +220,11 @@ public:
 	unsigned int MemoryAllocation() const;
 	unsigned int MemoryAllocationConnVal() const;
 
-	static unsigned int TotalConnections()
+	static uint64 TotalConnections()
 		{ return total_connections; }
-	static unsigned int CurrentConnections()
+	static uint64 CurrentConnections()
 		{ return current_connections; }
-	static unsigned int CurrentExternalConnections()
+	static uint64 CurrentExternalConnections()
 		{ return external_connections; }
 
 	// Returns true if the history was already seen, false otherwise.
@@ -296,6 +296,8 @@ protected:
 	TransportProto proto;
 	uint32 orig_flow_label, resp_flow_label;	// most recent IPv6 flow labels
 	uint32 vlan, inner_vlan;	// VLAN this connection traverses, if available
+	u_char orig_l2_addr[Packet::l2_addr_len];	// Link-layer originator address, if available
+	u_char resp_l2_addr[Packet::l2_addr_len];	// Link-layer responder address, if available
 	double start_time, last_time;
 	double inactivity_timeout;
 	RecordVal* conn_val;
@@ -315,9 +317,9 @@ protected:
 	unsigned int saw_first_orig_packet:1, saw_first_resp_packet:1;
 
 	// Count number of connections.
-	static unsigned int total_connections;
-	static unsigned int current_connections;
-	static unsigned int external_connections;
+	static uint64 total_connections;
+	static uint64 current_connections;
+	static uint64 external_connections;
 
 	string history;
 	uint32 hist_seen;
diff --git a/src/DFA.cc b/src/DFA.cc
index e7b2279ed5..5885a9bf3b 100644
--- a/src/DFA.cc
+++ b/src/DFA.cc
@@ -346,6 +346,7 @@ DFA_State* DFA_State_Cache::Lookup(const NFA_state_list& nfas,
 		++misses;
 		return 0;
 		}
+	++hits;
 
 	delete *hash;
 	*hash = 0;
@@ -433,19 +434,6 @@ void DFA_Machine::Dump(FILE* f)
 	start_state->ClearMarks();
 	}
 
-void DFA_Machine::DumpStats(FILE* f)
-	{
-	DFA_State_Cache::Stats stats;
-	dfa_state_cache->GetStats(&stats);
-
-	fprintf(f, "Computed dfa_states = %d; Classes = %d; Computed trans. = %d; Uncomputed trans. = %d\n",
-		stats.dfa_states, EC()->NumClasses(),
-		stats.computed, stats.uncomputed);
-
-	fprintf(f, "DFA cache hits = %d; misses = %d\n",
-		stats.hits, stats.misses);
-	}
-
 unsigned int DFA_Machine::MemoryAllocation() const
 	{
 	DFA_State_Cache::Stats s;
diff --git a/src/DFA.h b/src/DFA.h
index 00cfdc3d39..a63beca9ac 100644
--- a/src/DFA.h
+++ b/src/DFA.h
@@ -89,10 +89,9 @@ public:
 	int NumEntries() const	{ return states.Length(); }
 
 	struct Stats {
-		unsigned int dfa_states;
-
-		// Sum over all NFA states per DFA state.
+		// Sum of all NFA states
 		unsigned int nfa_states;
+		unsigned int dfa_states;
 		unsigned int computed;
 		unsigned int uncomputed;
 		unsigned int mem;
@@ -132,7 +131,6 @@ public:
 
 	void Describe(ODesc* d) const;
 	void Dump(FILE* f);
-	void DumpStats(FILE* f);
 
 	unsigned int MemoryAllocation() const;
 
diff --git a/src/DebugLogger.cc b/src/DebugLogger.cc
index 4e3dba9d81..6a095a15db 100644
--- a/src/DebugLogger.cc
+++ b/src/DebugLogger.cc
@@ -7,7 +7,7 @@
 #include "Net.h"
 #include "plugin/Plugin.h"
 
-DebugLogger debug_logger("debug");
+DebugLogger debug_logger;
 
 // Same order here as in DebugStream.
 DebugLogger::Stream DebugLogger::streams[NUM_DBGS] = {
@@ -22,7 +22,19 @@ DebugLogger::Stream DebugLogger::streams[NUM_DBGS] = {
 	{ "pktio", 0, false }, { "broker", 0, false }
 };
 
-DebugLogger::DebugLogger(const char* filename)
+DebugLogger::DebugLogger()
+	{
+	verbose = false;
+	file = 0;
+	}
+
+DebugLogger::~DebugLogger()
+	{
+	if ( file && file != stderr )
+		fclose(file);
+	}
+
+void DebugLogger::OpenDebugLog(const char* filename)
 	{
 	if ( filename )
 		{
@@ -45,14 +57,6 @@ DebugLogger::DebugLogger(const char* filename)
 		}
 	else
 		file = stderr;
-
-	verbose = false;
-	}
-
-DebugLogger::~DebugLogger()
-	{
-	if ( file != stderr )
-		fclose(file);
 	}
 
 void DebugLogger::ShowStreamsHelp()
diff --git a/src/DebugLogger.h b/src/DebugLogger.h
index ca947ff03a..18068419b8 100644
--- a/src/DebugLogger.h
+++ b/src/DebugLogger.h
@@ -53,9 +53,11 @@ namespace plugin { class Plugin; }
 class DebugLogger {
 public:
 	// Output goes to stderr per default.
-	DebugLogger(const char* filename = 0);
+	DebugLogger();
 	~DebugLogger();
 
+	void OpenDebugLog(const char* filename = 0);
+
 	void Log(DebugStream stream, const char* fmt, ...);
 	void Log(const plugin::Plugin& plugin, const char* fmt, ...);
 
diff --git a/src/Desc.cc b/src/Desc.cc
index 3cdc35bfe5..1d76c32e55 100644
--- a/src/Desc.cc
+++ b/src/Desc.cc
@@ -4,6 +4,7 @@
 
 #include <stdlib.h>
 #include <errno.h>
+#include <math.h>
 
 #include "Desc.h"
 #include "File.h"
@@ -138,17 +139,22 @@ void ODesc::Add(uint64 u)
 		}
 	}
 
-void ODesc::Add(double d)
+void ODesc::Add(double d, bool no_exp)
 	{
 	if ( IsBinary() )
 		AddBytes(&d, sizeof(d));
 	else
 		{
 		char tmp[256];
-		modp_dtoa2(d, tmp, IsReadable() ? 6 : 8);
+
+		if ( no_exp )
+			modp_dtoa3(d, tmp, sizeof(tmp), IsReadable() ? 6 : 8);
+		else
+			modp_dtoa2(d, tmp, IsReadable() ? 6 : 8);
+
 		Add(tmp);
 
-		if ( d == double(int(d)) )
+		if ( nearbyint(d) == d && isfinite(d) && ! strchr(tmp, 'e') )
 			// disambiguate from integer
 			Add(".0");
 		}
@@ -351,3 +357,24 @@ void ODesc::Clear()
 		}
 	}
 
+bool ODesc::PushType(const BroType* type)
+	{
+	auto res = encountered_types.insert(type);
+	return std::get<1>(res);
+	}
+
+bool ODesc::PopType(const BroType* type)
+	{
+	size_t res = encountered_types.erase(type);
+	return (res == 1);
+	}
+
+bool ODesc::FindType(const BroType* type)
+	{
+	auto res = encountered_types.find(type);
+
+	if ( res != encountered_types.end() )
+		return true;
+
+	return false;
+	}
diff --git a/src/Desc.h b/src/Desc.h
index cc6ba3a662..fb56aad9ea 100644
--- a/src/Desc.h
+++ b/src/Desc.h
@@ -23,6 +23,7 @@ typedef enum {
 class BroFile;
 class IPAddr;
 class IPPrefix;
+class BroType;
 
 class ODesc {
 public:
@@ -80,7 +81,7 @@ public:
 	void Add(uint32 u);
 	void Add(int64 i);
 	void Add(uint64 u);
-	void Add(double d);
+	void Add(double d, bool no_exp=false);
 	void Add(const IPAddr& addr);
 	void Add(const IPPrefix& prefix);
 
@@ -140,6 +141,12 @@ public:
 
 	void Clear();
 
+	// Used to determine recursive types. Records push their types on here;
+	// if the same type (by address) is re-encountered, processing aborts.
+	bool PushType(const BroType* type);
+	bool PopType(const BroType* type);
+	bool FindType(const BroType* type);
+
 protected:
 	void Indent();
 
@@ -190,6 +197,8 @@ protected:
 	int do_flush;
 	int include_stats;
 	int indent_with_spaces;
+
+	std::set<const BroType*> encountered_types;
 };
 
 #endif
diff --git a/src/Dict.cc b/src/Dict.cc
index 1d32eccde3..9e68d64089 100644
--- a/src/Dict.cc
+++ b/src/Dict.cc
@@ -66,6 +66,7 @@ Dictionary::Dictionary(dict_order ordering, int initial_size)
 	delete_func = 0;
 	tbl_next_ind = 0;
 
+	cumulative_entries = 0;
 	num_buckets2 = num_entries2 = max_num_entries2 = thresh_entries2 = 0;
 	den_thresh2 = 0;
 	}
@@ -444,6 +445,7 @@ void* Dictionary::Insert(DictEntry* new_entry, int copy_key)
 	// on lists than prepending.
 	chain->append(new_entry);
 
+	++cumulative_entries;
 	if ( *max_num_entries_ptr < ++*num_entries_ptr )
 		*max_num_entries_ptr = *num_entries_ptr;
 
diff --git a/src/Dict.h b/src/Dict.h
index 3a2239ef54..2def5ea28f 100644
--- a/src/Dict.h
+++ b/src/Dict.h
@@ -71,6 +71,12 @@ public:
 			max_num_entries + max_num_entries2 : max_num_entries;
 		}
 
+	// Total number of entries ever.
+	uint64 NumCumulativeInserts() const
+		{
+		return cumulative_entries;
+		}
+
 	// True if the dictionary is ordered, false otherwise.
 	int IsOrdered() const		{ return order != 0; }
 
@@ -166,6 +172,7 @@ private:
 	int num_buckets;
 	int num_entries;
 	int max_num_entries;
+	uint64 cumulative_entries;
 	double den_thresh;
 	int thresh_entries;
 
diff --git a/src/Event.cc b/src/Event.cc
index 89e745361f..6371a69248 100644
--- a/src/Event.cc
+++ b/src/Event.cc
@@ -10,8 +10,8 @@
 
 EventMgr mgr;
 
-int num_events_queued = 0;
-int num_events_dispatched = 0;
+uint64 num_events_queued = 0;
+uint64 num_events_dispatched = 0;
 
 Event::Event(EventHandlerPtr arg_handler, val_list* arg_args,
 		SourceID arg_src, analyzer::ID arg_aid, TimerMgr* arg_mgr,
@@ -94,26 +94,6 @@ void EventMgr::QueueEvent(Event* event)
 	++num_events_queued;
 	}
 
-void EventMgr::Dispatch()
-	{
-	if ( ! head )
-		reporter->InternalError("EventMgr::Dispatch underflow");
-
-	Event* current = head;
-
-	head = head->NextEvent();
-	if ( ! head )
-		tail = head;
-
-	current_src = current->Source();
-	current_mgr = current->Mgr();
-	current_aid = current->Analyzer();
-	current->Dispatch();
-	Unref(current);
-
-	++num_events_dispatched;
-	}
-
 void EventMgr::Drain()
 	{
 	if ( event_queue_flush_point )
@@ -124,8 +104,34 @@ void EventMgr::Drain()
 	PLUGIN_HOOK_VOID(HOOK_DRAIN_EVENTS, HookDrainEvents());
 
 	draining = true;
-	while ( head )
-		Dispatch();
+
+	// Past Bro versions drained as long as there events, including when
+	// a handler queued new events during its execution. This could lead
+	// to endless loops in case a handler kept triggering its own event.
+	// We now limit this to just a couple of rounds. We do more than
+	// just one round to make it less likley to break existing scripts
+	// that expect the old behavior to trigger something quickly.
+
+	for ( int round = 0; head && round < 2; round++ )
+		{
+		Event* current = head;
+		head = 0;
+		tail = 0;
+
+		while ( current )
+			{
+			Event* next = current->NextEvent();
+
+			current_src = current->Source();
+			current_mgr = current->Mgr();
+			current_aid = current->Analyzer();
+			current->Dispatch();
+			Unref(current);
+
+			++num_events_dispatched;
+			current = next;
+			}
+		}
 
 	// Note: we might eventually need a general way to specify things to
 	// do after draining events.
diff --git a/src/Event.h b/src/Event.h
index 6f9c9d10c3..1b76928f10 100644
--- a/src/Event.h
+++ b/src/Event.h
@@ -72,8 +72,8 @@ protected:
 	Event* next_event;
 };
 
-extern int num_events_queued;
-extern int num_events_dispatched;
+extern uint64 num_events_queued;
+extern uint64 num_events_dispatched;
 
 class EventMgr : public BroObj {
 public:
@@ -90,8 +90,6 @@ public:
 			delete_vals(vl);
 		}
 
-	void Dispatch();
-
 	void Dispatch(Event* event, bool no_remote = false)
 		{
 		current_src = event->Source();
diff --git a/src/Frag.cc b/src/Frag.cc
index 6a8b901a73..842059e218 100644
--- a/src/Frag.cc
+++ b/src/Frag.cc
@@ -28,7 +28,7 @@ void FragTimer::Dispatch(double t, int /* is_expire */)
 FragReassembler::FragReassembler(NetSessions* arg_s,
 			const IP_Hdr* ip, const u_char* pkt,
 			HashKey* k, double t)
-	: Reassembler(0)
+	: Reassembler(0, REASSEM_FRAG)
 	{
 	s = arg_s;
 	key = k;
diff --git a/src/Func.cc b/src/Func.cc
index e1eadb8c9f..ccb2570f70 100644
--- a/src/Func.cc
+++ b/src/Func.cc
@@ -628,10 +628,12 @@ void builtin_error(const char* msg, BroObj* arg)
 	}
 
 #include "bro.bif.func_h"
+#include "stats.bif.func_h"
 #include "reporter.bif.func_h"
 #include "strings.bif.func_h"
 
 #include "bro.bif.func_def"
+#include "stats.bif.func_def"
 #include "reporter.bif.func_def"
 #include "strings.bif.func_def"
 
@@ -640,13 +642,22 @@ void builtin_error(const char* msg, BroObj* arg)
 
 void init_builtin_funcs()
 	{
-	bro_resources = internal_type("bro_resources")->AsRecordType();
-	net_stats = internal_type("NetStats")->AsRecordType();
-	matcher_stats = internal_type("matcher_stats")->AsRecordType();
+	ProcStats = internal_type("ProcStats")->AsRecordType();
+	NetStats = internal_type("NetStats")->AsRecordType();
+	MatcherStats = internal_type("MatcherStats")->AsRecordType();
+	ConnStats = internal_type("ConnStats")->AsRecordType();
+	ReassemblerStats = internal_type("ReassemblerStats")->AsRecordType();
+	DNSStats = internal_type("DNSStats")->AsRecordType();
+	GapStats = internal_type("GapStats")->AsRecordType();
+	EventStats = internal_type("EventStats")->AsRecordType();
+	TimerStats = internal_type("TimerStats")->AsRecordType();
+	FileAnalysisStats = internal_type("FileAnalysisStats")->AsRecordType();
+	ThreadStats = internal_type("ThreadStats")->AsRecordType();
+
 	var_sizes = internal_type("var_sizes")->AsTableType();
-	gap_info = internal_type("gap_info")->AsRecordType();
 
 #include "bro.bif.func_init"
+#include "stats.bif.func_init"
 #include "reporter.bif.func_init"
 #include "strings.bif.func_init"
 
diff --git a/src/IP.cc b/src/IP.cc
index 3a19f02d23..ebe778e3d7 100644
--- a/src/IP.cc
+++ b/src/IP.cc
@@ -1,5 +1,9 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
+#include <sys/types.h>
+#include <netinet/in.h>
+#include <netinet/icmp6.h>
+
 #include "IP.h"
 #include "Type.h"
 #include "Val.h"
@@ -403,6 +407,17 @@ RecordVal* IP_Hdr::BuildPktHdrVal(RecordVal* pkt_hdr, int sindex) const
 		break;
 		}
 
+	case IPPROTO_ICMPV6:
+		{
+		const struct icmp6_hdr* icmpp = (const struct icmp6_hdr*) data;
+		RecordVal* icmp_hdr = new RecordVal(icmp_hdr_type);
+
+		icmp_hdr->Assign(0, new Val(icmpp->icmp6_type, TYPE_COUNT));
+
+		pkt_hdr->Assign(sindex + 4, icmp_hdr);
+		break;
+		}
+
 	default:
 		{
 		// This is not a protocol we understand.
diff --git a/src/NFA.cc b/src/NFA.cc
index def04d79a1..4d18f75226 100644
--- a/src/NFA.cc
+++ b/src/NFA.cc
@@ -285,11 +285,6 @@ void NFA_Machine::Dump(FILE* f)
 	first_state->ClearMarks();
 	}
 
-void NFA_Machine::DumpStats(FILE* f)
-	{
-	fprintf(f, "highest NFA state ID is %d\n", nfa_state_id);
-	}
-
 NFA_Machine* make_alternate(NFA_Machine* m1, NFA_Machine* m2)
 	{
 	if ( ! m1 )
diff --git a/src/NFA.h b/src/NFA.h
index 9877b8787c..88ce3429c9 100644
--- a/src/NFA.h
+++ b/src/NFA.h
@@ -105,7 +105,6 @@ public:
 
 	void Describe(ODesc* d) const;
 	void Dump(FILE* f);
-	void DumpStats(FILE* f);
 
 	unsigned int MemoryAllocation() const
 		{ return padded_sizeof(*this) + first_state->TotalMemoryAllocation(); }
diff --git a/src/NetVar.cc b/src/NetVar.cc
index 8a901842fd..86ece8a6a0 100644
--- a/src/NetVar.cc
+++ b/src/NetVar.cc
@@ -15,6 +15,8 @@ RecordType* icmp_conn;
 RecordType* icmp_context;
 RecordType* SYN_packet;
 RecordType* pcap_packet;
+RecordType* raw_pkt_hdr_type;
+RecordType* l2_hdr_type;
 RecordType* signature_state;
 EnumType* transport_proto;
 TableType* string_set;
@@ -197,7 +199,6 @@ Val* pkt_profile_file;
 int load_sample_freq;
 
 double gap_report_freq;
-RecordType* gap_info;
 
 int packet_filter_default;
 
@@ -324,6 +325,8 @@ void init_net_var()
 	signature_state = internal_type("signature_state")->AsRecordType();
 	SYN_packet = internal_type("SYN_packet")->AsRecordType();
 	pcap_packet = internal_type("pcap_packet")->AsRecordType();
+	raw_pkt_hdr_type = internal_type("raw_pkt_hdr")->AsRecordType();
+	l2_hdr_type = internal_type("l2_hdr")->AsRecordType();
 	transport_proto = internal_type("transport_proto")->AsEnumType();
 	string_set = internal_type("string_set")->AsTableType();
 	string_array = internal_type("string_array")->AsTableType();
diff --git a/src/NetVar.h b/src/NetVar.h
index 97018121f9..cda1cc83a8 100644
--- a/src/NetVar.h
+++ b/src/NetVar.h
@@ -19,6 +19,8 @@ extern RecordType* icmp_context;
 extern RecordType* signature_state;
 extern RecordType* SYN_packet;
 extern RecordType* pcap_packet;
+extern RecordType* raw_pkt_hdr_type;
+extern RecordType* l2_hdr_type;
 extern EnumType* transport_proto;
 extern TableType* string_set;
 extern TableType* string_array;
@@ -200,9 +202,6 @@ extern Val* pkt_profile_file;
 
 extern int load_sample_freq;
 
-extern double gap_report_freq;
-extern RecordType* gap_info;
-
 extern int packet_filter_default;
 
 extern int sig_max_group_size;
diff --git a/src/PrefixTable.cc b/src/PrefixTable.cc
index d31203c9d3..007e08349c 100644
--- a/src/PrefixTable.cc
+++ b/src/PrefixTable.cc
@@ -1,7 +1,7 @@
 #include "PrefixTable.h"
 #include "Reporter.h"
 
-inline static prefix_t* make_prefix(const IPAddr& addr, int width)
+prefix_t* PrefixTable::MakePrefix(const IPAddr& addr, int width)
 	{
 	prefix_t* prefix = (prefix_t*) safe_malloc(sizeof(prefix_t));
 
@@ -13,9 +13,14 @@ inline static prefix_t* make_prefix(const IPAddr& addr, int width)
 	return prefix;
 	}
 
+IPPrefix PrefixTable::PrefixToIPPrefix(prefix_t* prefix)
+	{
+	return IPPrefix(IPAddr(IPv6, reinterpret_cast<const uint32_t*>(&prefix->add.sin6), IPAddr::Network), prefix->bitlen, 1);
+	}
+
 void* PrefixTable::Insert(const IPAddr& addr, int width, void* data)
 	{
-	prefix_t* prefix = make_prefix(addr, width);
+	prefix_t* prefix = MakePrefix(addr, width);
 	patricia_node_t* node = patricia_lookup(tree, prefix);
 	Deref_Prefix(prefix);
 
@@ -57,13 +62,39 @@ void* PrefixTable::Insert(const Val* value, void* data)
 	}
 	}
 
+list<tuple<IPPrefix,void*>> PrefixTable::FindAll(const IPAddr& addr, int width) const
+	{
+	std::list<tuple<IPPrefix,void*>> out;
+	prefix_t* prefix = MakePrefix(addr, width);
+
+	int elems = 0;
+	patricia_node_t** list = nullptr;
+
+	patricia_search_all(tree, prefix, &list, &elems);
+
+	for ( int i = 0; i < elems; ++i )
+		out.push_back(std::make_tuple(PrefixToIPPrefix(list[i]->prefix), list[i]->data));
+
+	Deref_Prefix(prefix);
+	free(list);
+	return out;
+	}
+
+list<tuple<IPPrefix,void*>> PrefixTable::FindAll(const SubNetVal* value) const
+	{
+	return FindAll(value->AsSubNet().Prefix(), value->AsSubNet().LengthIPv6());
+	}
+
 void* PrefixTable::Lookup(const IPAddr& addr, int width, bool exact) const
 	{
-	prefix_t* prefix = make_prefix(addr, width);
+	prefix_t* prefix = MakePrefix(addr, width);
 	patricia_node_t* node =
 		exact ? patricia_search_exact(tree, prefix) :
 			patricia_search_best(tree, prefix);
 
+	int elems = 0;
+	patricia_node_t** list = nullptr;
+
 	Deref_Prefix(prefix);
 	return node ? node->data : 0;
 	}
@@ -94,7 +125,7 @@ void* PrefixTable::Lookup(const Val* value, bool exact) const
 
 void* PrefixTable::Remove(const IPAddr& addr, int width)
 	{
-	prefix_t* prefix = make_prefix(addr, width);
+	prefix_t* prefix = MakePrefix(addr, width);
 	patricia_node_t* node = patricia_search_exact(tree, prefix);
 	Deref_Prefix(prefix);
 
diff --git a/src/PrefixTable.h b/src/PrefixTable.h
index 2e5f43a0a8..6606b77e81 100644
--- a/src/PrefixTable.h
+++ b/src/PrefixTable.h
@@ -36,6 +36,10 @@ public:
 	void* Lookup(const IPAddr& addr, int width, bool exact = false) const;
 	void* Lookup(const Val* value, bool exact = false) const;
 
+	// Returns list of all found matches or empty list otherwise.
+	list<tuple<IPPrefix,void*>> FindAll(const IPAddr& addr, int width) const;
+	list<tuple<IPPrefix,void*>> FindAll(const SubNetVal* value) const;
+
 	// Returns pointer to data or nil if not found.
 	void* Remove(const IPAddr& addr, int width);
 	void* Remove(const Val* value);
@@ -45,6 +49,10 @@ public:
 	iterator InitIterator();
 	void* GetNext(iterator* i);
 
+private:
+	static prefix_t* MakePrefix(const IPAddr& addr, int width);
+	static IPPrefix PrefixToIPPrefix(prefix_t* p);
+
 	patricia_tree_t* tree;
 };
 
diff --git a/src/PriorityQueue.cc b/src/PriorityQueue.cc
index 75b731142e..5fe0cbef81 100644
--- a/src/PriorityQueue.cc
+++ b/src/PriorityQueue.cc
@@ -13,7 +13,7 @@ PriorityQueue::PriorityQueue(int initial_size)
 	{
 	max_heap_size = initial_size;
 	heap = new PQ_Element*[max_heap_size];
-	peak_heap_size = heap_size = 0;
+	peak_heap_size = heap_size = cumulative_num = 0;
 	}
 
 PriorityQueue::~PriorityQueue()
@@ -62,6 +62,8 @@ int PriorityQueue::Add(PQ_Element* e)
 
 	BubbleUp(heap_size);
 
+	++cumulative_num;
+
 	if ( ++heap_size > peak_heap_size )
 		peak_heap_size = heap_size;
 
diff --git a/src/PriorityQueue.h b/src/PriorityQueue.h
index 87e10aa7ac..6fe36f43fe 100644
--- a/src/PriorityQueue.h
+++ b/src/PriorityQueue.h
@@ -4,6 +4,7 @@
 #define __PriorityQueue__
 
 #include <math.h>
+#include "util.h"
 
 class PriorityQueue;
 
@@ -20,7 +21,7 @@ public:
 	void MinimizeTime()	{ time = -HUGE_VAL; }
 
 protected:
-	PQ_Element()		{ }
+	PQ_Element()		{ time = 0; offset = -1; }
 	double time;
 	int offset;
 };
@@ -53,6 +54,7 @@ public:
 
 	int Size() const	{ return heap_size; }
 	int PeakSize() const	{ return peak_heap_size; }
+	uint64 CumulativeNum() const { return cumulative_num; }
 
 protected:
 	int Resize(int new_size);
@@ -92,6 +94,7 @@ protected:
 	int heap_size;
 	int peak_heap_size;
 	int max_heap_size;
+	uint64 cumulative_num;
 };
 
 #endif
diff --git a/src/Reassem.cc b/src/Reassem.cc
index 54f27bd895..14d894be4f 100644
--- a/src/Reassem.cc
+++ b/src/Reassem.cc
@@ -1,6 +1,7 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #include <algorithm>
+#include <vector>
 
 #include "bro-config.h"
 
@@ -10,7 +11,8 @@
 static const bool DEBUG_reassem = false;
 
 DataBlock::DataBlock(const u_char* data, uint64 size, uint64 arg_seq,
-			DataBlock* arg_prev, DataBlock* arg_next)
+		     DataBlock* arg_prev, DataBlock* arg_next,
+		     ReassemblerType reassem_type)
 	{
 	seq = arg_seq;
 	upper = seq + size;
@@ -26,17 +28,21 @@ DataBlock::DataBlock(const u_char* data, uint64 size, uint64 arg_seq,
 	if ( next )
 		next->prev = this;
 
+	rtype = reassem_type;
+	Reassembler::sizes[rtype] += pad_size(size) + padded_sizeof(DataBlock);
 	Reassembler::total_size += pad_size(size) + padded_sizeof(DataBlock);
 	}
 
 uint64 Reassembler::total_size = 0;
+uint64 Reassembler::sizes[REASSEM_NUM];
 
-Reassembler::Reassembler(uint64 init_seq)
+Reassembler::Reassembler(uint64 init_seq, ReassemblerType reassem_type)
 	{
 	blocks = last_block = 0;
 	old_blocks = last_old_block = 0;
 	total_old_blocks = max_old_blocks = 0;
 	trim_seq = last_reassem_seq = init_seq;
+	rtype = reassem_type;
 	}
 
 Reassembler::~Reassembler()
@@ -110,7 +116,7 @@ void Reassembler::NewBlock(double t, uint64 seq, uint64 len, const u_char* data)
 
 	if ( ! blocks )
 		blocks = last_block = start_block =
-			new DataBlock(data, len, seq, 0, 0);
+			new DataBlock(data, len, seq, 0, 0, rtype);
 	else
 		start_block = AddAndCheck(blocks, seq, upper_seq, data);
 
@@ -275,7 +281,7 @@ DataBlock* Reassembler::AddAndCheck(DataBlock* b, uint64 seq, uint64 upper,
 	if ( last_block && seq == last_block->upper )
 		{
 		last_block = new DataBlock(data, upper - seq, seq,
-						last_block, 0);
+					   last_block, 0, rtype);
 		return last_block;
 		}
 
@@ -288,7 +294,7 @@ DataBlock* Reassembler::AddAndCheck(DataBlock* b, uint64 seq, uint64 upper,
 		{
 		// b is the last block, and it comes completely before
 		// the new block.
-		last_block = new DataBlock(data, upper - seq, seq, b, 0);
+		last_block = new DataBlock(data, upper - seq, seq, b, 0, rtype);
 		return last_block;
 		}
 
@@ -297,7 +303,7 @@ DataBlock* Reassembler::AddAndCheck(DataBlock* b, uint64 seq, uint64 upper,
 	if ( upper <= b->seq )
 		{
 		// The new block comes completely before b.
-		new_b = new DataBlock(data, upper - seq, seq, b->prev, b);
+		new_b = new DataBlock(data, upper - seq, seq, b->prev, b, rtype);
 		if ( b == blocks )
 			blocks = new_b;
 		return new_b;
@@ -308,7 +314,7 @@ DataBlock* Reassembler::AddAndCheck(DataBlock* b, uint64 seq, uint64 upper,
 		{
 		// The new block has a prefix that comes before b.
 		uint64 prefix_len = b->seq - seq;
-		new_b = new DataBlock(data, prefix_len, seq, b->prev, b);
+		new_b = new DataBlock(data, prefix_len, seq, b->prev, b, rtype);
 		if ( b == blocks )
 			blocks = new_b;
 
@@ -342,6 +348,11 @@ DataBlock* Reassembler::AddAndCheck(DataBlock* b, uint64 seq, uint64 upper,
 	return new_b;
 	}
 
+uint64 Reassembler::MemoryAllocation(ReassemblerType rtype)
+	{
+	return Reassembler::sizes[rtype];
+	}
+
 bool Reassembler::Serialize(SerialInfo* info) const
 	{
 	return SerialObj::Serialize(info);
diff --git a/src/Reassem.h b/src/Reassem.h
index e55c809990..1672a4f9dd 100644
--- a/src/Reassem.h
+++ b/src/Reassem.h
@@ -6,10 +6,23 @@
 #include "Obj.h"
 #include "IPAddr.h"
 
+// Whenever subclassing the Reassembler class
+// you should add to this for known subclasses.
+enum ReassemblerType {
+	REASSEM_UNKNOWN,
+	REASSEM_TCP,
+	REASSEM_FRAG,
+	REASSEM_FILE,
+
+	// Terminal value. Add new above.
+	REASSEM_NUM,
+};
+
 class DataBlock {
 public:
 	DataBlock(const u_char* data, uint64 size, uint64 seq,
-			DataBlock* prev, DataBlock* next);
+		  DataBlock* prev, DataBlock* next,
+		  ReassemblerType reassem_type = REASSEM_UNKNOWN);
 
 	~DataBlock();
 
@@ -19,13 +32,12 @@ public:
 	DataBlock* prev;	// previous block with lower seq #
 	uint64 seq, upper;
 	u_char* block;
+	ReassemblerType rtype;
 };
 
-
-
 class Reassembler : public BroObj {
 public:
-	Reassembler(uint64 init_seq);
+	Reassembler(uint64 init_seq, ReassemblerType reassem_type = REASSEM_UNKNOWN);
 	virtual ~Reassembler();
 
 	void NewBlock(double t, uint64 seq, uint64 len, const u_char* data);
@@ -51,6 +63,9 @@ public:
 	// Sum over all data buffered in some reassembler.
 	static uint64 TotalMemoryAllocation()	{ return total_size; }
 
+	// Data buffered by type of reassembler.
+	static uint64 MemoryAllocation(ReassemblerType rtype);
+
 	void SetMaxOldBlocks(uint32 count)	{ max_old_blocks = count; }
 
 protected:
@@ -82,12 +97,16 @@ protected:
 	uint32 max_old_blocks;
 	uint32 total_old_blocks;
 
+	ReassemblerType rtype;
+
 	static uint64 total_size;
+	static uint64 sizes[REASSEM_NUM];
 };
 
 inline DataBlock::~DataBlock()
 	{
 	Reassembler::total_size -= pad_size(upper - seq) + padded_sizeof(DataBlock);
+	Reassembler::sizes[rtype] -= pad_size(upper - seq) + padded_sizeof(DataBlock);
 	delete [] block;
 	}
 
diff --git a/src/RuleCondition.cc b/src/RuleCondition.cc
index 68eb13121f..40ef5f0ad1 100644
--- a/src/RuleCondition.cc
+++ b/src/RuleCondition.cc
@@ -111,7 +111,7 @@ bool RuleConditionPayloadSize::DoMatch(Rule* rule, RuleEndpointState* state,
 		return payload_size >= val;
 
 	default:
-		reporter->InternalError("unknown comparision type");
+		reporter->InternalError("unknown comparison type");
 	}
 
 	// Should not be reached
diff --git a/src/RuleMatcher.cc b/src/RuleMatcher.cc
index f40a5c4349..c88bb77a4f 100644
--- a/src/RuleMatcher.cc
+++ b/src/RuleMatcher.cc
@@ -21,7 +21,7 @@
 //			it may fail to match. Work-around: Insert an always
 //			matching "payload" pattern (not done in snort2bro yet)
 //		  - tcp-state always evaluates to true
-//			(implemented but deactivated for comparision to Snort)
+//			(implemented but deactivated for comparison to Snort)
 
 uint32 RuleHdrTest::idcounter = 0;
 
@@ -1174,7 +1174,7 @@ void RuleMatcher::GetStats(Stats* stats, RuleHdrTest* hdr_test)
 		stats->mem = 0;
 		stats->hits = 0;
 		stats->misses = 0;
-		stats->avg_nfa_states = 0;
+		stats->nfa_states = 0;
 		hdr_test = root;
 		}
 
@@ -1195,15 +1195,10 @@ void RuleMatcher::GetStats(Stats* stats, RuleHdrTest* hdr_test)
 			stats->mem += cstats.mem;
 			stats->hits += cstats.hits;
 			stats->misses += cstats.misses;
-			stats->avg_nfa_states += cstats.nfa_states;
+			stats->nfa_states += cstats.nfa_states;
 			}
 		}
 
-	if (  stats->dfa_states )
-		stats->avg_nfa_states /= stats->dfa_states;
-	else
-		stats->avg_nfa_states = 0;
-
 	for ( RuleHdrTest* h = hdr_test->child; h; h = h->sibling )
 		GetStats(stats, h);
 	}
diff --git a/src/RuleMatcher.h b/src/RuleMatcher.h
index 6ffc971db1..b16a1556f9 100644
--- a/src/RuleMatcher.h
+++ b/src/RuleMatcher.h
@@ -297,6 +297,9 @@ public:
 	struct Stats {
 		unsigned int matchers;	// # distinct RE matchers
 
+		// NFA states across all matchers.
+		unsigned int nfa_states;
+
 		// # DFA states across all matchers
 		unsigned int dfa_states;
 		unsigned int computed;	// # computed DFA state transitions
@@ -305,9 +308,6 @@ public:
 		// # cache hits (sampled, multiply by MOVE_TO_FRONT_SAMPLE_SIZE)
 		unsigned int hits;
 		unsigned int misses;	// # cache misses
-
-		// Average # NFA states per DFA state.
-		unsigned int avg_nfa_states;
 	};
 
 	Val* BuildRuleStateValue(const Rule* rule,
diff --git a/src/Serializer.cc b/src/Serializer.cc
index 49e57c0216..5c1ae6077c 100644
--- a/src/Serializer.cc
+++ b/src/Serializer.cc
@@ -437,7 +437,7 @@ bool Serializer::UnserializeCall(UnserialInfo* info)
 
 bool Serializer::UnserializeStateAccess(UnserialInfo* info)
 	{
-	SetErrorDescr("unserializing state acess");
+	SetErrorDescr("unserializing state access");
 
 	StateAccess* s = StateAccess::Unserialize(info);
 
diff --git a/src/Serializer.h b/src/Serializer.h
index 43a9943cc5..402fc5d259 100644
--- a/src/Serializer.h
+++ b/src/Serializer.h
@@ -125,7 +125,7 @@ protected:
 
 	// This will be increased whenever there is an incompatible change
 	// in the data format.
-	static const uint32 DATA_FORMAT_VERSION = 25;
+	static const uint32 DATA_FORMAT_VERSION = 26;
 
 	ChunkedIO* io;
 
diff --git a/src/Sessions.cc b/src/Sessions.cc
index b8bfe82b34..534bbe3cd3 100644
--- a/src/Sessions.cc
+++ b/src/Sessions.cc
@@ -674,7 +674,7 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr
 	conn = (Connection*) d->Lookup(h);
 	if ( ! conn )
 		{
-		conn = NewConn(h, t, &id, data, proto, ip_hdr->FlowLabel(), pkt->vlan, pkt->inner_vlan, encapsulation);
+		conn = NewConn(h, t, &id, data, proto, ip_hdr->FlowLabel(), pkt, encapsulation);
 		if ( conn )
 			d->Insert(h, conn);
 		}
@@ -694,7 +694,7 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr
 				conn->Event(connection_reused, 0);
 
 			Remove(conn);
-			conn = NewConn(h, t, &id, data, proto, ip_hdr->FlowLabel(), pkt->vlan, pkt->inner_vlan, encapsulation);
+			conn = NewConn(h, t, &id, data, proto, ip_hdr->FlowLabel(), pkt, encapsulation);
 			if ( conn )
 				d->Insert(h, conn);
 			}
@@ -1156,25 +1156,23 @@ void NetSessions::Drain()
 void NetSessions::GetStats(SessionStats& s) const
 	{
 	s.num_TCP_conns = tcp_conns.Length();
+	s.cumulative_TCP_conns = tcp_conns.NumCumulativeInserts();
 	s.num_UDP_conns = udp_conns.Length();
+	s.cumulative_UDP_conns = udp_conns.NumCumulativeInserts();
 	s.num_ICMP_conns = icmp_conns.Length();
+	s.cumulative_ICMP_conns = icmp_conns.NumCumulativeInserts();
 	s.num_fragments = fragments.Length();
 	s.num_packets = num_packets_processed;
-	s.num_timers = timer_mgr->Size();
-	s.num_events_queued = num_events_queued;
-	s.num_events_dispatched = num_events_dispatched;
 
 	s.max_TCP_conns = tcp_conns.MaxLength();
 	s.max_UDP_conns = udp_conns.MaxLength();
 	s.max_ICMP_conns = icmp_conns.MaxLength();
 	s.max_fragments = fragments.MaxLength();
-	s.max_timers = timer_mgr->PeakSize();
 	}
 
 Connection* NetSessions::NewConn(HashKey* k, double t, const ConnID* id,
 					const u_char* data, int proto, uint32 flow_label,
-					uint32 vlan, uint32 inner_vlan,
-					const EncapsulationStack* encapsulation)
+					const Packet* pkt, const EncapsulationStack* encapsulation)
 	{
 	// FIXME: This should be cleaned up a bit, it's too protocol-specific.
 	// But I'm not yet sure what the right abstraction for these things is.
@@ -1230,7 +1228,7 @@ Connection* NetSessions::NewConn(HashKey* k, double t, const ConnID* id,
 		id = &flip_id;
 		}
 
-	Connection* conn = new Connection(this, k, t, id, flow_label, vlan, inner_vlan, encapsulation);
+	Connection* conn = new Connection(this, k, t, id, flow_label, pkt, encapsulation);
 	conn->SetTransport(tproto);
 
 	if ( ! analyzer_mgr->BuildInitialAnalyzerTree(conn) )
diff --git a/src/Sessions.h b/src/Sessions.h
index 2aca292789..305c9c145f 100644
--- a/src/Sessions.h
+++ b/src/Sessions.h
@@ -32,19 +32,20 @@ namespace analyzer { namespace arp { class ARP_Analyzer; } }
 
 struct SessionStats {
 	int num_TCP_conns;
-	int num_UDP_conns;
-	int num_ICMP_conns;
-	int num_fragments;
-	int num_packets;
-	int num_timers;
-	int num_events_queued;
-	int num_events_dispatched;
-
 	int max_TCP_conns;
+	uint64 cumulative_TCP_conns;
+
+	int num_UDP_conns;
 	int max_UDP_conns;
+	uint64 cumulative_UDP_conns;
+
+	int num_ICMP_conns;
 	int max_ICMP_conns;
+	uint64 cumulative_ICMP_conns;
+
+	int num_fragments;
 	int max_fragments;
-	int max_timers;
+	uint64 num_packets;
 };
 
 // Drains and deletes a timer manager if it hasn't seen any advances
@@ -184,8 +185,7 @@ protected:
 
 	Connection* NewConn(HashKey* k, double t, const ConnID* id,
 			const u_char* data, int proto, uint32 flow_lable,
-			uint32 vlan, uint32 inner_vlan,
-			const EncapsulationStack* encapsulation);
+			const Packet* pkt, const EncapsulationStack* encapsulation);
 
 	// Check whether the tag of the current packet is consistent with
 	// the given connection.  Returns:
@@ -242,7 +242,7 @@ protected:
 	OSFingerprint* SYN_OS_Fingerprinter;
 	int build_backdoor_analyzer;
 	int dump_this_packet;	// if true, current packet should be recorded
-	int num_packets_processed;
+	uint64 num_packets_processed;
 	PacketProfiler* pkt_profiler;
 
 	// We may use independent timer managers for different sets of related
diff --git a/src/StateAccess.cc b/src/StateAccess.cc
index aa4a1f36d2..6e73c8cf61 100644
--- a/src/StateAccess.cc
+++ b/src/StateAccess.cc
@@ -150,7 +150,7 @@ bool StateAccess::CheckOld(const char* op, ID* id, Val* index,
 
 	if ( should && is )
 		{
-		// There's no general comparision for non-atomic vals currently.
+		// There's no general comparison for non-atomic vals currently.
 		if ( ! (is_atomic_val(is) && is_atomic_val(should)) )
 			return true;
 
diff --git a/src/Stats.cc b/src/Stats.cc
index 00f603cba7..d1f447c05c 100644
--- a/src/Stats.cc
+++ b/src/Stats.cc
@@ -14,7 +14,7 @@
 #include "broker/Manager.h"
 #endif
 
-int killed_by_inactivity = 0;
+uint64 killed_by_inactivity = 0;
 
 uint64 tot_ack_events = 0;
 uint64 tot_ack_bytes = 0;
@@ -82,7 +82,7 @@ void ProfileLogger::Log()
 	struct timeval tv_utime = r.ru_utime;
 	struct timeval tv_stime = r.ru_stime;
 
-	unsigned int total, malloced;
+	uint64 total, malloced;
 	get_memory_usage(&total, &malloced);
 
 	static unsigned int first_total = 0;
@@ -110,7 +110,7 @@ void ProfileLogger::Log()
 		file->Write(fmt("\n%.06f ------------------------\n", network_time));
 		}
 
-	file->Write(fmt("%.06f Memory: total=%dK total_adj=%dK malloced: %dK\n",
+	file->Write(fmt("%.06f Memory: total=%" PRId64 "K total_adj=%" PRId64 "K malloced: %" PRId64 "K\n",
 		network_time, total / 1024, (total - first_total) / 1024,
 		malloced / 1024));
 
@@ -120,7 +120,7 @@ void ProfileLogger::Log()
 
 	int conn_mem_use = expensive ? sessions->ConnectionMemoryUsage() : 0;
 
-	file->Write(fmt("%.06f Conns: total=%d current=%d/%d ext=%d mem=%dK avg=%.1f table=%dK connvals=%dK\n",
+	file->Write(fmt("%.06f Conns: total=%" PRIu64 " current=%" PRIu64 "/%" PRIi32 " ext=%" PRIu64 " mem=%" PRIi32 "K avg=%.1f table=%" PRIu32 "K connvals=%" PRIu32 "K\n",
 		network_time,
 		Connection::TotalConnections(),
 		Connection::CurrentConnections(),
@@ -161,10 +161,10 @@ void ProfileLogger::Log()
 		       ));
 	*/
 
-	file->Write(fmt("%.06f Connections expired due to inactivity: %d\n",
+	file->Write(fmt("%.06f Connections expired due to inactivity: %" PRIu64 "\n",
 		network_time, killed_by_inactivity));
 
-	file->Write(fmt("%.06f Total reassembler data: %" PRIu64"K\n", network_time,
+	file->Write(fmt("%.06f Total reassembler data: %" PRIu64 "K\n", network_time,
 		Reassembler::TotalMemoryAllocation() / 1024));
 
 	// Signature engine.
@@ -173,9 +173,9 @@ void ProfileLogger::Log()
 		RuleMatcher::Stats stats;
 		rule_matcher->GetStats(&stats);
 
-		file->Write(fmt("%06f RuleMatcher: matchers=%d dfa_states=%d ncomputed=%d "
-			"mem=%dK avg_nfa_states=%d\n", network_time, stats.matchers,
-			stats.dfa_states, stats.computed, stats.mem / 1024, stats.avg_nfa_states));
+		file->Write(fmt("%06f RuleMatcher: matchers=%d nfa_states=%d dfa_states=%d "
+			"ncomputed=%d mem=%dK\n", network_time, stats.matchers,
+			stats.nfa_states, stats.dfa_states, stats.computed, stats.mem / 1024));
 		}
 
 	file->Write(fmt("%.06f Timers: current=%d max=%d mem=%dK lag=%.2fs\n",
@@ -362,12 +362,16 @@ SampleLogger::~SampleLogger()
 
 void SampleLogger::FunctionSeen(const Func* func)
 	{
-	load_samples->Assign(new StringVal(func->Name()), 0);
+	Val* idx = new StringVal(func->Name());
+	load_samples->Assign(idx, 0);
+	Unref(idx);
 	}
 
 void SampleLogger::LocationSeen(const Location* loc)
 	{
-	load_samples->Assign(new StringVal(loc->filename), 0);
+	Val* idx = new StringVal(loc->filename);
+	load_samples->Assign(idx, 0);
+	Unref(idx);
 	}
 
 void SampleLogger::SegmentProfile(const char* /* name */,
@@ -465,10 +469,10 @@ void PacketProfiler::ProfilePkt(double t, unsigned int bytes)
 		double curr_Rtime =
 			ptimestamp.tv_sec + ptimestamp.tv_usec / 1e6;
 
-		unsigned int curr_mem;
+		uint64 curr_mem;
 		get_memory_usage(&curr_mem, 0);
 
-		file->Write(fmt("%.06f %.03f %d %d %.03f %.03f %.03f %d\n",
+		file->Write(fmt("%.06f %.03f %" PRIu64 " %" PRIu64 " %.03f %.03f %.03f %" PRIu64 "\n",
 				t, time-last_timestamp, pkt_cnt, byte_cnt,
 				curr_Rtime - last_Rtime,
 				curr_Utime - last_Utime,
diff --git a/src/Stats.h b/src/Stats.h
index 1bcc2e18dc..7fbec8cab6 100644
--- a/src/Stats.h
+++ b/src/Stats.h
@@ -102,7 +102,7 @@ extern ProfileLogger* segment_logger;
 extern SampleLogger* sample_logger;
 
 // Connection statistics.
-extern int killed_by_inactivity;
+extern uint64 killed_by_inactivity;
 
 // Content gap statistics.
 extern uint64 tot_ack_events;
@@ -127,9 +127,9 @@ protected:
 	double update_freq;
 	double last_Utime, last_Stime, last_Rtime;
 	double last_timestamp, time;
-	unsigned int last_mem;
-	unsigned int pkt_cnt;
-	unsigned int byte_cnt;
+	uint64 last_mem;
+	uint64 pkt_cnt;
+	uint64 byte_cnt;
 };
 
 #endif
diff --git a/src/Timer.h b/src/Timer.h
index 615c8bf69a..e095421c30 100644
--- a/src/Timer.h
+++ b/src/Timer.h
@@ -109,11 +109,12 @@ public:
 
 	virtual int Size() const = 0;
 	virtual int PeakSize() const = 0;
+	virtual uint64 CumulativeNum() const = 0;
 
 	double LastTimestamp() const	{ return last_timestamp; }
 	// Returns time of last advance in global network time.
 	double LastAdvance() const	{ return last_advance; }
-	
+
 	static unsigned int* CurrentTimers()	{ return current_timers; }
 
 protected:
@@ -148,6 +149,7 @@ public:
 
 	int Size() const	{ return q->Size(); }
 	int PeakSize() const	{ return q->PeakSize(); }
+	uint64 CumulativeNum() const	{ return q->CumulativeNum(); }
 	unsigned int MemoryUsage() const;
 
 protected:
@@ -170,6 +172,7 @@ public:
 
 	int Size() const	{ return cq_size(cq); }
 	int PeakSize() const	{ return cq_max_size(cq); }
+	uint64 CumulativeNum() const	{ return cq_cumulative_num(cq); }
 	unsigned int MemoryUsage() const;
 
 protected:
diff --git a/src/Type.cc b/src/Type.cc
index 75f1f445df..1a6a4d36b8 100644
--- a/src/Type.cc
+++ b/src/Type.cc
@@ -1045,6 +1045,8 @@ TypeDecl* RecordType::FieldDecl(int field)
 
 void RecordType::Describe(ODesc* d) const
 	{
+	d->PushType(this);
+
 	if ( d->IsReadable() )
 		{
 		if ( d->IsShort() && GetName().size() )
@@ -1064,10 +1066,13 @@ void RecordType::Describe(ODesc* d) const
 		d->Add(int(Tag()));
 		DescribeFields(d);
 		}
+
+	d->PopType(this);
 	}
 
 void RecordType::DescribeReST(ODesc* d, bool roles_only) const
 	{
+	d->PushType(this);
 	d->Add(":bro:type:`record`");
 
 	if ( num_fields == 0 )
@@ -1075,6 +1080,7 @@ void RecordType::DescribeReST(ODesc* d, bool roles_only) const
 
 	d->NL();
 	DescribeFieldsReST(d, false);
+	d->PopType(this);
 	}
 
 const char* RecordType::AddFields(type_decl_list* others, attr_list* attr)
@@ -1129,7 +1135,12 @@ void RecordType::DescribeFields(ODesc* d) const
 			const TypeDecl* td = FieldDecl(i);
 			d->Add(td->id);
 			d->Add(":");
-			td->type->Describe(d);
+
+			if ( d->FindType(td->type) )
+				d->Add("<recursion>");
+			else
+				td->type->Describe(d);
+
 			d->Add(";");
 			}
 		}
@@ -1170,7 +1181,11 @@ void RecordType::DescribeFieldsReST(ODesc* d, bool func_args) const
 			}
 
 		const TypeDecl* td = FieldDecl(i);
-		td->DescribeReST(d);
+
+		if ( d->FindType(td->type) )
+			d->Add("<recursion>");
+		else
+			td->DescribeReST(d);
 
 		if ( func_args )
 			continue;
diff --git a/src/Type.h b/src/Type.h
index e3d1167166..9f7a439986 100644
--- a/src/Type.h
+++ b/src/Type.h
@@ -182,6 +182,7 @@ public:
 		CHECK_TYPE_TAG(TYPE_FUNC, "BroType::AsFuncType");
 		return (const FuncType*) this;
 		}
+
 	FuncType* AsFuncType()
 		{
 		CHECK_TYPE_TAG(TYPE_FUNC, "BroType::AsFuncType");
@@ -201,7 +202,7 @@ public:
 		}
 
 	const VectorType* AsVectorType() const
-	        {
+		{
 		CHECK_TYPE_TAG(TYPE_VECTOR, "BroType::AsVectorType");
 		return (VectorType*) this;
 		}
@@ -219,19 +220,19 @@ public:
 		}
 
 	VectorType* AsVectorType()
-	        {
+		{
 		CHECK_TYPE_TAG(TYPE_VECTOR, "BroType::AsVectorType");
 		return (VectorType*) this;
 		}
 
 	const TypeType* AsTypeType() const
-	        {
+		{
 		CHECK_TYPE_TAG(TYPE_TYPE, "BroType::AsTypeType");
 		return (TypeType*) this;
 		}
 
 	TypeType* AsTypeType()
-	        {
+		{
 		CHECK_TYPE_TAG(TYPE_TYPE, "BroType::AsTypeType");
 		return (TypeType*) this;
 		}
diff --git a/src/Val.cc b/src/Val.cc
index 01a849c639..7341aada03 100644
--- a/src/Val.cc
+++ b/src/Val.cc
@@ -1323,7 +1323,7 @@ void TableVal::Init(TableType* t)
 	{
 	::Ref(t);
 	table_type = t;
-	expire_expr = 0;
+	expire_func = 0;
 	expire_time = 0;
 	expire_cookie = 0;
 	timer = 0;
@@ -1350,7 +1350,8 @@ TableVal::~TableVal()
 	delete subnets;
 	Unref(attrs);
 	Unref(def_val);
-	Unref(expire_expr);
+	Unref(expire_func);
+	Unref(expire_time);
 	}
 
 void TableVal::RemoveAll()
@@ -1399,8 +1400,8 @@ void TableVal::SetAttrs(Attributes* a)
 	Attr* ef = attrs->FindAttr(ATTR_EXPIRE_FUNC);
 	if ( ef )
 		{
-		expire_expr = ef->AttrExpr();
-		expire_expr->Ref();
+		expire_func = ef->AttrExpr();
+		expire_func->Ref();
 		}
 	}
 
@@ -1410,15 +1411,17 @@ void TableVal::CheckExpireAttr(attr_tag at)
 
 	if ( a )
 		{
-		Val* timeout = a->AttrExpr()->Eval(0);
-		if ( ! timeout )
+		expire_time = a->AttrExpr();
+		expire_time->Ref();
+
+		if ( expire_time->Type()->Tag() != TYPE_INTERVAL )
 			{
-			a->AttrExpr()->Error("value of timeout not fixed");
+			if ( ! expire_time->IsError() )
+				expire_time->SetError("expiration interval has wrong type");
+
 			return;
 			}
 
-		expire_time = timeout->AsInterval();
-
 		if ( timer )
 			timer_mgr->Cancel(timer);
 
@@ -1787,7 +1790,16 @@ Val* TableVal::Lookup(Val* index, bool use_default_val)
 		{
 		TableEntryVal* v = (TableEntryVal*) subnets->Lookup(index);
 		if ( v )
+			{
+			if ( attrs && attrs->FindAttr(ATTR_EXPIRE_READ) )
+					{
+					v->SetExpireAccess(network_time);
+					if ( LoggingAccess() && ExpirationEnabled() )
+						ReadOperation(index, v);
+					}
+
 			return v->Value() ? v->Value() : this;
+			}
 
 		if ( ! use_default_val )
 			return 0;
@@ -1810,12 +1822,10 @@ Val* TableVal::Lookup(Val* index, bool use_default_val)
 
 			if ( v )
 				{
-				if ( attrs &&
-				     ! (attrs->FindAttr(ATTR_EXPIRE_WRITE) ||
-					attrs->FindAttr(ATTR_EXPIRE_CREATE)) )
+				if ( attrs && attrs->FindAttr(ATTR_EXPIRE_READ) )
 					{
 					v->SetExpireAccess(network_time);
-					if ( LoggingAccess() && expire_time )
+					if ( LoggingAccess() && ExpirationEnabled() )
 						ReadOperation(index, v);
 					}
 
@@ -1833,6 +1843,57 @@ Val* TableVal::Lookup(Val* index, bool use_default_val)
 	return def;
 	}
 
+VectorVal* TableVal::LookupSubnets(const SubNetVal* search)
+	{
+	if ( ! subnets )
+		reporter->InternalError("LookupSubnets called on wrong table type");
+
+	VectorVal* result = new VectorVal(internal_type("subnet_vec")->AsVectorType());
+
+	auto matches = subnets->FindAll(search);
+	for ( auto element : matches )
+		{
+		SubNetVal* s = new SubNetVal(get<0>(element));
+		result->Assign(result->Size(), s);
+		}
+
+	return result;
+	}
+
+TableVal* TableVal::LookupSubnetValues(const SubNetVal* search)
+	{
+	if ( ! subnets )
+		reporter->InternalError("LookupSubnetValues called on wrong table type");
+
+	TableVal* nt = new TableVal(this->Type()->Ref()->AsTableType());
+
+	auto matches = subnets->FindAll(search);
+	for ( auto element : matches )
+		{
+		SubNetVal* s = new SubNetVal(get<0>(element));
+		TableEntryVal* entry = reinterpret_cast<TableEntryVal*>(get<1>(element));
+
+		if ( entry && entry->Value() )
+			nt->Assign(s, entry->Value()->Ref());
+		else
+			nt->Assign(s, 0); // set
+
+		if ( entry )
+			{
+			if ( attrs && attrs->FindAttr(ATTR_EXPIRE_READ) )
+				{
+				entry->SetExpireAccess(network_time);
+				if ( LoggingAccess() && ExpirationEnabled() )
+					ReadOperation(s, entry);
+				}
+			}
+
+		Unref(s); // assign does not consume index
+		}
+
+	return nt;
+	}
+
 bool TableVal::UpdateTimestamp(Val* index)
 	{
 	TableEntryVal* v;
@@ -1854,7 +1915,7 @@ bool TableVal::UpdateTimestamp(Val* index)
 		return false;
 
 	v->SetExpireAccess(network_time);
-	if ( attrs->FindAttr(ATTR_EXPIRE_READ) )
+	if ( LoggingAccess() && attrs->FindAttr(ATTR_EXPIRE_READ) )
 		ReadOperation(index, v);
 
 	return true;
@@ -2118,6 +2179,13 @@ void TableVal::DoExpire(double t)
 
 	PDict(TableEntryVal)* tbl = AsNonConstTable();
 
+	double timeout = GetExpireTime();
+
+	if ( timeout < 0 )
+		// Skip in case of unset/invalid expiration value. If it's an
+		// error, it has been reported already.
+		return;
+
 	if ( ! expire_cookie )
 		{
 		expire_cookie = tbl->InitForIteration();
@@ -2139,11 +2207,11 @@ void TableVal::DoExpire(double t)
 			// correct, so we just need to wait.
 			}
 
-		else if ( v->ExpireAccessTime() + expire_time < t )
+		else if ( v->ExpireAccessTime() + timeout < t )
 			{
 			Val* val = v->Value();
 
-			if ( expire_expr )
+			if ( expire_func )
 				{
 				Val* idx = RecoverIndex(k);
 				double secs = CallExpireFunc(idx);
@@ -2163,7 +2231,7 @@ void TableVal::DoExpire(double t)
 					{
 					// User doesn't want us to expire
 					// this now.
-					v->SetExpireAccess(network_time - expire_time + secs);
+					v->SetExpireAccess(network_time - timeout + secs);
 					delete k;
 					continue;
 					}
@@ -2200,9 +2268,27 @@ void TableVal::DoExpire(double t)
 		InitTimer(table_expire_delay);
 	}
 
+double TableVal::GetExpireTime()
+	{
+	if ( ! expire_time )
+		return -1;
+
+	Val* timeout = expire_time->Eval(0);
+
+	if ( timeout && (timeout->AsInterval() >= 0) )
+		return timeout->AsInterval();
+
+	expire_time = 0;
+
+	if ( timer )
+		timer_mgr->Cancel(timer);
+
+	return -1;
+	}
+
 double TableVal::CallExpireFunc(Val* idx)
 	{
-	if ( ! expire_expr )
+	if ( ! expire_func )
 		{
 		Unref(idx);
 		return 0;
@@ -2227,8 +2313,26 @@ double TableVal::CallExpireFunc(Val* idx)
 
 	try
 		{
-		Val* vs = expire_expr->Eval(0)->AsFunc()->Call(vl);
+		Val* vf = expire_func->Eval(0);
+
+		if ( ! vf )
+			{
+			// Will have been reported already.
+			delete_vals(vl);
+			return 0;
+			}
+
+		if ( vf->Type()->Tag() != TYPE_FUNC )
+			{
+			Unref(vf);
+			vf->Error("not a function");
+			return 0;
+			}
+
+		Val* vs = vf->AsFunc()->Call(vl);
 		secs = vs->AsInterval();
+
+		Unref(vf);
 		Unref(vs);
 		delete vl;
 		}
@@ -2243,11 +2347,18 @@ double TableVal::CallExpireFunc(Val* idx)
 
 void TableVal::ReadOperation(Val* index, TableEntryVal* v)
 	{
+	double timeout = GetExpireTime();
+
+	if ( timeout < 0 )
+		// Skip in case of unset/invalid expiration value. If it's an
+		// error, it has been reported already.
+		return;
+
 	// In theory we need to only propagate one update per &read_expire
 	// interval to prevent peers from expiring intervals. To account for
 	// practical issues such as latency, we send one update every half
 	// &read_expire.
-	if ( network_time - v->LastReadUpdate() > expire_time / 2 )
+	if ( network_time - v->LastReadUpdate() > timeout / 2 )
 		{
 		StateAccess::Log(new StateAccess(OP_READ_IDX, this, index));
 		v->SetLastReadUpdate(network_time);
@@ -2286,11 +2397,9 @@ bool TableVal::DoSerialize(SerialInfo* info) const
 		state->did_index = false;
 		info->s->WriteOpenTag(table_type->IsSet() ? "set" : "table");
 
-		if ( ! SERIALIZE(expire_time) )
-			return false;
-
 		SERIALIZE_OPTIONAL(attrs);
-		SERIALIZE_OPTIONAL(expire_expr);
+		SERIALIZE_OPTIONAL(expire_time);
+		SERIALIZE_OPTIONAL(expire_func);
 
 		// Make sure nobody kills us in between.
 		const_cast<TableVal*>(this)->Ref();
@@ -2343,7 +2452,7 @@ bool TableVal::DoSerialize(SerialInfo* info) const
 			}
 
 		// Serialize index.
-		if ( ! state->did_index )
+		if ( k && ! state->did_index )
 			{
 			// Indices are rather small, so we disable suspension
 			// here again.
@@ -2415,13 +2524,11 @@ bool TableVal::DoUnserialize(UnserialInfo* info)
 	{
 	DO_UNSERIALIZE(MutableVal);
 
-	if ( ! UNSERIALIZE(&expire_time) )
-		return false;
-
 	Init((TableType*) type);
 
 	UNSERIALIZE_OPTIONAL(attrs, Attributes::Unserialize(info));
-	UNSERIALIZE_OPTIONAL(expire_expr, Expr::Unserialize(info));
+	UNSERIALIZE_OPTIONAL(expire_time, Expr::Unserialize(info));
+	UNSERIALIZE_OPTIONAL(expire_func, Expr::Unserialize(info));
 
 	while ( true )
 		{
@@ -2478,7 +2585,7 @@ bool TableVal::DoUnserialize(UnserialInfo* info)
 		}
 
 	// If necessary, activate the expire timer.
-	if ( attrs)
+	if ( attrs )
 		{
 		CheckExpireAttr(ATTR_EXPIRE_READ);
 		CheckExpireAttr(ATTR_EXPIRE_WRITE);
diff --git a/src/Val.h b/src/Val.h
index c418addd55..160eeafe64 100644
--- a/src/Val.h
+++ b/src/Val.h
@@ -644,7 +644,7 @@ protected:
 	DECLARE_SERIAL(PatternVal);
 };
 
-// ListVals are mainly used to index tables that have more than one 
+// ListVals are mainly used to index tables that have more than one
 // element in their index.
 class ListVal : public Val {
 public:
@@ -753,10 +753,11 @@ public:
 	TableVal(TableType* t, Attributes* attrs = 0);
 	~TableVal();
 
-	// Returns true if the assignment typechecked, false if not.
-	// Second version takes a HashKey and Unref()'s it when done.
-	// If we're a set, new_val has to be nil.
-	// If we aren't a set, index may be nil in the second version.
+	// Returns true if the assignment typechecked, false if not. The
+	// methods take ownership of new_val, but not of the index. Second
+	// version takes a HashKey and Unref()'s it when done. If we're a
+	// set, new_val has to be nil. If we aren't a set, index may be nil
+	// in the second version.
 	int Assign(Val* index, Val* new_val, Opcode op = OP_ASSIGN);
 	int Assign(Val* index, HashKey* k, Val* new_val, Opcode op = OP_ASSIGN);
 
@@ -789,6 +790,16 @@ public:
 	// need to Ref/Unref it when calling the default function.
 	Val* Lookup(Val* index, bool use_default_val = true);
 
+	// For a table[subnet]/set[subnet], return all subnets that cover
+	// the given subnet.
+	// Causes an internal error if called for any other kind of table.
+	VectorVal* LookupSubnets(const SubNetVal* s);
+
+	// For a set[subnet]/table[subnet], return a new table that only contains
+	// entries that cover the given subnet.
+	// Causes an internal error if called for any other kind of table.
+	TableVal* LookupSubnetValues(const SubNetVal* s);
+
 	// Sets the timestamp for the given index to network time.
 	// Returns false if index does not exist.
 	bool UpdateTimestamp(Val* index);
@@ -813,6 +824,11 @@ public:
 	int Size() const	{ return AsTable()->Length(); }
 	int RecursiveSize() const;
 
+	// Returns the Prefix table used inside the table (if present).
+	// This allows us to do more direct queries to this specialized
+	// type that the general Table API does not allow.
+	const PrefixTable* Subnets() const { return subnets; }
+
 	void Describe(ODesc* d) const override;
 
 	void InitTimer(double delay);
@@ -846,6 +862,14 @@ protected:
 	// Calculates default value for index.  Returns 0 if none.
 	Val* Default(Val* index);
 
+	// Returns true if item expiration is enabled.
+	bool ExpirationEnabled()	{ return expire_time != 0; }
+
+	// Returns the expiration time defined by %{create,read,write}_expire
+	// attribute, or -1 for unset/invalid values. In the invalid case, an
+	// error will have been reported.
+	double GetExpireTime();
+
 	// Calls &expire_func and returns its return interval;
 	// takes ownership of the reference.
 	double CallExpireFunc(Val *idx);
@@ -858,8 +882,8 @@ protected:
 	TableType* table_type;
 	CompositeHash* table_hash;
 	Attributes* attrs;
-	double expire_time;
-	Expr* expire_expr;
+	Expr* expire_time;
+	Expr* expire_func;
 	TableValTimer* timer;
 	IterCookie* expire_cookie;
 	PrefixTable* subnets;
diff --git a/src/analyzer/Analyzer.cc b/src/analyzer/Analyzer.cc
index b4048af467..b44e0cc978 100644
--- a/src/analyzer/Analyzer.cc
+++ b/src/analyzer/Analyzer.cc
@@ -395,7 +395,7 @@ bool Analyzer::AddChildAnalyzer(Analyzer* analyzer, bool init)
 	// the list.
 
 	analyzer->parent = this;
-	children.push_back(analyzer);
+	new_children.push_back(analyzer);
 
 	if ( init )
 		analyzer->Init();
@@ -474,6 +474,13 @@ Analyzer* Analyzer::FindChild(ID arg_id)
 			return child;
 		}
 
+	LOOP_OVER_GIVEN_CHILDREN(i, new_children)
+		{
+		Analyzer* child = (*i)->FindChild(arg_id);
+		if ( child )
+			return child;
+		}
+
 	return 0;
 	}
 
@@ -489,6 +496,13 @@ Analyzer* Analyzer::FindChild(Tag arg_tag)
 			return child;
 		}
 
+	LOOP_OVER_GIVEN_CHILDREN(i, new_children)
+		{
+		Analyzer* child = (*i)->FindChild(arg_tag);
+		if ( child )
+			return child;
+		}
+
 	return 0;
 	}
 
@@ -655,11 +669,7 @@ void Analyzer::ProtocolConfirmation(Tag arg_tag)
 	vl->append(BuildConnVal());
 	vl->append(tval);
 	vl->append(new Val(id, TYPE_COUNT));
-
-	// We immediately raise the event so that the analyzer can quickly
-	// react if necessary.
-	::Event* e = new ::Event(protocol_confirmation, vl, SOURCE_LOCAL);
-	mgr.Dispatch(e);
+	mgr.QueueEvent(protocol_confirmation, vl);
 
 	protocol_confirmed = true;
 	}
@@ -687,11 +697,7 @@ void Analyzer::ProtocolViolation(const char* reason, const char* data, int len)
 	vl->append(tval);
 	vl->append(new Val(id, TYPE_COUNT));
 	vl->append(r);
-
-	// We immediately raise the event so that the analyzer can quickly be
-	// disabled if necessary.
-	::Event* e = new ::Event(protocol_violation, vl, SOURCE_LOCAL);
-	mgr.Dispatch(e);
+	mgr.QueueEvent(protocol_violation, vl);
 	}
 
 void Analyzer::AddTimer(analyzer_timer_func timer, double t,
diff --git a/src/analyzer/Analyzer.h b/src/analyzer/Analyzer.h
index 83157aadde..df77a990ce 100644
--- a/src/analyzer/Analyzer.h
+++ b/src/analyzer/Analyzer.h
@@ -427,6 +427,10 @@ public:
 
 	/**
 	 * Returns a list of all direct child analyzers.
+	 *
+	 * Note that this does not include the list of analyzers that are
+	 * currently queued up to be added. If you just added an analyzer,
+	 * it will not immediately be in this list.
 	 */
 	const analyzer_list& GetChildren()	{ return children; }
 
diff --git a/src/analyzer/Manager.cc b/src/analyzer/Manager.cc
index 67aa6a0d33..6082f433da 100644
--- a/src/analyzer/Manager.cc
+++ b/src/analyzer/Manager.cc
@@ -361,7 +361,6 @@ bool Manager::BuildInitialAnalyzerTree(Connection* conn)
 	icmp::ICMP_Analyzer* icmp = 0;
 	TransportLayerAnalyzer* root = 0;
 	pia::PIA* pia = 0;
-	bool analyzed = false;
 	bool check_port = false;
 
 	switch ( conn->ConnTransport() ) {
@@ -383,7 +382,6 @@ bool Manager::BuildInitialAnalyzerTree(Connection* conn)
 	case TRANSPORT_ICMP: {
 		root = icmp = new icmp::ICMP_Analyzer(conn);
 		DBG_ANALYZER(conn, "activated ICMP analyzer");
-		analyzed = true;
 		break;
 		}
 
@@ -495,16 +493,10 @@ bool Manager::BuildInitialAnalyzerTree(Connection* conn)
 	if ( pia )
 		root->AddChildAnalyzer(pia->AsAnalyzer());
 
-	if ( root->GetChildren().size() )
-		analyzed = true;
-
 	conn->SetRootAnalyzer(root, pia);
 	root->Init();
 	root->InitChildren();
 
-	if ( ! analyzed )
-		conn->SetLifetime(non_analyzed_lifetime);
-
 	PLUGIN_HOOK_VOID(HOOK_SETUP_ANALYZER_TREE, HookSetupAnalyzerTree(conn));
 
 	return true;
diff --git a/src/analyzer/protocol/CMakeLists.txt b/src/analyzer/protocol/CMakeLists.txt
index 467fce83ee..dad19f718c 100644
--- a/src/analyzer/protocol/CMakeLists.txt
+++ b/src/analyzer/protocol/CMakeLists.txt
@@ -16,6 +16,7 @@ add_subdirectory(gtpv1)
 add_subdirectory(http)
 add_subdirectory(icmp)
 add_subdirectory(ident)
+add_subdirectory(imap)
 add_subdirectory(interconn)
 add_subdirectory(irc)
 add_subdirectory(krb)
@@ -30,6 +31,7 @@ add_subdirectory(pia)
 add_subdirectory(pop3)
 add_subdirectory(radius)
 add_subdirectory(rdp)
+add_subdirectory(rfb)
 add_subdirectory(rpc)
 add_subdirectory(sip)
 add_subdirectory(snmp)
@@ -43,4 +45,5 @@ add_subdirectory(syslog)
 add_subdirectory(tcp)
 add_subdirectory(teredo)
 add_subdirectory(udp)
+add_subdirectory(xmpp)
 add_subdirectory(zip)
diff --git a/src/analyzer/protocol/arp/ARP.cc b/src/analyzer/protocol/arp/ARP.cc
index 5cbb25451b..b9af26ecfa 100644
--- a/src/analyzer/protocol/arp/ARP.cc
+++ b/src/analyzer/protocol/arp/ARP.cc
@@ -10,9 +10,6 @@ using namespace analyzer::arp;
 
 ARP_Analyzer::ARP_Analyzer()
 	{
-	bad_arp = internal_handler("bad_arp");
-	arp_request = internal_handler("arp_request");
-	arp_reply = internal_handler("arp_reply");
 	}
 
 ARP_Analyzer::~ARP_Analyzer()
diff --git a/src/analyzer/protocol/arp/ARP.h b/src/analyzer/protocol/arp/ARP.h
index c4deddee03..1bdd382714 100644
--- a/src/analyzer/protocol/arp/ARP.h
+++ b/src/analyzer/protocol/arp/ARP.h
@@ -50,10 +50,6 @@ protected:
 	StringVal* EthAddrToStr(const u_char* addr);
 	void BadARP(const struct arp_pkthdr* hdr, const char* string);
 	void Corrupted(const char* string);
-
-	EventHandlerPtr arp_corrupted_packet;
-	EventHandlerPtr arp_request;
-	EventHandlerPtr arp_reply;
 };
 
 } } // namespace analyzer::* 
diff --git a/src/analyzer/protocol/conn-size/ConnSize.cc b/src/analyzer/protocol/conn-size/ConnSize.cc
index 183ee1e233..4fd4154c05 100644
--- a/src/analyzer/protocol/conn-size/ConnSize.cc
+++ b/src/analyzer/protocol/conn-size/ConnSize.cc
@@ -12,7 +12,8 @@ using namespace analyzer::conn_size;
 
 ConnSize_Analyzer::ConnSize_Analyzer(Connection* c)
     : Analyzer("CONNSIZE", c),
-      orig_bytes(), resp_bytes(), orig_pkts(), resp_pkts()
+      orig_bytes(), resp_bytes(), orig_pkts(), resp_pkts(),
+      orig_bytes_thresh(), resp_bytes_thresh(), orig_pkts_thresh(), resp_pkts_thresh()
 	{
 	}
 
diff --git a/src/analyzer/protocol/dhcp/dhcp-analyzer.pac b/src/analyzer/protocol/dhcp/dhcp-analyzer.pac
index a967940ca6..a11412ce96 100644
--- a/src/analyzer/protocol/dhcp/dhcp-analyzer.pac
+++ b/src/analyzer/protocol/dhcp/dhcp-analyzer.pac
@@ -237,7 +237,7 @@ flow DHCP_Flow(is_orig: bool) {
 
 		Unref(dhcp_msg_val_);
 
-		const char* mac_str = fmt_mac(${msg.chaddr}.data(), ${msg.chaddr}.length());
+		std::string mac_str = fmt_mac(${msg.chaddr}.data(), ${msg.chaddr}.length());
 
 		RecordVal* r = new RecordVal(dhcp_msg);
 		r->Assign(0, new Val(${msg.op}, TYPE_COUNT));
@@ -247,8 +247,6 @@ flow DHCP_Flow(is_orig: bool) {
 		r->Assign(4, new AddrVal(${msg.ciaddr}));
 		r->Assign(5, new AddrVal(${msg.yiaddr}));
 
-		delete [] mac_str;
-
 		dhcp_msg_val_ = r;
 
 		switch ( ${msg.op} )
diff --git a/src/analyzer/protocol/dns/DNS.cc b/src/analyzer/protocol/dns/DNS.cc
index b449589e6c..1fc94a80ba 100644
--- a/src/analyzer/protocol/dns/DNS.cc
+++ b/src/analyzer/protocol/dns/DNS.cc
@@ -282,6 +282,10 @@ int DNS_Interpreter::ParseAnswer(DNS_MsgInfo* msg,
 			status = ParseRR_TXT(msg, data, len, rdlength, msg_start);
 			break;
 
+		case TYPE_CAA:
+			status = ParseRR_CAA(msg, data, len, rdlength, msg_start);
+			break;
+
 		case TYPE_NBS:
 			status = ParseRR_NBS(msg, data, len, rdlength, msg_start);
 			break;
@@ -904,6 +908,51 @@ int DNS_Interpreter::ParseRR_TXT(DNS_MsgInfo* msg,
 	return rdlength == 0;
 	}
 
+int DNS_Interpreter::ParseRR_CAA(DNS_MsgInfo* msg,
+				const u_char*& data, int& len, int rdlength,
+				const u_char* msg_start)
+	{
+	if ( ! dns_CAA_reply || msg->skip_event )
+		{
+		data += rdlength;
+		len -= rdlength;
+		return 1;
+		}
+
+	unsigned int flags = ExtractShort(data, len);
+	unsigned int tagLen = flags & 0xff;
+	flags = flags >> 8;
+	rdlength -= 2;
+	if ( (int) tagLen >= rdlength )
+		{
+		analyzer->Weird("DNS_CAA_char_str_past_rdlen");
+		return 0;
+		}
+	BroString* tag = new BroString(data, tagLen, 1);
+	len -= tagLen;
+	data += tagLen;
+	rdlength -= tagLen;
+	BroString* value = new BroString(data, rdlength, 0);
+
+	len -= value->Len();
+	data += value->Len();
+	rdlength -= value->Len();
+
+	val_list* vl = new val_list;
+
+	vl->append(analyzer->BuildConnVal());
+	vl->append(msg->BuildHdrVal());
+	vl->append(msg->BuildAnswerVal());
+	vl->append(new Val(flags, TYPE_COUNT));
+	vl->append(new StringVal(tag));
+	vl->append(new StringVal(value));
+
+	analyzer->ConnectionEvent(dns_CAA_reply, vl);
+
+	return rdlength == 0;
+	}
+
+
 void DNS_Interpreter::SendReplyOrRejectEvent(DNS_MsgInfo* msg,
 						EventHandlerPtr event,
 						const u_char*& data, int& len,
diff --git a/src/analyzer/protocol/dns/DNS.h b/src/analyzer/protocol/dns/DNS.h
index 59f51812ca..87618cd18e 100644
--- a/src/analyzer/protocol/dns/DNS.h
+++ b/src/analyzer/protocol/dns/DNS.h
@@ -56,6 +56,7 @@ typedef enum {
 	TYPE_EDNS = 41,		///< OPT pseudo-RR (RFC 2671)
 	TYPE_TKEY = 249,	///< Transaction Key (RFC 2930)
 	TYPE_TSIG = 250,	///< Transaction Signature (RFC 2845)
+	TYPE_CAA = 257,		///< Certification Authority Authorization (RFC 6844)
 
 	// The following are only valid in queries.
 	TYPE_AXFR = 252,
@@ -132,7 +133,7 @@ public:
 	StringVal* query_name;
 	RR_Type atype;
 	int aclass;	///< normally = 1, inet
-	int ttl;
+	uint32 ttl;
 
 	DNS_AnswerType answer_type;
 	int skip_event;		///< if true, don't generate corresponding events
@@ -211,6 +212,9 @@ protected:
 	int ParseRR_TXT(DNS_MsgInfo* msg,
 				const u_char*& data, int& len, int rdlength,
 				const u_char* msg_start);
+	int ParseRR_CAA(DNS_MsgInfo* msg,
+				const u_char*& data, int& len, int rdlength,
+				const u_char* msg_start);
 	int ParseRR_TSIG(DNS_MsgInfo* msg,
 				const u_char*& data, int& len, int rdlength,
 				const u_char* msg_start);
diff --git a/src/analyzer/protocol/dns/events.bif b/src/analyzer/protocol/dns/events.bif
index 9350939a2e..ae796c8e4c 100644
--- a/src/analyzer/protocol/dns/events.bif
+++ b/src/analyzer/protocol/dns/events.bif
@@ -378,6 +378,25 @@ event dns_MX_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string,
 ##    dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
 event dns_TXT_reply%(c: connection, msg: dns_msg, ans: dns_answer, strs: string_vec%);
 
+## Generated for DNS replies of type *CAA* (Certification Authority Authorization).
+## For replies with multiple answers, an individual event of the corresponding type
+## is raised for each.
+## See `RFC 6844 <https://tools.ietf.org/html/rfc6844>`__ for more details.
+##
+## c: The connection, which may be UDP or TCP depending on the type of the
+##    transport-layer session being analyzed.
+##
+## msg: The parsed DNS message header.
+##
+## ans: The type-independent part of the parsed answer record.
+##
+## flags: The flags byte of the CAA reply.
+##
+## tag: The property identifier of the CAA reply.
+##
+## value: The property value of the CAA reply.
+event dns_CAA_reply%(c: connection, msg: dns_msg, ans: dns_answer, flags: count, tag: string, value: string%);
+
 ## Generated for DNS replies of type *SRV*. For replies with multiple answers,
 ## an individual event of the corresponding type is raised for each.
 ##
diff --git a/src/analyzer/protocol/finger/Finger.cc b/src/analyzer/protocol/finger/Finger.cc
index 6a5865383b..a9818ff7af 100644
--- a/src/analyzer/protocol/finger/Finger.cc
+++ b/src/analyzer/protocol/finger/Finger.cc
@@ -54,7 +54,9 @@ void Finger_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig
 		if ( long_cnt )
 			line = skip_whitespace(line+2, end_of_line);
 
-		const char* at = strchr_n(line, end_of_line, '@');
+		assert(line <= end_of_line);
+		size_t n = end_of_line >= line ? end_of_line - line : 0; // just to be sure if assertions aren't on.
+		const char* at = reinterpret_cast<const char*>(memchr(line, '@', n));
 		const char* host = 0;
 		if ( ! at )
 			at = host = end_of_line;
diff --git a/src/analyzer/protocol/http/HTTP.cc b/src/analyzer/protocol/http/HTTP.cc
index 36c92ed6e6..c1f4320c04 100644
--- a/src/analyzer/protocol/http/HTTP.cc
+++ b/src/analyzer/protocol/http/HTTP.cc
@@ -1209,7 +1209,15 @@ int HTTP_Analyzer::HTTP_RequestLine(const char* line, const char* end_of_line)
 	const char* end_of_method = get_HTTP_token(line, end_of_line);
 
 	if ( end_of_method == line )
+		{
+		// something went wrong with get_HTTP_token
+		// perform a weak test to see if the string "HTTP/"
+		// is found at the end of the RequestLine
+		if ( end_of_line - 9 >= line && strncasecmp(end_of_line - 9, " HTTP/", 6) == 0 )
+			goto bad_http_request_with_version;
+
 		goto error;
+	}
 
 	rest = skip_whitespace(end_of_method, end_of_line);
 
@@ -1230,6 +1238,10 @@ int HTTP_Analyzer::HTTP_RequestLine(const char* line, const char* end_of_line)
 
 	return 1;
 
+bad_http_request_with_version:
+	reporter->Weird(Conn(), "bad_HTTP_request_with_version");
+	return 0;
+
 error:
 	reporter->Weird(Conn(), "bad_HTTP_request");
 	return 0;
@@ -1370,7 +1382,7 @@ void HTTP_Analyzer::HTTP_Request()
 	const char* method = (const char*) request_method->AsString()->Bytes();
 	int method_len = request_method->AsString()->Len();
 
-	if ( strcasecmp_n(method_len, method, "CONNECT") == 0 )
+	if ( strncasecmp(method, "CONNECT", method_len) == 0 )
 		connect_request = true;
 
 	if ( http_request )
@@ -1564,7 +1576,7 @@ int HTTP_Analyzer::ExpectReplyMessageBody()
 
 	const BroString* method = UnansweredRequestMethod();
 
-	if ( method && strcasecmp_n(method->Len(), (const char*) (method->Bytes()), "HEAD") == 0 )
+	if ( method && strncasecmp((const char*) (method->Bytes()), "HEAD", method->Len()) == 0 )
 		return HTTP_BODY_NOT_EXPECTED;
 
 	if ( (reply_code >= 100 && reply_code < 200) ||
@@ -1801,12 +1813,12 @@ void HTTP_Analyzer::SkipEntityData(int is_orig)
 	}
 
 int analyzer::http::is_reserved_URI_char(unsigned char ch)
-	{ // see RFC 2396 (definition of URI)
-	return strchr(";/?:@&=+$,", ch) != 0;
+	{ // see RFC 3986 (definition of URI)
+	return strchr(":/?#[]@!$&'()*+,;=", ch) != 0;
 	}
 
 int analyzer::http::is_unreserved_URI_char(unsigned char ch)
-	{ // see RFC 2396 (definition of URI)
+	{ // see RFC 3986 (definition of URI)
 	return isalnum(ch) || strchr("-_.!~*\'()", ch) != 0;
 	}
 
@@ -1823,19 +1835,6 @@ BroString* analyzer::http::unescape_URI(const u_char* line, const u_char* line_e
 	byte_vec decoded_URI = new u_char[line_end - line + 1];
 	byte_vec URI_p = decoded_URI;
 
-	// An 'unescaped_special_char' here means a character that *should*
-	// be escaped, but isn't in the URI.  A control characters that
-	// appears directly in the URI would be an example.  The RFC implies
-	// that if we do not unescape the URI that we see in the trace, every
-	// character should be a printable one -- either reserved or unreserved
-	// (or '%').
-	//
-	// Counting the number of unescaped characters and generating a weird
-	// event on URI's with unescaped characters (which are rare) will
-	// let us locate strange-looking URI's in the trace -- those URI's
-	// are often interesting.
-	int unescaped_special_char = 0;
-
 	while ( line < line_end )
 		{
 		if ( *line == '%' )
@@ -1869,6 +1868,36 @@ BroString* analyzer::http::unescape_URI(const u_char* line, const u_char* line_e
 				++line; // place line at the last hex digit
 				}
 
+			else if ( line_end - line >= 5 &&
+			          line[0] == 'u' &&
+			          isxdigit(line[1]) &&
+			          isxdigit(line[2]) &&
+			          isxdigit(line[3]) &&
+			          isxdigit(line[4]) )
+				{
+				// Decode escaping like this: %u00AE
+				// The W3C rejected escaping this way, and
+				// there is no RFC that specifies it.
+				// Appparently there is some software doing
+				// this sort of 4 byte unicode encoding anyway.
+				// Likely causing an increase in it's use is
+				// the third edition of the ECMAScript spec
+				// having functions for encoding and decoding
+				// data in this format.
+
+				// If the first byte is null, let's eat it.
+				// It could just be ASCII encoded into this
+				// unicode escaping structure.
+				if ( ! (line[1] == '0' && line[2] == '0' ) )
+					*URI_p++ = (decode_hex(line[1]) << 4) +
+					            decode_hex(line[2]);
+
+				*URI_p++ = (decode_hex(line[3]) << 4) +
+					    decode_hex(line[4]);
+
+				line += 4;
+				}
+
 			else
 				{
 				if ( analyzer )
@@ -1879,23 +1908,12 @@ BroString* analyzer::http::unescape_URI(const u_char* line, const u_char* line_e
 			}
 
 		else
-			{
-			if ( ! is_reserved_URI_char(*line) &&
-			     ! is_unreserved_URI_char(*line) )
-				// Count these up as a way to compress
-				// the corresponding Weird event to a
-				// single instance.
-				++unescaped_special_char;
 			*URI_p++ = *line;
-			}
 
 		++line;
 		}
 
 	URI_p[0] = 0;
 
-	if ( unescaped_special_char && analyzer )
-		analyzer->Weird("unescaped_special_URI_char");
-
 	return new BroString(1, decoded_URI, URI_p - decoded_URI);
 	}
diff --git a/src/analyzer/protocol/ident/Ident.cc b/src/analyzer/protocol/ident/Ident.cc
index 8d57da3477..f668be921c 100644
--- a/src/analyzer/protocol/ident/Ident.cc
+++ b/src/analyzer/protocol/ident/Ident.cc
@@ -153,8 +153,10 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig)
 		else
 			{
 			const char* sys_type = line;
-			const char* colon = strchr_n(line, end_of_line, ':');
-			const char* comma = strchr_n(line, end_of_line, ',');
+			assert(line <= end_of_line);
+			size_t n = end_of_line >= line ? end_of_line - line : 0; // just to be sure if assertions aren't on.
+			const char* colon = reinterpret_cast<const char*>(memchr(line, ':', n));
+			const char* comma = reinterpret_cast<const char*>(memchr(line, ',', n));
 			if ( ! colon )
 				{
 				BadReply(length, orig_line);
diff --git a/src/analyzer/protocol/imap/CMakeLists.txt b/src/analyzer/protocol/imap/CMakeLists.txt
new file mode 100644
index 0000000000..921dde2444
--- /dev/null
+++ b/src/analyzer/protocol/imap/CMakeLists.txt
@@ -0,0 +1,12 @@
+
+include(BroPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+bro_plugin_begin(Bro IMAP)
+bro_plugin_cc(Plugin.cc)
+bro_plugin_cc(IMAP.cc)
+bro_plugin_bif(events.bif)
+bro_plugin_pac(imap.pac imap-analyzer.pac imap-protocol.pac)
+bro_plugin_end()
+
diff --git a/src/analyzer/protocol/imap/IMAP.cc b/src/analyzer/protocol/imap/IMAP.cc
new file mode 100644
index 0000000000..ea09a66717
--- /dev/null
+++ b/src/analyzer/protocol/imap/IMAP.cc
@@ -0,0 +1,85 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "IMAP.h"
+#include "analyzer/protocol/tcp/TCP_Reassembler.h"
+#include "analyzer/Manager.h"
+
+using namespace analyzer::imap;
+
+IMAP_Analyzer::IMAP_Analyzer(Connection* conn)
+	: tcp::TCP_ApplicationAnalyzer("IMAP", conn)
+	{
+	interp = new binpac::IMAP::IMAP_Conn(this);
+	had_gap = false;
+	tls_active = false;
+	}
+
+IMAP_Analyzer::~IMAP_Analyzer()
+	{
+	delete interp;
+	}
+
+void IMAP_Analyzer::Done()
+	{
+	tcp::TCP_ApplicationAnalyzer::Done();
+
+	interp->FlowEOF(true);
+	interp->FlowEOF(false);
+	}
+
+void IMAP_Analyzer::EndpointEOF(bool is_orig)
+	{
+	tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
+	interp->FlowEOF(is_orig);
+	}
+
+void IMAP_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
+	{
+	tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
+
+	if ( tls_active )
+		{
+		// If TLS has been initiated, forward to child and abort further
+		// processing
+		ForwardStream(len, data, orig);
+		return;
+		}
+
+	assert(TCP());
+	if ( TCP()->IsPartial() )
+		return;
+
+	if ( had_gap )
+		// If only one side had a content gap, we could still try to
+		// deliver data to the other side if the script layer can
+		// handle this.
+		return;
+
+	try
+		{
+		interp->NewData(orig, data, data + len);
+		}
+	catch ( const binpac::Exception& e )
+		{
+		ProtocolViolation(fmt("Binpac exception: %s", e.c_msg()));
+		}
+	}
+
+void IMAP_Analyzer::Undelivered(uint64 seq, int len, bool orig)
+	{
+	tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
+	had_gap = true;
+	interp->NewGap(orig, len);
+	}
+
+void IMAP_Analyzer::StartTLS()
+	{
+	// StartTLS was called. This means we saw a client starttls followed
+	// by a server proceed. From here on, everything should be a binary
+	// TLS datastream.
+	tls_active = true;
+
+	Analyzer* ssl = analyzer_mgr->InstantiateAnalyzer("SSL", Conn());
+	if ( ssl )
+		AddChildAnalyzer(ssl);
+	}
diff --git a/src/analyzer/protocol/imap/IMAP.h b/src/analyzer/protocol/imap/IMAP.h
new file mode 100644
index 0000000000..e71770d360
--- /dev/null
+++ b/src/analyzer/protocol/imap/IMAP.h
@@ -0,0 +1,40 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#ifndef ANALYZER_PROTOCOL_IMAP_IMAP_H
+#define ANALYZER_PROTOCOL_IMAP_IMAP_H
+
+// for std::transform
+#include <algorithm>
+#include "analyzer/protocol/tcp/TCP.h"
+
+#include "imap_pac.h"
+
+namespace analyzer { namespace imap {
+
+class IMAP_Analyzer : public tcp::TCP_ApplicationAnalyzer {
+public:
+	IMAP_Analyzer(Connection* conn);
+	virtual ~IMAP_Analyzer();
+
+	virtual void Done();
+	virtual void DeliverStream(int len, const u_char* data, bool orig);
+	virtual void Undelivered(uint64 seq, int len, bool orig);
+
+	// Overriden from tcp::TCP_ApplicationAnalyzer.
+	virtual void EndpointEOF(bool is_orig);
+
+	void StartTLS();
+
+	static analyzer::Analyzer* Instantiate(Connection* conn)
+		{ return new IMAP_Analyzer(conn); }
+
+protected:
+	binpac::IMAP::IMAP_Conn* interp;
+	bool had_gap;
+
+	bool tls_active;
+};
+
+} } // namespace analyzer::*
+
+#endif /* ANALYZER_PROTOCOL_IMAP_IMAP_H */
diff --git a/src/analyzer/protocol/imap/Plugin.cc b/src/analyzer/protocol/imap/Plugin.cc
new file mode 100644
index 0000000000..63358f1aeb
--- /dev/null
+++ b/src/analyzer/protocol/imap/Plugin.cc
@@ -0,0 +1,22 @@
+// See the file  in the main distribution directory for copyright.
+#include "plugin/Plugin.h"
+#include "IMAP.h"
+
+namespace plugin {
+namespace Bro_IMAP {
+
+class Plugin : public plugin::Plugin {
+public:
+	plugin::Configuration Configure()
+		{
+		AddComponent(new ::analyzer::Component("IMAP", ::analyzer::imap::IMAP_Analyzer::Instantiate));
+
+		plugin::Configuration config;
+		config.name = "Bro::IMAP";
+		config.description = "IMAP analyzer (StartTLS only)";
+		return config;
+		}
+} plugin;
+
+}
+}
diff --git a/src/analyzer/protocol/imap/events.bif b/src/analyzer/protocol/imap/events.bif
new file mode 100644
index 0000000000..8d70dda26f
--- /dev/null
+++ b/src/analyzer/protocol/imap/events.bif
@@ -0,0 +1,13 @@
+## Generated when a server sends a capability list to the client,
+## after being queried using the CAPABILITY command.
+##
+## c: The connection.
+##
+## capabilities: The list of IMAP capabilities as sent by the server.
+event imap_capabilities%(c: connection, capabilities: string_vec%);
+
+## Generated when a IMAP connection goes encrypted after a successful
+## StartTLS exchange between the client and the server.
+##
+## c: The connection.
+event imap_starttls%(c: connection%);
diff --git a/src/analyzer/protocol/imap/imap-analyzer.pac b/src/analyzer/protocol/imap/imap-analyzer.pac
new file mode 100644
index 0000000000..353aadb7ce
--- /dev/null
+++ b/src/analyzer/protocol/imap/imap-analyzer.pac
@@ -0,0 +1,76 @@
+refine connection IMAP_Conn += {
+
+	%member{
+		string client_starttls_id;
+	%}
+
+	%init{
+	%}
+
+	function proc_imap_token(is_orig: bool, tag: bytestring, command: bytestring): bool
+		%{
+		string commands = std_str(command);
+		std::transform(commands.begin(), commands.end(), commands.begin(), ::tolower);
+
+		string tags = std_str(tag);
+
+		//printf("imap %s %s\n", commands.c_str(), tags.c_str());
+
+		if ( !is_orig && tags == "*" && commands == "ok" )
+			bro_analyzer()->ProtocolConfirmation();
+
+		if ( is_orig && ( command == "capability" || commands == "starttls" ) )
+			bro_analyzer()->ProtocolConfirmation();
+
+		if ( command == "authenticate" || command == "login" || command == "examine" || command == "create" || command == "list" || command == "fetch" )
+			{
+			bro_analyzer()->ProtocolConfirmation();
+			// Handshake has passed the phase where we should see StartTLS. Simply skip from hereon...
+			bro_analyzer()->SetSkip(true);
+			return true;
+			}
+
+		if ( is_orig && commands == "starttls" )
+			{
+			if ( !client_starttls_id.empty() )
+				reporter->Weird(bro_analyzer()->Conn(), "IMAP: client sent duplicate StartTLS");
+
+			client_starttls_id = tags;
+			}
+
+		if ( !is_orig && !client_starttls_id.empty() && tags == client_starttls_id )
+			{
+			if ( commands == "ok" )
+				{
+				bro_analyzer()->StartTLS();
+				BifEvent::generate_imap_starttls(bro_analyzer(), bro_analyzer()->Conn());
+				}
+			else
+				reporter->Weird(bro_analyzer()->Conn(), "IMAP: server refused StartTLS");
+			}
+
+		return true;
+		%}
+
+	function proc_server_capability(capabilities: Capability[]): bool
+		%{
+		VectorVal* capv = new VectorVal(internal_type("string_vec")->AsVectorType());
+		for ( unsigned int i = 0; i< capabilities->size(); i++ )
+			{
+			const bytestring& capability = (*capabilities)[i]->cap();
+			capv->Assign(i, new StringVal(capability.length(), (const char*)capability.data()));
+			}
+
+		BifEvent::generate_imap_capabilities(bro_analyzer(), bro_analyzer()->Conn(), capv);
+		return true;
+		%}
+
+};
+
+refine typeattr ImapToken += &let {
+	proc: bool = $context.connection.proc_imap_token(is_orig, tag, command);
+};
+
+refine typeattr ServerCapability += &let {
+	proc: bool = $context.connection.proc_server_capability(capabilities);
+};
diff --git a/src/analyzer/protocol/imap/imap-protocol.pac b/src/analyzer/protocol/imap/imap-protocol.pac
new file mode 100644
index 0000000000..b1964b2bb8
--- /dev/null
+++ b/src/analyzer/protocol/imap/imap-protocol.pac
@@ -0,0 +1,70 @@
+# commands that we support parsing. The numbers do not really mean anything
+# in this case
+enum ImapCommand {
+	CMD_CAPABILITY,
+	CMD_UNKNOWN
+}
+
+type TAG = RE/[[:alnum:][:punct:]]+/;
+type CONTENT = RE/[^\r\n]*/;
+type SPACING = RE/[ ]+/;
+type OPTIONALSPACING = RE/[ ]*/;
+type NEWLINE = RE/[\r\n]+/;
+type OPTIONALNEWLINE = RE/[\r\n]*/;
+
+type IMAP_PDU(is_orig: bool) = ImapToken(is_orig)[] &until($input.length() == 0);
+
+type ImapToken(is_orig: bool) = record {
+	tag : TAG;
+	: SPACING;
+	command: TAG;
+	: OPTIONALSPACING;
+	client_or_server: case is_orig of {
+		true -> client: UnknownCommand(this) ;
+		false -> server: ServerContentText(this);
+	} &requires(pcommand) ;
+} &let {
+	pcommand: int = $context.connection.determine_command(is_orig, tag, command);
+};
+
+type ServerContentText(rec: ImapToken) = case rec.pcommand of {
+	CMD_CAPABILITY -> capability: ServerCapability(rec);
+	default -> unknown: UnknownCommand(rec);
+};
+
+type Capability = record {
+	cap: TAG;
+	: OPTIONALSPACING;
+	nl: OPTIONALNEWLINE;
+};
+
+type ServerCapability(rec: ImapToken) = record {
+	capabilities: Capability[] &until($context.connection.strlen($element.nl) > 0);
+};
+
+type UnknownCommand(rec: ImapToken) = record {
+	tagcontent: CONTENT;
+	: NEWLINE;
+};
+
+refine connection IMAP_Conn += {
+
+	function determine_command(is_orig: bool, tag: bytestring, command: bytestring): int
+		%{
+		string cmdstr = std_str(command);
+		std::transform(cmdstr.begin(), cmdstr.end(), cmdstr.begin(), ::tolower);
+		string tagstr = std_str(tag);
+
+		if ( !is_orig && cmdstr == "capability" && tag == "*" ) {
+			return CMD_CAPABILITY;
+		}
+
+		return CMD_UNKNOWN;
+		%}
+
+	function strlen(str: bytestring): int
+		%{
+		return str.length();
+		%}
+
+};
diff --git a/src/analyzer/protocol/imap/imap.pac b/src/analyzer/protocol/imap/imap.pac
new file mode 100644
index 0000000000..f5c7559294
--- /dev/null
+++ b/src/analyzer/protocol/imap/imap.pac
@@ -0,0 +1,37 @@
+# binpac file for the IMAP analyzer.
+# Note that we currently do not even try to parse the protocol
+# completely -- this is only supposed to be able to parse imap
+# till StartTLS does (or does not) kick in.
+
+%include binpac.pac
+%include bro.pac
+
+%extern{
+#include "events.bif.h"
+
+namespace analyzer { namespace imap { class IMAP_Analyzer; } }
+namespace binpac { namespace IMAP { class IMAP_Conn; } }
+typedef analyzer::imap::IMAP_Analyzer* IMAPAnalyzer;
+
+#include "IMAP.h"
+%}
+
+extern type IMAPAnalyzer;
+
+analyzer IMAP withcontext {
+	connection:	 IMAP_Conn;
+	flow:		 IMAP_Flow;
+};
+
+connection IMAP_Conn(bro_analyzer: IMAPAnalyzer) {
+	upflow = IMAP_Flow(true);
+	downflow = IMAP_Flow(false);
+};
+
+%include imap-protocol.pac
+
+flow IMAP_Flow(is_orig: bool) {
+	datagram = IMAP_PDU(is_orig) withcontext(connection, this);
+};
+
+%include imap-analyzer.pac
diff --git a/src/analyzer/protocol/irc/IRC.cc b/src/analyzer/protocol/irc/IRC.cc
index 2ed04ee6b1..a26045f250 100644
--- a/src/analyzer/protocol/irc/IRC.cc
+++ b/src/analyzer/protocol/irc/IRC.cc
@@ -32,6 +32,15 @@ void IRC_Analyzer::Done()
 	tcp::TCP_ApplicationAnalyzer::Done();
 	}
 
+inline void IRC_Analyzer::SkipLeadingWhitespace(string& str)
+	{
+	const auto first_char = str.find_first_not_of(" ");
+	if ( first_char == string::npos )
+		str = "";
+	else
+		str = str.substr(first_char);
+	}
+
 void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 	{
 	tcp::TCP_ApplicationAnalyzer::DeliverStream(length, line, orig);
@@ -49,20 +58,21 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 		return;
 		}
 
-	if ( length < 2 )
+	string myline = string((const char*) line, length);
+	SkipLeadingWhitespace(myline);
+
+	if ( myline.length() < 3 )
 		{
 		Weird("irc_line_too_short");
 		return;
 		}
 
-	string myline = string((const char*) line);
-
 	// Check for prefix.
 	string prefix = "";
-	if ( line[0] == ':' )
+	if ( myline[0] == ':' )
 		{ // find end of prefix and extract it
-		unsigned int pos = myline.find(' ');
-		if ( pos > (unsigned int) length )
+		auto pos = myline.find(' ');
+		if ( pos == string::npos )
 			{
 			Weird("irc_invalid_line");
 			return;
@@ -70,9 +80,9 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 
 		prefix = myline.substr(1, pos - 1);
 		myline = myline.substr(pos + 1);  // remove prefix from line
+		SkipLeadingWhitespace(myline);
 		}
 
-
 	if ( orig )
 		ProtocolConfirmation();
 
@@ -80,7 +90,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 	string command = "";
 
 	// Check if line is long enough to include status code or command.
-	if ( myline.size() < 4 )
+	// (shortest command with optional params is "WHO")
+	if ( myline.length() < 3 )
 		{
 		Weird("irc_invalid_line");
 		ProtocolViolation("line too short");
@@ -106,28 +117,30 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 		}
 	else
 		{ // get command
-
-		// special case that has no arguments
-		if ( myline == "STARTTLS" )
-			return;
-
-		unsigned int pos = myline.find(' ');
-		if ( pos > (unsigned int) length )
-			{
-			Weird("irc_invalid_line");
-			return;
-			}
+		auto pos = myline.find(' ');
+		// Not all commands require parameters
+		if ( pos == string::npos )
+			pos = myline.length();
 
 		command = myline.substr(0, pos);
 		for ( unsigned int i = 0; i < command.size(); ++i )
 			command[i] = toupper(command[i]);
 
+		// Adjust for the no-parameter case
+		if ( pos == myline.length() )
+			pos--;
+
 		myline = myline.substr(pos + 1);
+		SkipLeadingWhitespace(myline);
 		}
 
 	// Extract parameters.
 	string params = myline;
 
+	// special case
+	if ( command == "STARTTLS" )
+		return;
+
 	// Check for Server2Server - connections with ZIP enabled.
 	if ( orig && orig_status == WAIT_FOR_REGISTRATION )
 		{
@@ -148,7 +161,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 		//
 		// (### This seems not quite prudent to me - VP)
 		if ( command == "SERVER" && prefix == "")
-		        {
+			{
 			orig_status = REGISTERED;
 			}
 		}
@@ -156,7 +169,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 	if ( ! orig && resp_status == WAIT_FOR_REGISTRATION )
 		{
 		if ( command == "PASS" )
-		        {
+			{
 			vector<string> p = SplitWords(params,' ');
 			if ( p.size() > 3 &&
 			     (p[3].find('Z')<=p[3].size() ||
@@ -268,7 +281,9 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 				{
 				if ( parts[i][0] == '@' )
 					parts[i] = parts[i].substr(1);
-				set->Assign(new StringVal(parts[i].c_str()), 0);
+				Val* idx = new StringVal(parts[i].c_str());
+				set->Assign(idx, 0);
+				Unref(idx);
 				}
 			vl->append(set);
 
@@ -572,6 +587,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 		case 670:
 			// StartTLS success reply to StartTLS
 			StartTLS();
+			break;
 
 		// All other server replies.
 		default:
@@ -601,7 +617,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 		return;
 		}
 
-	else if ( irc_privmsg_message || (irc_dcc_message && command == "PRIVMSG") )
+	else if ( ( irc_privmsg_message || irc_dcc_message ) && command == "PRIVMSG")
 		{
 		unsigned int pos = params.find(' ');
 		if ( pos >= params.size() )
@@ -612,6 +628,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 
 		string target = params.substr(0, pos);
 		string message = params.substr(pos + 1);
+		SkipLeadingWhitespace(message);
 
 		if ( message.size() > 0 && message[0] == ':' )
 			message = message.substr(1);
@@ -686,6 +703,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 
 		string target = params.substr(0, pos);
 		string message = params.substr(pos + 1);
+		SkipLeadingWhitespace(message);
 		if ( message[0] == ':' )
 			message = message.substr(1);
 
@@ -710,6 +728,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 
 		string target = params.substr(0, pos);
 		string message = params.substr(pos + 1);
+		SkipLeadingWhitespace(message);
 		if ( message[0] == ':' )
 			message = message.substr(1);
 
@@ -935,7 +954,10 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 			{
 			channels = params.substr(0, pos);
 			if ( params.size() > pos + 1 )
+				{
 				message = params.substr(pos + 1);
+				SkipLeadingWhitespace(message);
+				}
 			if ( message[0] == ':' )
 				message = message.substr(1);
 			}
@@ -982,7 +1004,6 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 		val_list* vl = new val_list;
 		vl->append(BuildConnVal());
 		vl->append(new Val(orig, TYPE_BOOL));
-		vl->append(new Val(orig, TYPE_BOOL));
 		vl->append(new StringVal(nickname.c_str()));
 		vl->append(new StringVal(message.c_str()));
 
@@ -1007,7 +1028,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 	else if ( irc_who_message && command == "WHO" )
 		{
 		vector<string> parts = SplitWords(params, ' ');
-		if ( parts.size() < 1 || parts.size() > 2 )
+		if ( parts.size() > 2 )
 			{
 			Weird("irc_invalid_who_message_format");
 			return;
@@ -1018,13 +1039,16 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 			oper = true;
 
 		// Remove ":" from mask.
-		if ( parts[0].size() > 0 && parts[0][0] == ':' )
+		if ( parts.size() > 0 && parts[0].size() > 0 && parts[0][0] == ':' )
 			parts[0] = parts[0].substr(1);
 
 		val_list* vl = new val_list;
 		vl->append(BuildConnVal());
 		vl->append(new Val(orig, TYPE_BOOL));
-		vl->append(new StringVal(parts[0].c_str()));
+		if ( parts.size() > 0 )
+			vl->append(new StringVal(parts[0].c_str()));
+		else
+			vl->append(new StringVal(""));
 		vl->append(new Val(oper, TYPE_BOOL));
 
 		ConnectionEvent(irc_who_message, vl);
@@ -1129,6 +1153,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 			{
 			server = params.substr(0, pos);
 			message = params.substr(pos + 1);
+			SkipLeadingWhitespace(message);
 			if ( message[0] == ':' )
 				message = message.substr(1);
 			}
diff --git a/src/analyzer/protocol/irc/IRC.h b/src/analyzer/protocol/irc/IRC.h
index 82a97a4d4d..497225846d 100644
--- a/src/analyzer/protocol/irc/IRC.h
+++ b/src/analyzer/protocol/irc/IRC.h
@@ -22,7 +22,7 @@ public:
 	/**
 	* \brief Called when connection is closed.
 	*/
-	virtual void Done();
+	void Done() override;
 
 	/**
 	* \brief New input line in network stream.
@@ -31,7 +31,7 @@ public:
 	* \param data pointer to line start
 	* \param orig was this data sent from connection originator?
 	*/
-	virtual void DeliverStream(int len, const u_char* data, bool orig);
+	void DeliverStream(int len, const u_char* data, bool orig) override;
 
 	static analyzer::Analyzer* Instantiate(Connection* conn)
 		{
@@ -47,6 +47,8 @@ protected:
 private:
 	void StartTLS();
 
+	inline void SkipLeadingWhitespace(string& str);
+
 	/** \brief counts number of invalid IRC messages */
 	int invalid_msg_count;
 
diff --git a/src/analyzer/protocol/mime/MIME.cc b/src/analyzer/protocol/mime/MIME.cc
index d968be09cf..bcdfe03248 100644
--- a/src/analyzer/protocol/mime/MIME.cc
+++ b/src/analyzer/protocol/mime/MIME.cc
@@ -148,7 +148,7 @@ void MIME_Mail::Undelivered(int len)
 
 int strcasecmp_n(data_chunk_t s, const char* t)
 	{
-	return ::strcasecmp_n(s.length, s.data, t);
+	return strncasecmp(s.data, t, s.length);
 	}
 
 int MIME_count_leading_lws(int len, const char* data)
diff --git a/src/analyzer/protocol/mysql/mysql-analyzer.pac b/src/analyzer/protocol/mysql/mysql-analyzer.pac
index 2108401436..66710fb2bb 100644
--- a/src/analyzer/protocol/mysql/mysql-analyzer.pac
+++ b/src/analyzer/protocol/mysql/mysql-analyzer.pac
@@ -19,6 +19,9 @@ refine flow MySQL_Flow += {
 
 	function proc_mysql_handshake_response_packet(msg: Handshake_Response_Packet): bool
 		%{
+		if ( ${msg.version} == 9 || ${msg.version == 10} )
+			connection()->bro_analyzer()->ProtocolConfirmation();
+
 		if ( mysql_handshake )
 			{
 			if ( ${msg.version} == 10 )
diff --git a/src/analyzer/protocol/rfb/CMakeLists.txt b/src/analyzer/protocol/rfb/CMakeLists.txt
new file mode 100644
index 0000000000..28523bfe2d
--- /dev/null
+++ b/src/analyzer/protocol/rfb/CMakeLists.txt
@@ -0,0 +1,9 @@
+include(BroPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+bro_plugin_begin(Bro RFB)
+	bro_plugin_cc(RFB.cc Plugin.cc)
+	bro_plugin_bif(events.bif)
+	bro_plugin_pac(rfb.pac rfb-analyzer.pac rfb-protocol.pac)
+bro_plugin_end()
\ No newline at end of file
diff --git a/src/analyzer/protocol/rfb/Plugin.cc b/src/analyzer/protocol/rfb/Plugin.cc
new file mode 100644
index 0000000000..b3bed0f093
--- /dev/null
+++ b/src/analyzer/protocol/rfb/Plugin.cc
@@ -0,0 +1,23 @@
+#include "plugin/Plugin.h"
+
+#include "RFB.h"
+
+namespace plugin {
+namespace Bro_RFB {
+
+class Plugin : public plugin::Plugin {
+public:
+	plugin::Configuration Configure()
+		{
+		AddComponent(new ::analyzer::Component("RFB",
+		             ::analyzer::rfb::RFB_Analyzer::InstantiateAnalyzer));
+
+		plugin::Configuration config;
+		config.name = "Bro::RFB";
+		config.description = "Parser for rfb (VNC) analyzer";
+		return config;
+		}
+} plugin;
+
+}
+}
\ No newline at end of file
diff --git a/src/analyzer/protocol/rfb/RFB.cc b/src/analyzer/protocol/rfb/RFB.cc
new file mode 100644
index 0000000000..2669d6ed56
--- /dev/null
+++ b/src/analyzer/protocol/rfb/RFB.cc
@@ -0,0 +1,67 @@
+#include "RFB.h"
+
+#include "analyzer/protocol/tcp/TCP_Reassembler.h"
+
+#include "Reporter.h"
+
+#include "events.bif.h"
+
+using namespace analyzer::rfb;
+
+RFB_Analyzer::RFB_Analyzer(Connection* c)
+
+: tcp::TCP_ApplicationAnalyzer("RFB", c)
+
+	{
+	interp = new binpac::RFB::RFB_Conn(this);
+	had_gap = false;
+	}
+
+RFB_Analyzer::~RFB_Analyzer()
+	{
+	delete interp;
+	}
+
+void RFB_Analyzer::Done()
+	{
+	tcp::TCP_ApplicationAnalyzer::Done();
+
+	interp->FlowEOF(true);
+	interp->FlowEOF(false);
+
+	}
+
+void RFB_Analyzer::EndpointEOF(bool is_orig)
+	{
+	tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
+	interp->FlowEOF(is_orig);
+	}
+
+void RFB_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
+	{
+	tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
+	assert(TCP());
+	if ( TCP()->IsPartial() )
+		return;
+
+	if ( had_gap )
+		// If only one side had a content gap, we could still try to
+		// deliver data to the other side if the script layer can handle this.
+		return;
+
+	try
+		{
+		interp->NewData(orig, data, data + len);
+		}
+	catch ( const binpac::Exception& e )
+		{
+		ProtocolViolation(fmt("Binpac exception: %s", e.c_msg()));
+		}
+	}
+
+void RFB_Analyzer::Undelivered(uint64 seq, int len, bool orig)
+	{
+	tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
+	had_gap = true;
+	interp->NewGap(orig, len);
+	}
diff --git a/src/analyzer/protocol/rfb/RFB.h b/src/analyzer/protocol/rfb/RFB.h
new file mode 100644
index 0000000000..88a17eea5a
--- /dev/null
+++ b/src/analyzer/protocol/rfb/RFB.h
@@ -0,0 +1,43 @@
+#ifndef ANALYZER_PROTOCOL_RFB_RFB_H
+#define ANALYZER_PROTOCOL_RFB_RFB_H
+
+#include "events.bif.h"
+
+
+#include "analyzer/protocol/tcp/TCP.h"
+
+#include "rfb_pac.h"
+
+namespace analyzer { namespace rfb {
+
+class RFB_Analyzer
+
+: public tcp::TCP_ApplicationAnalyzer {
+
+public:
+	RFB_Analyzer(Connection* conn);
+	virtual ~RFB_Analyzer();
+
+	// Overriden from Analyzer.
+	virtual void Done();
+
+	virtual void DeliverStream(int len, const u_char* data, bool orig);
+	virtual void Undelivered(uint64 seq, int len, bool orig);
+
+	// Overriden from tcp::TCP_ApplicationAnalyzer.
+	virtual void EndpointEOF(bool is_orig);
+
+
+	static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
+		{ return new RFB_Analyzer(conn); }
+
+protected:
+	binpac::RFB::RFB_Conn* interp;
+
+	bool had_gap;
+
+};
+
+} } // namespace analyzer::*
+
+#endif
diff --git a/src/analyzer/protocol/rfb/events.bif b/src/analyzer/protocol/rfb/events.bif
new file mode 100644
index 0000000000..4a5bb40121
--- /dev/null
+++ b/src/analyzer/protocol/rfb/events.bif
@@ -0,0 +1,50 @@
+## Generated for RFB event
+##
+## c: The connection record for the underlying transport-layer session/flow.
+event rfb_event%(c: connection%);
+
+## Generated for RFB event authentication mechanism selection
+##
+## c: The connection record for the underlying transport-layer session/flow.
+##
+## authtype: the value of the chosen authentication mechanism
+event rfb_authentication_type%(c: connection, authtype: count%);
+
+## Generated for RFB event authentication result message
+##
+## c: The connection record for the underlying transport-layer session/flow.
+##
+## result: whether or not authentication was succesful
+event rfb_auth_result%(c: connection, result: bool%);
+
+## Generated for RFB event share flag messages
+##
+## c: The connection record for the underlying transport-layer session/flow.
+##
+## flag: whether or not the share flag was set
+event rfb_share_flag%(c: connection, flag: bool%);
+
+## Generated for RFB event client banner message
+##
+## c: The connection record for the underlying transport-layer session/flow.
+##
+## version: of the client's rfb library
+event rfb_client_version%(c: connection, major_version: string, minor_version: string%);
+
+## Generated for RFB event server banner message
+##
+## c: The connection record for the underlying transport-layer session/flow.
+##
+## version: of the server's rfb library
+event rfb_server_version%(c: connection, major_version: string, minor_version: string%);
+
+## Generated for RFB event server parameter message
+##
+## c: The connection record for the underlying transport-layer session/flow.
+##
+## name: name of the shared screen
+##
+## width: width of the shared screen
+##
+## height: height of the shared screen
+event rfb_server_parameters%(c: connection, name: string, width: count, height: count%);
\ No newline at end of file
diff --git a/src/analyzer/protocol/rfb/rfb-analyzer.pac b/src/analyzer/protocol/rfb/rfb-analyzer.pac
new file mode 100644
index 0000000000..39a792ba89
--- /dev/null
+++ b/src/analyzer/protocol/rfb/rfb-analyzer.pac
@@ -0,0 +1,203 @@
+refine flow RFB_Flow += {
+	function proc_rfb_message(msg: RFB_PDU): bool
+		%{
+		BifEvent::generate_rfb_event(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn());
+		return true;
+		%}
+
+	function proc_rfb_version(client: bool, major: bytestring, minor: bytestring) : bool
+		%{
+		if (client)
+			{
+			BifEvent::generate_rfb_client_version(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), bytestring_to_val(major), bytestring_to_val(minor));
+
+			connection()->bro_analyzer()->ProtocolConfirmation();
+			}
+			else
+			{
+			BifEvent::generate_rfb_server_version(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), bytestring_to_val(major), bytestring_to_val(minor));
+			}
+		return true;
+		%}
+
+	function proc_rfb_share_flag(shared: bool) : bool
+		%{
+		BifEvent::generate_rfb_share_flag(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), shared);
+		return true;
+		%}
+
+	function proc_security_types(msg: RFBSecurityTypes) : bool
+		%{
+		BifEvent::generate_rfb_authentication_type(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), ${msg.sectype});
+		return true;
+		%}
+
+	function proc_security_types37(msg: RFBAuthTypeSelected) : bool
+		%{
+		BifEvent::generate_rfb_authentication_type(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), ${msg.type});
+		return true;
+		%}
+
+	function proc_handle_server_params(msg:RFBServerInit) : bool
+		%{
+		BifEvent::generate_rfb_server_parameters(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), bytestring_to_val(${msg.name}), ${msg.width}, ${msg.height});
+		return true;
+		%}
+
+	function proc_handle_security_result(result : uint32) : bool
+		%{
+		BifEvent::generate_rfb_auth_result(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), result);
+		return true;
+		%}
+};
+
+refine connection RFB_Conn += {
+	%member{
+		enum states {
+			AWAITING_SERVER_BANNER = 0,
+			AWAITING_CLIENT_BANNER = 1,
+			AWAITING_SERVER_AUTH_TYPES = 2,
+			AWAITING_SERVER_CHALLENGE = 3,
+			AWAITING_CLIENT_RESPONSE = 4,
+			AWAITING_SERVER_AUTH_RESULT = 5,
+			AWAITING_CLIENT_SHARE_FLAG = 6,
+			AWAITING_SERVER_PARAMS = 7,
+			AWAITING_CLIENT_AUTH_METHOD = 8,
+			AWAITING_SERVER_ARD_CHALLENGE = 9,
+			AWAITING_CLIENT_ARD_RESPONSE = 10,
+			AWAITING_SERVER_AUTH_TYPES37 = 11,
+			AWAITING_CLIENT_AUTH_TYPE_SELECTED37 = 12,
+			RFB_MESSAGE = 13
+		};
+	%}
+
+	function get_state(client: bool) : int
+		%{
+		return state;
+		%}
+
+	function handle_banners(client: bool, msg: RFBProtocolVersion) : bool
+		%{
+		if ( client )
+			{
+			// Set protocol version on client's version
+			int minor_version = bytestring_to_int(${msg.minor_ver},10);
+			version = minor_version;
+
+			// Apple specifies minor version "889" but talks v37
+			if ( minor_version >= 7 )
+				state = AWAITING_SERVER_AUTH_TYPES37;
+			else
+				state = AWAITING_SERVER_AUTH_TYPES;
+			}
+			else
+				state = AWAITING_CLIENT_BANNER;
+
+		return true;
+		%}
+
+	function handle_ard_challenge() : bool
+		%{
+		state = AWAITING_CLIENT_ARD_RESPONSE;
+		return true;
+		%}
+
+	function handle_ard_response() : bool
+		%{
+		state = AWAITING_SERVER_AUTH_RESULT;
+		return true;
+		%}
+
+	function handle_auth_request() : bool
+		%{
+		state = AWAITING_CLIENT_RESPONSE;
+		return true;
+		%}
+
+	function handle_auth_response() : bool
+		%{
+		state = AWAITING_SERVER_AUTH_RESULT;
+		return true;
+		%}
+
+	function handle_security_result(msg: RFBSecurityResult) : bool
+		%{
+		if ( ${msg.result} == 0 )
+			{
+			state = AWAITING_CLIENT_SHARE_FLAG;
+			}
+		return true;
+		%}
+
+	function handle_client_init(msg: RFBClientInit) : bool
+		%{
+		state = AWAITING_SERVER_PARAMS;
+		return true;
+		%}
+
+	function handle_server_init(msg: RFBServerInit) : bool
+		%{
+		state = RFB_MESSAGE;
+		return true;
+		%}
+
+	function handle_security_types(msg: RFBSecurityTypes): bool
+		%{
+		if ( msg->sectype() == 0 )
+			{ // No auth
+			state = AWAITING_CLIENT_SHARE_FLAG;
+			return true;
+			}
+
+		if ( msg->sectype() == 2 )
+			{ // VNC
+			if ( ${msg.possible_challenge}.length() == 16 )
+				// Challenge was already sent with this message
+				state = AWAITING_CLIENT_RESPONSE;
+			else
+				state = AWAITING_SERVER_CHALLENGE;
+			}
+		return true;
+		%}
+
+	function handle_security_types37(msg: RFBSecurityTypes37): bool
+		%{
+		if ( ${msg.count} == 0 )
+			{ // No auth
+			state = AWAITING_CLIENT_SHARE_FLAG;
+			return true;
+			}
+		state = AWAITING_CLIENT_AUTH_TYPE_SELECTED37;
+		return true;
+		%}
+
+	function handle_auth_type_selected(msg: RFBAuthTypeSelected): bool
+		%{
+		if ( ${msg.type} == 30 )
+			{ // Apple Remote Desktop
+				state = AWAITING_SERVER_ARD_CHALLENGE;
+				return true;
+			}
+
+		if ( ${msg.type} == 1 )
+			{
+				if ( version > 7 )
+					state = AWAITING_SERVER_AUTH_RESULT;
+				else
+					state = AWAITING_CLIENT_SHARE_FLAG;
+			}
+		else
+			state = AWAITING_SERVER_CHALLENGE;
+
+		return true;
+		%}
+
+	%member{
+		uint8 state = AWAITING_SERVER_BANNER;
+		int version = 0;
+	%}
+};
+
+refine typeattr RFB_PDU += &let {
+	proc: bool = $context.flow.proc_rfb_message(this);
+};
diff --git a/src/analyzer/protocol/rfb/rfb-protocol.pac b/src/analyzer/protocol/rfb/rfb-protocol.pac
new file mode 100644
index 0000000000..bfddbeea0e
--- /dev/null
+++ b/src/analyzer/protocol/rfb/rfb-protocol.pac
@@ -0,0 +1,140 @@
+enum states {
+			AWAITING_SERVER_BANNER = 0,
+			AWAITING_CLIENT_BANNER = 1,
+			AWAITING_SERVER_AUTH_TYPES = 2,
+			AWAITING_SERVER_CHALLENGE = 3,
+			AWAITING_CLIENT_RESPONSE = 4,
+			AWAITING_SERVER_AUTH_RESULT = 5,
+			AWAITING_CLIENT_SHARE_FLAG = 6,
+			AWAITING_SERVER_PARAMS = 7,
+			AWAITING_CLIENT_AUTH_METHOD = 8,
+			AWAITING_SERVER_ARD_CHALLENGE = 9,
+			AWAITING_CLIENT_ARD_RESPONSE = 10,
+			AWAITING_SERVER_AUTH_TYPES37 = 11,
+			AWAITING_CLIENT_AUTH_TYPE_SELECTED37 = 12,
+			RFB_MESSAGE = 13
+		};
+
+type RFBProtocolVersion (client: bool) = record {
+	header: "RFB ";
+	major_ver: bytestring &length=3;
+	dot: ".";
+	minor_ver: bytestring &length=3;
+	pad: uint8;
+} &let {
+	proc: bool = $context.connection.handle_banners(client, this);
+	proc2: bool = $context.flow.proc_rfb_version(client, major_ver, minor_ver);
+}
+
+type RFBSecurityTypes = record {
+	sectype: uint32;
+	possible_challenge: bytestring &restofdata;
+} &let {
+	proc: bool = $context.connection.handle_security_types(this);
+	proc2: bool = $context.flow.proc_security_types(this);
+};
+
+type RFBSecurityTypes37 = record {
+	count: uint8;
+	types: uint8[count];
+} &let {
+	proc: bool = $context.connection.handle_security_types37(this);
+};
+
+type RFBAuthTypeSelected = record {
+	type: uint8;
+} &let {
+	proc: bool = $context.connection.handle_auth_type_selected(this);
+	proc2: bool = $context.flow.proc_security_types37(this);
+};
+
+type RFBSecurityResult = record {
+	result: uint32;
+} &let {
+	proc: bool = $context.connection.handle_security_result(this);
+	proc2: bool = $context.flow.proc_handle_security_result(result);
+};
+
+type RFBSecurityResultReason = record {
+	len: uint32;
+	reason: bytestring &length=len;
+};
+
+type RFBVNCAuthenticationRequest = record {
+	challenge: bytestring &length=16;
+} &let {
+	proc: bool = $context.connection.handle_auth_request();
+};
+
+type RFBVNCAuthenticationResponse = record {
+	response: bytestring &length= 16;
+} &let {
+	proc: bool = $context.connection.handle_auth_response();
+};
+
+type RFBSecurityARDChallenge = record {
+	challenge: bytestring &restofdata;
+} &let {
+	proc: bool = $context.connection.handle_ard_challenge();
+}
+
+type RFBSecurityARDResponse = record {
+	response: bytestring &restofdata;
+} &let {
+	proc: bool = $context.connection.handle_ard_response();
+}
+
+type RFBClientInit = record {
+	shared_flag: uint8;
+} &let {
+	proc: bool = $context.connection.handle_client_init(this);
+	proc2: bool = $context.flow.proc_rfb_share_flag(shared_flag);
+}
+
+type RFBServerInit = record {
+	width: uint16;
+	height: uint16;
+	pixel_format: bytestring &length= 16;
+	len : uint32;
+	name: bytestring &length = len;
+} &let {
+	proc: bool = $context.connection.handle_server_init(this);
+	proc2: bool = $context.flow.proc_handle_server_params(this);
+};
+
+type RFB_PDU_request = record {
+	request: case state of {
+		AWAITING_CLIENT_BANNER -> version: RFBProtocolVersion(true);
+		AWAITING_CLIENT_RESPONSE -> response: RFBVNCAuthenticationResponse;
+		AWAITING_CLIENT_SHARE_FLAG -> shareflag: RFBClientInit;
+		AWAITING_CLIENT_AUTH_TYPE_SELECTED37 -> authtype: RFBAuthTypeSelected;
+		AWAITING_CLIENT_ARD_RESPONSE -> ard_response: RFBSecurityARDResponse;
+		RFB_MESSAGE -> ignore: bytestring &restofdata &transient;
+		default -> data: bytestring &restofdata &transient;
+	} &requires(state);
+	} &let {
+		state: uint8 = $context.connection.get_state(true);
+};
+
+type RFB_PDU_response = record {
+	request: case rstate of {
+		AWAITING_SERVER_BANNER -> version: RFBProtocolVersion(false);
+		AWAITING_SERVER_AUTH_TYPES -> auth_types: RFBSecurityTypes;
+		AWAITING_SERVER_AUTH_TYPES37 -> auth_types37: RFBSecurityTypes37;
+		AWAITING_SERVER_CHALLENGE -> challenge: RFBVNCAuthenticationRequest;
+		AWAITING_SERVER_AUTH_RESULT -> authresult : RFBSecurityResult;
+		AWAITING_SERVER_ARD_CHALLENGE -> ard_challenge: RFBSecurityARDChallenge;
+		AWAITING_SERVER_PARAMS -> serverinit: RFBServerInit;
+		RFB_MESSAGE -> ignore: bytestring &restofdata &transient;
+		default -> data: bytestring &restofdata &transient;
+	} &requires(rstate);
+	} &let {
+		rstate: uint8 = $context.connection.get_state(false);
+};
+
+type RFB_PDU(is_orig: bool) = record {
+	payload: case is_orig of {
+		true -> request: RFB_PDU_request;
+		false -> response: RFB_PDU_response;
+	};
+} &byteorder = bigendian;
diff --git a/src/analyzer/protocol/rfb/rfb.pac b/src/analyzer/protocol/rfb/rfb.pac
new file mode 100644
index 0000000000..2e88f8e5bb
--- /dev/null
+++ b/src/analyzer/protocol/rfb/rfb.pac
@@ -0,0 +1,30 @@
+# Analyzer for Parser for rfb (VNC)
+#  - rfb-protocol.pac: describes the rfb protocol messages
+#  - rfb-analyzer.pac: describes the rfb analyzer code
+
+%include binpac.pac
+%include bro.pac
+
+%extern{
+	#include "events.bif.h"
+%}
+
+analyzer RFB withcontext {
+	connection: RFB_Conn;
+	flow:       RFB_Flow;
+};
+
+# Our connection consists of two flows, one in each direction.
+connection RFB_Conn(bro_analyzer: BroAnalyzer) {
+	upflow   = RFB_Flow(true);
+	downflow = RFB_Flow(false);
+};
+
+%include rfb-protocol.pac
+
+# Now we define the flow:
+flow RFB_Flow(is_orig: bool) {
+	datagram = RFB_PDU(is_orig) withcontext(connection, this);
+};
+
+%include rfb-analyzer.pac
\ No newline at end of file
diff --git a/src/analyzer/protocol/sip/sip-analyzer.pac b/src/analyzer/protocol/sip/sip-analyzer.pac
index 36a1dae7e2..829904aa3a 100644
--- a/src/analyzer/protocol/sip/sip-analyzer.pac
+++ b/src/analyzer/protocol/sip/sip-analyzer.pac
@@ -18,7 +18,6 @@ refine flow SIP_Flow += {
 
 	function proc_sip_request(method: bytestring, uri: bytestring, vers: SIP_Version): bool
 		%{
-		connection()->bro_analyzer()->ProtocolConfirmation();
 		if ( sip_request )
 			{
 			BifEvent::generate_sip_request(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(),
diff --git a/src/analyzer/protocol/smb/SMB.cc b/src/analyzer/protocol/smb/SMB.cc
index 9d388a0886..f72dbf4e19 100644
--- a/src/analyzer/protocol/smb/SMB.cc
+++ b/src/analyzer/protocol/smb/SMB.cc
@@ -336,7 +336,9 @@ int SMB_Session::ParseNegotiate(binpac::SMB::SMB_header const& hdr,
 			{
 			binpac::SMB::SMB_dialect* d = (*msg.dialects())[i];
 			BroString* tmp = ExtractString(d->dialectname());
-			t->Assign(new Val(i, TYPE_COUNT), new StringVal(tmp));
+			Val* idx = new Val(i, TYPE_COUNT);
+			t->Assign(idx, new StringVal(tmp));
+			Unref(idx);
 			}
 
 		val_list* vl = new val_list;
diff --git a/src/analyzer/protocol/smtp/SMTP.cc b/src/analyzer/protocol/smtp/SMTP.cc
index 6a19848d86..8296f83cb3 100644
--- a/src/analyzer/protocol/smtp/SMTP.cc
+++ b/src/analyzer/protocol/smtp/SMTP.cc
@@ -756,6 +756,7 @@ void SMTP_Analyzer::UpdateState(const int cmd_code, const int reply_code, bool o
 		break;
 
 	case SMTP_CMD_STARTTLS:
+	case SMTP_CMD_X_ANONYMOUSTLS:
 		if ( st != SMTP_READY )
 			UnexpectedCommand(cmd_code, reply_code);
 
@@ -809,7 +810,7 @@ void SMTP_Analyzer::ProcessExtension(int ext_len, const char* ext)
 	if ( ! ext )
 		return;
 
-	if ( ! strcasecmp_n(ext_len, ext, "PIPELINING") )
+	if ( ! strncasecmp(ext, "PIPELINING", ext_len) )
 		pipelining = 1;
 	}
 
@@ -818,8 +819,12 @@ int SMTP_Analyzer::ParseCmd(int cmd_len, const char* cmd)
 	if ( ! cmd )
 		return -1;
 
+	// special case because we cannot define our usual macros with "-"
+	if ( strncmp(cmd, "X-ANONYMOUSTLS", cmd_len) == 0 )
+		return SMTP_CMD_X_ANONYMOUSTLS;
+
 	for ( int code = SMTP_CMD_EHLO; code < SMTP_CMD_LAST; ++code )
-		if ( ! strcasecmp_n(cmd_len, cmd, smtp_cmd_word[code - SMTP_CMD_EHLO]) )
+		if ( ! strncasecmp(cmd, smtp_cmd_word[code - SMTP_CMD_EHLO], cmd_len) )
 			return code;
 
 	return -1;
diff --git a/src/analyzer/protocol/smtp/SMTP.h b/src/analyzer/protocol/smtp/SMTP.h
index e8010d9aef..b4396f28f7 100644
--- a/src/analyzer/protocol/smtp/SMTP.h
+++ b/src/analyzer/protocol/smtp/SMTP.h
@@ -30,7 +30,7 @@ typedef enum {
 	SMTP_IN_DATA,		// 6: after DATA
 	SMTP_AFTER_DATA,	// 7: after . and before reply
 	SMTP_IN_AUTH,		// 8: after AUTH and 334
-	SMTP_IN_TLS,		// 9: after STARTTLS and 220
+	SMTP_IN_TLS,		// 9: after STARTTLS/X-ANONYMOUSTLS and 220
 	SMTP_QUIT,		// 10: after QUIT
 	SMTP_AFTER_GAP,		// 11: after a gap is detected
 	SMTP_GAP_RECOVERY,	// 12: after the first reply after a gap
diff --git a/src/analyzer/protocol/smtp/SMTP_cmd.def b/src/analyzer/protocol/smtp/SMTP_cmd.def
index 545136048d..72ef292d17 100644
--- a/src/analyzer/protocol/smtp/SMTP_cmd.def
+++ b/src/analyzer/protocol/smtp/SMTP_cmd.def
@@ -11,6 +11,8 @@ SMTP_CMD_DEF(VRFY)
 SMTP_CMD_DEF(EXPN)
 SMTP_CMD_DEF(HELP)
 SMTP_CMD_DEF(NOOP)
+SMTP_CMD_DEF(STARTTLS)	// RFC 2487
+SMTP_CMD_DEF(X_ANONYMOUSTLS)
 
 // The following two commands never explicitly appear in user input.
 SMTP_CMD_DEF(CONN_ESTABLISHMENT)	// not an explicit SMTP command
@@ -20,15 +22,14 @@ SMTP_CMD_DEF(END_OF_DATA)	// not an explicit SMTP command
 // become deprecated (RFC 2821).
 // Client SHOULD NOT use SEND/SOML/SAML
 
-SMTP_CMD_DEF(SEND)		
+SMTP_CMD_DEF(SEND)
 SMTP_CMD_DEF(SOML)
 SMTP_CMD_DEF(SAML)
 
 // System SHOULD NOT support TURN in absence of authentication.
-SMTP_CMD_DEF(TURN)		
+SMTP_CMD_DEF(TURN)
 
 // SMTP extensions not supported yet.
-SMTP_CMD_DEF(STARTTLS)	// RFC 2487
 SMTP_CMD_DEF(BDAT)		// RFC 3030
 SMTP_CMD_DEF(ETRN)		// RFC 1985
 SMTP_CMD_DEF(AUTH)		// RFC 2554
diff --git a/src/analyzer/protocol/smtp/events.bif b/src/analyzer/protocol/smtp/events.bif
index cffe3ba202..898e98e0d1 100644
--- a/src/analyzer/protocol/smtp/events.bif
+++ b/src/analyzer/protocol/smtp/events.bif
@@ -99,8 +99,8 @@ event smtp_data%(c: connection, is_orig: bool, data: string%);
 ## .. bro:see:: smtp_data  smtp_request smtp_reply
 event smtp_unexpected%(c: connection, is_orig: bool, msg: string, detail: string%);
 
-## Generated if a connection switched to using TLS using STARTTLS. After this
-## event no more SMTP events will be raised for the connection. See the SSL
+## Generated if a connection switched to using TLS using STARTTLS or X-ANONYMOUSTLS.
+## After this event no more SMTP events will be raised for the connection. See the SSL
 ## analyzer for related SSL events, which will now be generated.
 ##
 ## c: The connection.
diff --git a/src/analyzer/protocol/snmp/snmp-analyzer.pac b/src/analyzer/protocol/snmp/snmp-analyzer.pac
index 891531b292..44dce4dbf5 100644
--- a/src/analyzer/protocol/snmp/snmp-analyzer.pac
+++ b/src/analyzer/protocol/snmp/snmp-analyzer.pac
@@ -373,10 +373,12 @@ refine connection SNMP_Conn += {
 
 	function proc_header(rec: Header): bool
 		%{
+		if ( ! ${rec.is_orig} )
+			bro_analyzer()->ProtocolConfirmation();
+ 
 		if ( rec->unknown() )
 			return false;
 
-		bro_analyzer()->ProtocolConfirmation();
 		return true;
 		%}
 
diff --git a/src/analyzer/protocol/ssh/events.bif b/src/analyzer/protocol/ssh/events.bif
index 57b736ac85..2c8079d9b7 100644
--- a/src/analyzer/protocol/ssh/events.bif
+++ b/src/analyzer/protocol/ssh/events.bif
@@ -120,7 +120,7 @@ event ssh1_server_host_key%(c: connection, p: string, e: string%);
 ## This event is generated when an :abbr:`SSH (Secure Shell)`
 ## encrypted packet is seen. This event is not handled by default, but
 ## is provided for heuristic analysis scripts. Note that you have to set
-## :bro:id:`SSH::skip_processing_after_detection` to false to use this
+## :bro:id:`SSH::disable_analyzer_after_detection` to false to use this
 ## event. This carries a performance penalty.
 ##
 ## c: The connection over which the :abbr:`SSH (Secure Shell)`
diff --git a/src/analyzer/protocol/ssl/DTLS.cc b/src/analyzer/protocol/ssl/DTLS.cc
index c90e414031..5301e962d4 100644
--- a/src/analyzer/protocol/ssl/DTLS.cc
+++ b/src/analyzer/protocol/ssl/DTLS.cc
@@ -35,6 +35,11 @@ void DTLS_Analyzer::Done()
 void DTLS_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint64 seq, const IP_Hdr* ip, int caplen)
 	{
 	Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
+
+	// In this case the packet is a STUN packet. Skip it without complaining.
+	if ( len > 20 && data[4] == 0x21 && data[5] == 0x12 && data[6] == 0xa4 && data[7] == 0x42 )
+		return;
+
 	interp->NewData(orig, data, data + len);
 	}
 
diff --git a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac
index b24352d099..3b65e63ee7 100644
--- a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac
+++ b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac
@@ -75,7 +75,7 @@ type ClientHello(rec: HandshakeRecord) = record {
 	session_len : uint8;
 	session_id : uint8[session_len];
 	dtls_cookie: case client_version of {
-		DTLSv10 -> cookie: ClientHelloCookie(rec);
+		DTLSv10, DTLSv12 -> cookie: ClientHelloCookie(rec);
 		default -> nothing: bytestring &length=0;
 	};
 	csuit_len : uint16 &check(csuit_len > 1 && csuit_len % 2 == 0);
diff --git a/src/analyzer/protocol/tcp/TCP.cc b/src/analyzer/protocol/tcp/TCP.cc
index 8b3876c7ce..56c01fa358 100644
--- a/src/analyzer/protocol/tcp/TCP.cc
+++ b/src/analyzer/protocol/tcp/TCP.cc
@@ -408,11 +408,6 @@ void TCP_Analyzer::EnableReassembly()
 	                                   TCP_Reassembler::Forward, orig),
 	               new TCP_Reassembler(this, this,
 	                                   TCP_Reassembler::Forward, resp));
-
-	reassembling = 1;
-
-	if ( new_connection_contents )
-		Event(new_connection_contents);
 	}
 
 void TCP_Analyzer::SetReassembler(TCP_Reassembler* rorig,
@@ -423,10 +418,10 @@ void TCP_Analyzer::SetReassembler(TCP_Reassembler* rorig,
 	resp->AddReassembler(rresp);
 	rresp->SetDstAnalyzer(this);
 
-	reassembling = 1;
-
-	if ( new_connection_contents )
+	if ( new_connection_contents && reassembling == 0 )
 		Event(new_connection_contents);
+
+	reassembling = 1;
 	}
 
 const struct tcphdr* TCP_Analyzer::ExtractTCP_Header(const u_char*& data, 
diff --git a/src/analyzer/protocol/tcp/TCP_Reassembler.cc b/src/analyzer/protocol/tcp/TCP_Reassembler.cc
index 5b88d2dafb..0095947071 100644
--- a/src/analyzer/protocol/tcp/TCP_Reassembler.cc
+++ b/src/analyzer/protocol/tcp/TCP_Reassembler.cc
@@ -5,9 +5,6 @@
 #include "analyzer/protocol/tcp/TCP.h"
 #include "TCP_Endpoint.h"
 
-// Only needed for gap_report events.
-#include "Event.h"
-
 #include "events.bif.h"
 
 using namespace analyzer::tcp;
@@ -18,17 +15,11 @@ const bool DEBUG_tcp_contents = false;
 const bool DEBUG_tcp_connection_close = false;
 const bool DEBUG_tcp_match_undelivered = false;
 
-static double last_gap_report = 0.0;
-static uint64 last_ack_events = 0;
-static uint64 last_ack_bytes = 0;
-static uint64 last_gap_events = 0;
-static uint64 last_gap_bytes = 0;
-
 TCP_Reassembler::TCP_Reassembler(analyzer::Analyzer* arg_dst_analyzer,
 				TCP_Analyzer* arg_tcp_analyzer,
 				TCP_Reassembler::Type arg_type,
 				TCP_Endpoint* arg_endp)
-	: Reassembler(1)
+	: Reassembler(1, REASSEM_TCP)
 	{
 	dst_analyzer = arg_dst_analyzer;
 	tcp_analyzer = arg_tcp_analyzer;
@@ -45,7 +36,7 @@ TCP_Reassembler::TCP_Reassembler(analyzer::Analyzer* arg_dst_analyzer,
 	if ( tcp_max_old_segments )
 		SetMaxOldBlocks(tcp_max_old_segments);
 
-	if ( tcp_contents )
+	if ( ::tcp_contents )
 		{
 		// Val dst_port_val(ntohs(Conn()->RespPort()), TYPE_PORT);
 		PortVal dst_port_val(ntohs(tcp_analyzer->Conn()->RespPort()),
@@ -387,7 +378,6 @@ void TCP_Reassembler::BlockInserted(DataBlock* start_block)
 			{ // New stuff.
 			uint64 len = b->Size();
 			uint64 seq = last_reassem_seq;
-
 			last_reassem_seq += len;
 
 			if ( record_contents_file )
@@ -548,35 +538,6 @@ void TCP_Reassembler::AckReceived(uint64 seq)
 			tot_gap_bytes += num_missing;
 			tcp_analyzer->Event(ack_above_hole);
 			}
-
-		double dt = network_time - last_gap_report;
-
-		if ( gap_report && gap_report_freq > 0.0 &&
-		     dt >= gap_report_freq )
-			{
-			uint64 devents = tot_ack_events - last_ack_events;
-			uint64 dbytes = tot_ack_bytes - last_ack_bytes;
-			uint64 dgaps = tot_gap_events - last_gap_events;
-			uint64 dgap_bytes = tot_gap_bytes - last_gap_bytes;
-
-			RecordVal* r = new RecordVal(gap_info);
-			r->Assign(0, new Val(devents, TYPE_COUNT));
-			r->Assign(1, new Val(dbytes, TYPE_COUNT));
-			r->Assign(2, new Val(dgaps, TYPE_COUNT));
-			r->Assign(3, new Val(dgap_bytes, TYPE_COUNT));
-
-			val_list* vl = new val_list;
-			vl->append(new IntervalVal(dt, Seconds));
-			vl->append(r);
-
-			mgr.QueueEvent(gap_report, vl);
-
-			last_gap_report = network_time;
-			last_ack_events = tot_ack_events;
-			last_ack_bytes = tot_ack_bytes;
-			last_gap_events = tot_gap_events;
-			last_gap_bytes = tot_gap_bytes;
-			}
 		}
 
 	// Check EOF here because t_reassem->LastReassemSeq() may have
diff --git a/src/analyzer/protocol/tcp/functions.bif b/src/analyzer/protocol/tcp/functions.bif
index 9fca05329a..75353180c6 100644
--- a/src/analyzer/protocol/tcp/functions.bif
+++ b/src/analyzer/protocol/tcp/functions.bif
@@ -63,26 +63,6 @@ function get_resp_seq%(cid: conn_id%): count
 		}
 	%}
 
-## Returns statistics about TCP gaps.
-##
-## Returns: A record with TCP gap statistics.
-##
-## .. bro:see:: do_profiling
-##              net_stats
-##              resource_usage
-##              dump_rule_stats
-##              get_matcher_stats
-function get_gap_summary%(%): gap_info
-	%{
-	RecordVal* r = new RecordVal(gap_info);
-	r->Assign(0, new Val(tot_ack_events, TYPE_COUNT));
-	r->Assign(1, new Val(tot_ack_bytes, TYPE_COUNT));
-	r->Assign(2, new Val(tot_gap_events, TYPE_COUNT));
-	r->Assign(3, new Val(tot_gap_bytes, TYPE_COUNT));
-
-	return r;
-	%}
-
 ## Associates a file handle with a connection for writing TCP byte stream
 ## contents.
 ##
diff --git a/src/analyzer/protocol/xmpp/CMakeLists.txt b/src/analyzer/protocol/xmpp/CMakeLists.txt
new file mode 100644
index 0000000000..ec5bb84837
--- /dev/null
+++ b/src/analyzer/protocol/xmpp/CMakeLists.txt
@@ -0,0 +1,12 @@
+
+include(BroPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+bro_plugin_begin(Bro XMPP)
+bro_plugin_cc(Plugin.cc)
+bro_plugin_cc(XMPP.cc)
+bro_plugin_bif(events.bif)
+bro_plugin_pac(xmpp.pac xmpp-analyzer.pac xmpp-protocol.pac)
+bro_plugin_end()
+
diff --git a/src/analyzer/protocol/xmpp/Plugin.cc b/src/analyzer/protocol/xmpp/Plugin.cc
new file mode 100644
index 0000000000..d3bfcc5b10
--- /dev/null
+++ b/src/analyzer/protocol/xmpp/Plugin.cc
@@ -0,0 +1,23 @@
+// See the file  in the main distribution directory for copyright.
+#include "plugin/Plugin.h"
+
+#include "XMPP.h"
+
+namespace plugin {
+namespace Bro_XMPP {
+
+class Plugin : public plugin::Plugin {
+public:
+	plugin::Configuration Configure()
+		{
+		AddComponent(new ::analyzer::Component("XMPP", ::analyzer::xmpp::XMPP_Analyzer::Instantiate));
+
+		plugin::Configuration config;
+		config.name = "Bro::XMPP";
+		config.description = "XMPP analyzer (StartTLS only)";
+		return config;
+		}
+} plugin;
+
+}
+}
diff --git a/src/analyzer/protocol/xmpp/XMPP.cc b/src/analyzer/protocol/xmpp/XMPP.cc
new file mode 100644
index 0000000000..72229aeaba
--- /dev/null
+++ b/src/analyzer/protocol/xmpp/XMPP.cc
@@ -0,0 +1,85 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "XMPP.h"
+#include "analyzer/protocol/tcp/TCP_Reassembler.h"
+#include "analyzer/Manager.h"
+
+using namespace analyzer::xmpp;
+
+XMPP_Analyzer::XMPP_Analyzer(Connection* conn)
+	: tcp::TCP_ApplicationAnalyzer("XMPP", conn)
+	{
+	interp = unique_ptr<binpac::XMPP::XMPP_Conn>(new binpac::XMPP::XMPP_Conn(this));
+	had_gap = false;
+	tls_active = false;
+	}
+
+XMPP_Analyzer::~XMPP_Analyzer()
+	{
+	}
+
+void XMPP_Analyzer::Done()
+	{
+	tcp::TCP_ApplicationAnalyzer::Done();
+
+	interp->FlowEOF(true);
+	interp->FlowEOF(false);
+	}
+
+void XMPP_Analyzer::EndpointEOF(bool is_orig)
+	{
+	tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
+	interp->FlowEOF(is_orig);
+	}
+
+void XMPP_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
+	{
+	tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
+
+	if ( tls_active )
+		{
+		// If TLS has been initiated, forward to child and abort further
+		// processing
+		ForwardStream(len, data, orig);
+		return;
+		}
+
+	assert(TCP());
+	if ( TCP()->IsPartial() )
+		return;
+
+	if ( had_gap )
+		// If only one side had a content gap, we could still try to
+		// deliver data to the other side if the script layer can
+		// handle this.
+		return;
+
+	try
+		{
+		interp->NewData(orig, data, data + len);
+		}
+	catch ( const binpac::Exception& e )
+		{
+		ProtocolViolation(fmt("Binpac exception: %s", e.c_msg()));
+		}
+	}
+
+void XMPP_Analyzer::Undelivered(uint64 seq, int len, bool orig)
+	{
+	tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
+	had_gap = true;
+	interp->NewGap(orig, len);
+	}
+
+void XMPP_Analyzer::StartTLS()
+	{
+	// StartTLS was called. This means we saw a client starttls followed
+	// by a server proceed. From here on, everything should be a binary
+	// TLS datastream.
+
+	tls_active = true;
+
+	Analyzer* ssl = analyzer_mgr->InstantiateAnalyzer("SSL", Conn());
+	if ( ssl )
+		AddChildAnalyzer(ssl);
+	}
diff --git a/src/analyzer/protocol/xmpp/XMPP.h b/src/analyzer/protocol/xmpp/XMPP.h
new file mode 100644
index 0000000000..202403748a
--- /dev/null
+++ b/src/analyzer/protocol/xmpp/XMPP.h
@@ -0,0 +1,38 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#ifndef ANALYZER_PROTOCOL_XMPP_XMPP_H
+#define ANALYZER_PROTOCOL_XMPP_XMPP_H
+
+#include "analyzer/protocol/tcp/TCP.h"
+
+#include "xmpp_pac.h"
+
+namespace analyzer { namespace xmpp {
+
+class XMPP_Analyzer : public tcp::TCP_ApplicationAnalyzer {
+public:
+	XMPP_Analyzer(Connection* conn);
+	virtual ~XMPP_Analyzer();
+
+	void Done() override;
+	void DeliverStream(int len, const u_char* data, bool orig) override;
+	void Undelivered(uint64 seq, int len, bool orig) override;
+
+	// Overriden from tcp::TCP_ApplicationAnalyzer.
+	void EndpointEOF(bool is_orig) override;
+
+	void StartTLS();
+
+	static analyzer::Analyzer* Instantiate(Connection* conn)
+		{ return new XMPP_Analyzer(conn); }
+
+protected:
+	std::unique_ptr<binpac::XMPP::XMPP_Conn> interp;
+	bool had_gap;
+
+	bool tls_active;
+};
+
+} } // namespace analyzer::*
+
+#endif /* ANALYZER_PROTOCOL_XMPP_XMPP_H */
diff --git a/src/analyzer/protocol/xmpp/events.bif b/src/analyzer/protocol/xmpp/events.bif
new file mode 100644
index 0000000000..ee36bd5333
--- /dev/null
+++ b/src/analyzer/protocol/xmpp/events.bif
@@ -0,0 +1,5 @@
+## Generated when a XMPP connection goes encrypted after a successful
+## StartTLS exchange between the client and the server.
+##
+## c: The connection.
+event xmpp_starttls%(c: connection%);
diff --git a/src/analyzer/protocol/xmpp/xmpp-analyzer.pac b/src/analyzer/protocol/xmpp/xmpp-analyzer.pac
new file mode 100644
index 0000000000..3240b57bb3
--- /dev/null
+++ b/src/analyzer/protocol/xmpp/xmpp-analyzer.pac
@@ -0,0 +1,45 @@
+refine connection XMPP_Conn += {
+
+	%member{
+	bool client_starttls;
+	%}
+
+	%init{
+	client_starttls = false;
+	%}
+
+	function proc_xmpp_token(is_orig: bool, name: bytestring, rest: bytestring): bool
+		%{
+		string token = std_str(name);
+
+		if ( is_orig && token == "stream:stream" )
+			// Yup, looks like xmpp...
+			bro_analyzer()->ProtocolConfirmation();
+
+		if ( token == "success" || token == "message" || token == "db:result"
+		     || token == "db:verify" || token == "presence" )
+			// Handshake has passed the phase where we should see StartTLS. Simply skip from hereon...
+			bro_analyzer()->SetSkip(true);
+
+		if ( is_orig && token == "starttls" )
+			client_starttls = true;
+
+		if ( !is_orig && token == "proceed" && client_starttls )
+			{
+			bro_analyzer()->StartTLS();
+			BifEvent::generate_xmpp_starttls(bro_analyzer(), bro_analyzer()->Conn());
+			}
+		else if ( !is_orig && token == "proceed" )
+			reporter->Weird(bro_analyzer()->Conn(), "XMPP: proceed without starttls");
+
+		//printf("Processed: %d %s %s \n", is_orig, c_str(name), c_str(rest));
+
+		return true;
+		%}
+
+};
+
+refine typeattr XMPP_TOKEN += &let {
+	proc: bool = $context.connection.proc_xmpp_token(is_orig, name, rest);
+};
+
diff --git a/src/analyzer/protocol/xmpp/xmpp-protocol.pac b/src/analyzer/protocol/xmpp/xmpp-protocol.pac
new file mode 100644
index 0000000000..9b21679c30
--- /dev/null
+++ b/src/analyzer/protocol/xmpp/xmpp-protocol.pac
@@ -0,0 +1,18 @@
+type XML_START = RE/</;
+type XML_END = RE/>/;
+type XML_NAME = RE/\/?[?:[:alnum:]]+/;
+type XML_REST = RE/[^<>]*/;
+type SPACING = RE/[ \r\n]*/;
+type CONTENT = RE/[^<>]*/;
+
+type XMPP_PDU(is_orig: bool) = XMPP_TOKEN(is_orig)[] &until($input.length() == 0);
+
+type XMPP_TOKEN(is_orig: bool) = record {
+	: SPACING;
+	: XML_START;
+	name: XML_NAME;
+	rest: XML_REST;
+	: XML_END;
+	tagcontent: CONTENT;
+};
+
diff --git a/src/analyzer/protocol/xmpp/xmpp.pac b/src/analyzer/protocol/xmpp/xmpp.pac
new file mode 100644
index 0000000000..e6b5f4bba0
--- /dev/null
+++ b/src/analyzer/protocol/xmpp/xmpp.pac
@@ -0,0 +1,38 @@
+# binpac file for the XMPP analyzer.
+# Note that we currently do not even try to parse the protocol
+# completely -- this is only supposed to be able to parse xmpp
+# till StartTLS does (or does not) kick in.
+
+%include binpac.pac
+%include bro.pac
+
+
+%extern{
+#include "events.bif.h"
+
+namespace analyzer { namespace xmpp { class XMPP_Analyzer; } }
+namespace binpac { namespace XMPP { class XMPP_Conn; } }
+typedef analyzer::xmpp::XMPP_Analyzer* XMPPAnalyzer;
+
+#include "XMPP.h"
+%}
+
+extern type XMPPAnalyzer;
+
+analyzer XMPP withcontext {
+	connection:	 XMPP_Conn;
+	flow:		 XMPP_Flow;
+};
+
+connection XMPP_Conn(bro_analyzer: XMPPAnalyzer) {
+	upflow = XMPP_Flow(true);
+	downflow = XMPP_Flow(false);
+};
+
+%include xmpp-protocol.pac
+
+flow XMPP_Flow(is_orig: bool) {
+	datagram = XMPP_PDU(is_orig) withcontext(connection, this);
+};
+
+%include xmpp-analyzer.pac
diff --git a/src/bif_type.def b/src/bif_type.def
index 5d9963ffc9..c30ffeb49b 100644
--- a/src/bif_type.def
+++ b/src/bif_type.def
@@ -8,7 +8,7 @@ DEFINE_BIF_TYPE(TYPE_CONNECTION, "connection", "connection", "Connection*", "%s-
 DEFINE_BIF_TYPE(TYPE_COUNT, 	"count", "count", "bro_uint_t", 	"%s->AsCount()", 	"new Val(%s, TYPE_COUNT)")
 DEFINE_BIF_TYPE(TYPE_DOUBLE, 	"double", "double", "double", 		"%s->AsDouble()", 	"new Val(%s, TYPE_DOUBLE)")
 DEFINE_BIF_TYPE(TYPE_FILE, 	"file", "file", "BroFile*", 		"%s->AsFile()", 	"new Val(%s)")
-DEFINE_BIF_TYPE(TYPE_INT, 	"int", "int", "bro_int_t", 		"%s->AsInt()", 		"new Val(%s, TYPE_BOOL)")
+DEFINE_BIF_TYPE(TYPE_INT, 	"int", "int", "bro_int_t", 		"%s->AsInt()", 		"new Val(%s, TYPE_INT)")
 DEFINE_BIF_TYPE(TYPE_INTERVAL, 	"interval", "interval", "double", 	"%s->AsInterval()", 	"new IntervalVal(%s, Seconds)")
 DEFINE_BIF_TYPE(TYPE_PACKET, 	"packet", "packet", "TCP_TracePacket*", "%s->AsRecordVal()->GetOrigin()", "%s->PacketVal()")
 DEFINE_BIF_TYPE(TYPE_PATTERN, 	"pattern", "pattern", "RE_Matcher*", 	"%s->AsPattern()",	"new PatternVal(%s)")
diff --git a/src/bro.bif b/src/bro.bif
index b0465b9609..445b08fca6 100644
--- a/src/bro.bif
+++ b/src/bro.bif
@@ -26,15 +26,8 @@
 
 using namespace std;
 
-RecordType* net_stats;
-RecordType* bro_resources;
-RecordType* matcher_stats;
 TableType* var_sizes;
 
-// This one is extern, since it's used beyond just built-ins,
-// and hence it's declared in NetVar.{h,cc}.
-extern RecordType* gap_info;
-
 static iosource::PktDumper* addl_pkt_dumper = 0;
 
 bro_int_t parse_int(const char*& fmt)
@@ -145,12 +138,17 @@ static void do_fmt(const char*& fmt, Val* v, ODesc* d)
 			}
 
 		time_t time = time_t(v->InternalDouble());
+		struct tm t;
+
 		int is_time_fmt = *fmt == 'T';
 
+		if ( ! localtime_r(&time, &t) )
+			s.AddSP("<problem getting time>");
+
 		if ( ! strftime(out_buf, sizeof(out_buf),
 				is_time_fmt ?
 					"%Y-%m-%d-%H:%M" : "%Y-%m-%d-%H:%M:%S",
-				localtime(&time)) )
+				&t) )
 			s.AddSP("<bad time>");
 
 		else
@@ -1031,6 +1029,72 @@ function clear_table%(v: any%): any
 	return 0;
 	%}
 
+## Gets all subnets that contain a given subnet from a set/table[subnet]
+##
+## search: the subnet to search for.
+##
+## t: the set[subnet] or table[subnet].
+##
+## Returns: All the keys of the set or table that cover the subnet searched for.
+function matching_subnets%(search: subnet, t: any%): subnet_vec
+	%{
+	if ( t->Type()->Tag() != TYPE_TABLE || ! t->Type()->AsTableType()->IsSubNetIndex() )
+		{
+		reporter->Error("matching_subnets needs to be called on a set[subnet]/table[subnet].");
+		return nullptr;
+		}
+
+	return t->AsTableVal()->LookupSubnets(search);
+	%}
+
+## For a set[subnet]/table[subnet], create a new table that contains all entries that
+## contain a given subnet.
+##
+## search: the subnet to search for.
+##
+## t: the set[subnet] or table[subnet].
+##
+## Returns: A new table that contains all the entries that cover the subnet searched for.
+function filter_subnet_table%(search: subnet, t: any%): any
+	%{
+	if ( t->Type()->Tag() != TYPE_TABLE || ! t->Type()->AsTableType()->IsSubNetIndex() )
+		{
+		reporter->Error("filter_subnet_table needs to be called on a set[subnet]/table[subnet].");
+		return nullptr;
+		}
+
+	return t->AsTableVal()->LookupSubnetValues(search);
+	%}
+
+## Checks if a specific subnet is a member of a set/table[subnet].
+## In difference to the ``in`` operator, this performs an exact match, not
+## a longest prefix match.
+##
+## search: the subnet to search for.
+##
+## t: the set[subnet] or table[subnet].
+##
+## Returns: True if the exact subnet is a member, false otherwise.
+function check_subnet%(search: subnet, t: any%): bool
+	%{
+	if ( t->Type()->Tag() != TYPE_TABLE || ! t->Type()->AsTableType()->IsSubNetIndex() )
+		{
+		reporter->Error("check_subnet needs to be called on a set[subnet]/table[subnet].");
+		return nullptr;
+		}
+
+	const PrefixTable* pt = t->AsTableVal()->Subnets();
+	if ( ! pt )
+		{
+		reporter->Error("check_subnet encountered nonexisting prefix table.");
+		return nullptr;
+		}
+
+	void* res = pt->Lookup(search, true);
+
+	return new Val (res != nullptr, TYPE_BOOL);
+	%}
+
 ## Checks whether two objects reference the same internal object. This function
 ## uses equality comparison of C++ raw pointer values to determine if the two
 ## objects are the same.
@@ -1414,8 +1478,6 @@ function cat_sep%(sep: string, def: string, ...%): string
 ##
 ##    - ``.``: Precision of floating point specifiers ``[efg]`` (< 128)
 ##
-##    - ``A``: Escape only NUL bytes (each one replaced with ``\0``) in a string
-##
 ##    - ``[DTdxsefg]``: Format specifier
 ##
 ##        - ``[DT]``: ISO timestamp with microsecond precision
@@ -1661,156 +1723,6 @@ function reading_traces%(%): bool
 	return new Val(reading_traces, TYPE_BOOL);
 	%}
 
-## Returns packet capture statistics. Statistics include the number of
-## packets *(i)* received by Bro, *(ii)* dropped, and *(iii)* seen on the
-## link (not always available).
-##
-## Returns: A record of packet statistics.
-##
-## .. bro:see:: do_profiling
-##              resource_usage
-##              get_matcher_stats
-##              dump_rule_stats
-##              get_gap_summary
-function net_stats%(%): NetStats
-	%{
-	unsigned int recv = 0;
-	unsigned int drop = 0;
-	unsigned int link = 0;
-	unsigned int bytes_recv = 0;
-
-	const iosource::Manager::PktSrcList& pkt_srcs(iosource_mgr->GetPktSrcs());
-
-	for ( iosource::Manager::PktSrcList::const_iterator i = pkt_srcs.begin();
-	      i != pkt_srcs.end(); i++ )
-		{
-		iosource::PktSrc* ps = *i;
-
-		struct iosource::PktSrc::Stats stat;
-		ps->Statistics(&stat);
-		recv += stat.received;
-		drop += stat.dropped;
-		link += stat.link;
-		bytes_recv += stat.bytes_received;
-		}
-
-	RecordVal* ns = new RecordVal(net_stats);
-	ns->Assign(0, new Val(recv, TYPE_COUNT));
-	ns->Assign(1, new Val(drop, TYPE_COUNT));
-	ns->Assign(2, new Val(link, TYPE_COUNT));
-	ns->Assign(3, new Val(bytes_recv, TYPE_COUNT));
-
-	return ns;
-	%}
-
-## Returns Bro process statistics. Statistics include real/user/sys CPU time,
-## memory usage, page faults, number of TCP/UDP/ICMP connections, timers,
-## and events queued/dispatched.
-##
-## Returns: A record with resource usage statistics.
-##
-## .. bro:see:: do_profiling
-##              net_stats
-##              get_matcher_stats
-##              dump_rule_stats
-##              get_gap_summary
-function resource_usage%(%): bro_resources
-	%{
-	struct rusage r;
-
-	if ( getrusage(RUSAGE_SELF, &r) < 0 )
-		reporter->InternalError("getrusage() failed in bro_resource_usage()");
-
-	double elapsed_time = current_time() - bro_start_time;
-
-	double user_time =
-		double(r.ru_utime.tv_sec) + double(r.ru_utime.tv_usec) / 1e6;
-	double system_time =
-		double(r.ru_stime.tv_sec) + double(r.ru_stime.tv_usec) / 1e6;
-
-	RecordVal* res = new RecordVal(bro_resources);
-	int n = 0;
-
-	res->Assign(n++, new StringVal(bro_version()));
-
-#ifdef DEBUG
-	res->Assign(n++, new Val(1, TYPE_COUNT));
-#else
-	res->Assign(n++, new Val(0, TYPE_COUNT));
-#endif
-
-	res->Assign(n++, new Val(bro_start_time, TYPE_TIME));
-
-	res->Assign(n++, new IntervalVal(elapsed_time, Seconds));
-	res->Assign(n++, new IntervalVal(user_time, Seconds));
-	res->Assign(n++, new IntervalVal(system_time, Seconds));
-
-	unsigned int total_mem;
-	get_memory_usage(&total_mem, 0);
-	res->Assign(n++, new Val(unsigned(total_mem), TYPE_COUNT));
-
-	res->Assign(n++, new Val(unsigned(r.ru_minflt), TYPE_COUNT));
-	res->Assign(n++, new Val(unsigned(r.ru_majflt), TYPE_COUNT));
-	res->Assign(n++, new Val(unsigned(r.ru_nswap), TYPE_COUNT));
-	res->Assign(n++, new Val(unsigned(r.ru_inblock), TYPE_COUNT));
-	res->Assign(n++, new Val(unsigned(r.ru_oublock), TYPE_COUNT));
-	res->Assign(n++, new Val(unsigned(r.ru_nivcsw), TYPE_COUNT));
-
-	SessionStats s;
-	if ( sessions )
-		sessions->GetStats(s);
-
-#define ADD_STAT(x) \
-	res->Assign(n++, new Val(unsigned(sessions ? x : 0), TYPE_COUNT));
-
-	ADD_STAT(s.num_TCP_conns);
-	ADD_STAT(s.num_UDP_conns);
-	ADD_STAT(s.num_ICMP_conns);
-	ADD_STAT(s.num_fragments);
-	ADD_STAT(s.num_packets);
-	ADD_STAT(s.num_timers);
-	ADD_STAT(s.num_events_queued);
-	ADD_STAT(s.num_events_dispatched);
-	ADD_STAT(s.max_TCP_conns);
-	ADD_STAT(s.max_UDP_conns);
-	ADD_STAT(s.max_ICMP_conns);
-	ADD_STAT(s.max_fragments);
-	ADD_STAT(s.max_timers);
-
-	return res;
-	%}
-
-## Returns statistics about the regular expression engine. Statistics include
-## the number of distinct matchers, DFA states, DFA state transitions, memory
-## usage of DFA states, cache hits/misses, and average number of NFA states
-## across all matchers.
-##
-## Returns: A record with matcher statistics.
-##
-## .. bro:see:: do_profiling
-##              net_stats
-##              resource_usage
-##              dump_rule_stats
-##              get_gap_summary
-function get_matcher_stats%(%): matcher_stats
-	%{
-	RuleMatcher::Stats s;
-	memset(&s, 0, sizeof(s));
-
-	if ( rule_matcher )
-		rule_matcher->GetStats(&s);
-
-	RecordVal* r = new RecordVal(matcher_stats);
-	r->Assign(0, new Val(s.matchers, TYPE_COUNT));
-	r->Assign(1, new Val(s.dfa_states, TYPE_COUNT));
-	r->Assign(2, new Val(s.computed, TYPE_COUNT));
-	r->Assign(3, new Val(s.mem, TYPE_COUNT));
-	r->Assign(4, new Val(s.hits, TYPE_COUNT));
-	r->Assign(5, new Val(s.misses, TYPE_COUNT));
-	r->Assign(6, new Val(s.avg_nfa_states, TYPE_COUNT));
-
-	return r;
-	%}
 
 ## Generates a table of the size of all global variables. The table index is
 ## the variable name and the value is the variable size in bytes.
@@ -1948,11 +1860,17 @@ function record_fields%(rec: any%): record_field_table
 ## timers, and script-level state. The script variable :bro:id:`profiling_file`
 ## holds the name of the file.
 ##
-## .. bro:see:: net_stats
-##              resource_usage
+## .. bro:see:: get_conn_stats
+##              get_dns_stats
+##              get_event_stats
+##              get_file_analysis_stats
+##              get_gap_stats
 ##              get_matcher_stats
-##              dump_rule_stats
-##              get_gap_summary
+##              get_net_stats
+##              get_proc_stats
+##              get_reassembler_stats
+##              get_thread_stats
+##              get_timer_stats
 function do_profiling%(%) : any
 	%{
 	if ( profiling_logger )
@@ -2014,13 +1932,7 @@ function is_local_interface%(ip: addr%) : bool
 ##
 ## Returns: True (unconditionally).
 ##
-## .. bro:see:: do_profiling
-##              resource_usage
-##              get_matcher_stats
-##              net_stats
-##              get_gap_summary
-##
-## .. todo:: The return value should be changed to any or check appropriately.
+## .. bro:see:: get_matcher_stats
 function dump_rule_stats%(f: file%): bool
 	%{
 	if ( rule_matcher )
@@ -2078,6 +1990,33 @@ function is_v6_addr%(a: addr%): bool
 		return new Val(0, TYPE_BOOL);
 	%}
 
+## Returns whether a subnet specification is IPv4 or not.
+##
+## s: the subnet to check.
+##
+## Returns: true if *a* is an IPv4 subnet, else false.
+function is_v4_subnet%(s: subnet%): bool
+	%{
+	if ( s->AsSubNet().Prefix().GetFamily() == IPv4 )
+		return new Val(1, TYPE_BOOL);
+	else
+		return new Val(0, TYPE_BOOL);
+	%}
+
+## Returns whether a subnet specification is IPv6 or not.
+##
+## s: the subnet to check.
+##
+## Returns: true if *a* is an IPv6 subnet, else false.
+function is_v6_subnet%(s: subnet%): bool
+	%{
+	if ( s->AsSubNet().Prefix().GetFamily() == IPv6 )
+		return new Val(1, TYPE_BOOL);
+	else
+		return new Val(0, TYPE_BOOL);
+	%}
+
+
 # ===========================================================================
 #
 #                                 Conversion
@@ -2368,6 +2307,44 @@ function to_subnet%(sn: string%): subnet
 	return ret;
 	%}
 
+## Converts a :bro:type:`addr` to a :bro:type:`subnet`.
+##
+## a: The address to convert.
+##
+## Returns: The *a* address as a :bro:type:`subnet`.
+##
+## .. bro:see:: to_subnet
+function addr_to_subnet%(a: addr%): subnet
+	%{
+	int width = (a->AsAddr().GetFamily() == IPv4 ? 32 : 128);
+	return new SubNetVal(a->AsAddr(), width);
+	%}
+
+## Converts a :bro:type:`subnet` to a :bro:type:`addr` by
+## extracting the prefix.
+##
+## s: The subnet to convert.
+##
+## Returns: The *s* subnet as a :bro:type:`addr`.
+##
+## .. bro:see:: to_subnet
+function subnet_to_addr%(sn: subnet%): addr
+	%{
+	return new AddrVal(sn->Prefix());
+	%}
+
+## Returns the width of a :bro:type:`subnet`.
+##
+## s: The subnet to convert.
+##
+## Returns: The width of the subnet.
+##
+## .. bro:see:: to_subnet
+function subnet_width%(sn: subnet%): count
+	%{
+	return new Val(sn->Width(), TYPE_COUNT);
+	%}
+
 ## Converts a :bro:type:`string` to a :bro:type:`double`.
 ##
 ## str: The :bro:type:`string` to convert.
@@ -3011,9 +2988,11 @@ function strftime%(fmt: string, d: time%) : string
 	%{
 	static char buffer[128];
 
-	time_t t = time_t(d);
+	time_t timeval = time_t(d);
+	struct tm t;
 
-	if ( strftime(buffer, 128, fmt->CheckString(), localtime(&t)) == 0 )
+	if ( ! localtime_r(&timeval, &t) ||
+	     ! strftime(buffer, 128, fmt->CheckString(), &t) )
 		return new StringVal("<strftime error>");
 
 	return new StringVal(buffer);
@@ -3031,9 +3010,10 @@ function strftime%(fmt: string, d: time%) : string
 function strptime%(fmt: string, d: string%) : time
 	%{
 	const time_t timeval = time_t();
-	struct tm t = *localtime(&timeval);
+	struct tm t;
 
-	if ( strptime(d->CheckString(), fmt->CheckString(), &t) == NULL )
+	if ( ! localtime_r(&timeval, &t) || 
+	     ! strptime(d->CheckString(), fmt->CheckString(), &t) )
 		{
 		reporter->Warning("strptime conversion failed: fmt:%s d:%s", fmt->CheckString(), d->CheckString());
 		return new Val(0.0, TYPE_TIME);
@@ -3327,6 +3307,26 @@ function get_current_packet%(%) : pcap_packet
 	return pkt;
 	%}
 
+## Function to get the raw headers of the currently processed packet.
+##
+## Returns: The :bro:type:`raw_pkt_hdr` record containing the Layer 2, 3 and
+##          4 headers of the currently processed packet.
+##
+## .. bro:see:: raw_pkt_hdr get_current_packet
+function get_current_packet_header%(%) : raw_pkt_hdr
+	%{
+	const Packet* p;
+
+	if ( current_pktsrc &&
+	     current_pktsrc->GetCurrentPacket(&p) )
+		{
+		return p->BuildPktHdrVal();
+		}
+
+	RecordVal* hdr = new RecordVal(raw_pkt_hdr_type);
+	return hdr;
+	%}
+
 ## Writes a given packet to a file.
 ##
 ## pkt: The PCAP packet.
@@ -3787,6 +3787,35 @@ function lookup_asn%(a: addr%) : count
 	return new Val(0, TYPE_COUNT);
 	%}
 
+## Calculates distance between two geographic locations using the haversine
+## formula.  Latitudes and longitudes must be given in degrees, where southern
+## hemispere latitudes are negative and western hemisphere longitudes are
+## negative.
+##
+## lat1: Latitude (in degrees) of location 1.
+##
+## long1: Longitude (in degrees) of location 1.
+##
+## lat2: Latitude (in degrees) of location 2.
+##
+## long2: Longitude (in degrees) of location 2.
+##
+## Returns: Distance in miles.
+##
+## .. bro:see:: haversine_distance_ip
+function haversine_distance%(lat1: double, long1: double, lat2: double, long2: double%): double
+	%{
+	const double PI = 3.14159;
+	const double RADIUS = 3958.8;  // Earth's radius in miles.
+
+	double s1 = sin((lat2 - lat1) * PI/360);
+	double s2 = sin((long2 - long1) * PI/360);
+	double a = s1 * s1 + cos(lat1 * PI/180) * cos(lat2 * PI/180) * s2 * s2;
+	double distance = 2 * RADIUS * asin(sqrt(a));
+
+	return new Val(distance, TYPE_DOUBLE);
+	%}
+
 ## Converts UNIX file permissions given by a mode to an ASCII string.
 ##
 ## mode: The permissions (an octal number like 0644 converted to decimal).
diff --git a/src/broker/CMakeLists.txt b/src/broker/CMakeLists.txt
index 7329bfd46e..988855cafb 100644
--- a/src/broker/CMakeLists.txt
+++ b/src/broker/CMakeLists.txt
@@ -10,8 +10,8 @@ if ( ROCKSDB_INCLUDE_DIR )
     include_directories(BEFORE ${ROCKSDB_INCLUDE_DIR})
 endif ()
 
-include_directories(BEFORE ${LIBCAF_INCLUDE_DIR_CORE})
-include_directories(BEFORE ${LIBCAF_INCLUDE_DIR_IO})
+include_directories(BEFORE ${CAF_INCLUDE_DIR_CORE})
+include_directories(BEFORE ${CAF_INCLUDE_DIR_IO})
 
 set(comm_SRCS
     Data.cc
diff --git a/src/broker/Data.cc b/src/broker/Data.cc
index 8f66427bb5..bc4197a974 100644
--- a/src/broker/Data.cc
+++ b/src/broker/Data.cc
@@ -318,25 +318,27 @@ struct val_converter {
 
 		auto rt = type->AsRecordType();
 		auto rval = new RecordVal(rt);
+		auto idx = 0u;
 
 		for ( auto i = 0u; i < static_cast<size_t>(rt->NumFields()); ++i )
 			{
 			if ( require_log_attr && ! rt->FieldDecl(i)->FindAttr(ATTR_LOG) )
 				continue;
 
-			if ( i >= a.fields.size() )
+			if ( idx >= a.fields.size() )
 				{
 				Unref(rval);
 				return nullptr;
 				}
 
-			if ( ! a.fields[i] )
+			if ( ! a.fields[idx] )
 				{
 				rval->Assign(i, nullptr);
+				++idx;
 				continue;
 				}
 
-			auto item_val = bro_broker::data_to_val(move(*a.fields[i]),
+			auto item_val = bro_broker::data_to_val(move(*a.fields[idx]),
 			                                        rt->FieldType(i));
 
 			if ( ! item_val )
@@ -346,6 +348,7 @@ struct val_converter {
 				}
 
 			rval->Assign(i, item_val);
+			++idx;
 			}
 
 		return rval;
@@ -539,7 +542,7 @@ broker::util::optional<broker::data> bro_broker::val_to_data(Val* v)
 		return {rval};
 		}
 	default:
-		reporter->Error("unsupported BrokerComm::Data type: %s",
+		reporter->Error("unsupported Broker::Data type: %s",
 		                type_name(v->Type()->Tag()));
 		break;
 	}
@@ -549,7 +552,7 @@ broker::util::optional<broker::data> bro_broker::val_to_data(Val* v)
 
 RecordVal* bro_broker::make_data_val(Val* v)
 	{
-	auto rval = new RecordVal(BifType::Record::BrokerComm::Data);
+	auto rval = new RecordVal(BifType::Record::Broker::Data);
 	auto data = val_to_data(v);
 
 	if ( data )
@@ -560,7 +563,7 @@ RecordVal* bro_broker::make_data_val(Val* v)
 
 RecordVal* bro_broker::make_data_val(broker::data d)
 	{
-	auto rval = new RecordVal(BifType::Record::BrokerComm::Data);
+	auto rval = new RecordVal(BifType::Record::Broker::Data);
 	rval->Assign(0, new DataVal(move(d)));
 	return rval;
 	}
@@ -570,92 +573,92 @@ struct data_type_getter {
 
 	result_type operator()(bool a)
 		{
-		return new EnumVal(BifEnum::BrokerComm::BOOL,
-		                   BifType::Enum::BrokerComm::DataType);
+		return new EnumVal(BifEnum::Broker::BOOL,
+		                   BifType::Enum::Broker::DataType);
 		}
 
 	result_type operator()(uint64_t a)
 		{
-		return new EnumVal(BifEnum::BrokerComm::COUNT,
-		                   BifType::Enum::BrokerComm::DataType);
+		return new EnumVal(BifEnum::Broker::COUNT,
+		                   BifType::Enum::Broker::DataType);
 		}
 
 	result_type operator()(int64_t a)
 		{
-		return new EnumVal(BifEnum::BrokerComm::INT,
-		                   BifType::Enum::BrokerComm::DataType);
+		return new EnumVal(BifEnum::Broker::INT,
+		                   BifType::Enum::Broker::DataType);
 		}
 
 	result_type operator()(double a)
 		{
-		return new EnumVal(BifEnum::BrokerComm::DOUBLE,
-		                   BifType::Enum::BrokerComm::DataType);
+		return new EnumVal(BifEnum::Broker::DOUBLE,
+		                   BifType::Enum::Broker::DataType);
 		}
 
 	result_type operator()(const std::string& a)
 		{
-		return new EnumVal(BifEnum::BrokerComm::STRING,
-		                   BifType::Enum::BrokerComm::DataType);
+		return new EnumVal(BifEnum::Broker::STRING,
+		                   BifType::Enum::Broker::DataType);
 		}
 
 	result_type operator()(const broker::address& a)
 		{
-		return new EnumVal(BifEnum::BrokerComm::ADDR,
-		                   BifType::Enum::BrokerComm::DataType);
+		return new EnumVal(BifEnum::Broker::ADDR,
+		                   BifType::Enum::Broker::DataType);
 		}
 
 	result_type operator()(const broker::subnet& a)
 		{
-		return new EnumVal(BifEnum::BrokerComm::SUBNET,
-		                   BifType::Enum::BrokerComm::DataType);
+		return new EnumVal(BifEnum::Broker::SUBNET,
+		                   BifType::Enum::Broker::DataType);
 		}
 
 	result_type operator()(const broker::port& a)
 		{
-		return new EnumVal(BifEnum::BrokerComm::PORT,
-		                   BifType::Enum::BrokerComm::DataType);
+		return new EnumVal(BifEnum::Broker::PORT,
+		                   BifType::Enum::Broker::DataType);
 		}
 
 	result_type operator()(const broker::time_point& a)
 		{
-		return new EnumVal(BifEnum::BrokerComm::TIME,
-		                   BifType::Enum::BrokerComm::DataType);
+		return new EnumVal(BifEnum::Broker::TIME,
+		                   BifType::Enum::Broker::DataType);
 		}
 
 	result_type operator()(const broker::time_duration& a)
 		{
-		return new EnumVal(BifEnum::BrokerComm::INTERVAL,
-		                   BifType::Enum::BrokerComm::DataType);
+		return new EnumVal(BifEnum::Broker::INTERVAL,
+		                   BifType::Enum::Broker::DataType);
 		}
 
 	result_type operator()(const broker::enum_value& a)
 		{
-		return new EnumVal(BifEnum::BrokerComm::ENUM,
-		                   BifType::Enum::BrokerComm::DataType);
+		return new EnumVal(BifEnum::Broker::ENUM,
+		                   BifType::Enum::Broker::DataType);
 		}
 
 	result_type operator()(const broker::set& a)
 		{
-		return new EnumVal(BifEnum::BrokerComm::SET,
-		                   BifType::Enum::BrokerComm::DataType);
+		return new EnumVal(BifEnum::Broker::SET,
+		                   BifType::Enum::Broker::DataType);
 		}
 
 	result_type operator()(const broker::table& a)
 		{
-		return new EnumVal(BifEnum::BrokerComm::TABLE,
-		                   BifType::Enum::BrokerComm::DataType);
+		return new EnumVal(BifEnum::Broker::TABLE,
+		                   BifType::Enum::Broker::DataType);
 		}
 
 	result_type operator()(const broker::vector& a)
 		{
-		return new EnumVal(BifEnum::BrokerComm::VECTOR,
-		                   BifType::Enum::BrokerComm::DataType);
+		return new EnumVal(BifEnum::Broker::VECTOR,
+		                   BifType::Enum::Broker::DataType);
 		}
 
 	result_type operator()(const broker::record& a)
 		{
-		return new EnumVal(BifEnum::BrokerComm::RECORD,
-		                   BifType::Enum::BrokerComm::DataType);
+		return new EnumVal(BifEnum::Broker::RECORD,
+		                   BifType::Enum::Broker::DataType);
 		}
 };
 
@@ -670,7 +673,7 @@ broker::data& bro_broker::opaque_field_to_data(RecordVal* v, Frame* f)
 
 	if ( ! d )
 		reporter->RuntimeError(f->GetCall()->GetLocationInfo(),
-		                       "BrokerComm::Data's opaque field is not set");
+		                       "Broker::Data's opaque field is not set");
 
 	return static_cast<DataVal*>(d)->data;
 	}
diff --git a/src/broker/Data.h b/src/broker/Data.h
index 84495056be..0045ad58ad 100644
--- a/src/broker/Data.h
+++ b/src/broker/Data.h
@@ -21,25 +21,25 @@ extern OpaqueType* opaque_of_record_iterator;
 TransportProto to_bro_port_proto(broker::port::protocol tp);
 
 /**
- * Create a BrokerComm::Data value from a Bro value.
+ * Create a Broker::Data value from a Bro value.
  * @param v the Bro value to convert to a Broker data value.
- * @return a BrokerComm::Data value, where the optional field is set if the conversion
+ * @return a Broker::Data value, where the optional field is set if the conversion
  * was possible, else it is unset.
  */
 RecordVal* make_data_val(Val* v);
 
 /**
- * Create a BrokerComm::Data value from a Broker data value.
+ * Create a Broker::Data value from a Broker data value.
  * @param d the Broker value to wrap in an opaque type.
- * @return a BrokerComm::Data value that wraps the Broker value.
+ * @return a Broker::Data value that wraps the Broker value.
  */
 RecordVal* make_data_val(broker::data d);
 
 /**
- * Get the type of Broker data that BrokerComm::Data wraps.
- * @param v a BrokerComm::Data value.
+ * Get the type of Broker data that Broker::Data wraps.
+ * @param v a Broker::Data value.
  * @param frame used to get location info upon error.
- * @return a BrokerComm::DataType value.
+ * @return a Broker::DataType value.
  */
 EnumVal* get_data_type(RecordVal* v, Frame* frame);
 
@@ -141,8 +141,8 @@ struct type_name_getter {
 };
 
 /**
- * Retrieve Broker data value associated with a BrokerComm::Data Bro value.
- * @param v a BrokerComm::Data value.
+ * Retrieve Broker data value associated with a Broker::Data Bro value.
+ * @param v a Broker::Data value.
  * @param f used to get location information on error.
  * @return a reference to the wrapped Broker data value.  A runtime interpreter
  * exception is thrown if the the optional opaque value of \a v is not set.
@@ -183,9 +183,9 @@ inline T& require_data_type(RecordVal* v, TypeTag tag, Frame* f)
 	}
 
 /**
- * Convert a BrokerComm::Data Bro value to a Bro value of a given type.
+ * Convert a Broker::Data Bro value to a Bro value of a given type.
  * @tparam a type that a Broker data variant may contain.
- * @param v a BrokerComm::Data value.
+ * @param v a Broker::Data value.
  * @param tag a Bro type to convert to.
  * @param f used to get location information on error.
  * A runtime interpret exception is thrown if trying to access a type which
@@ -243,7 +243,7 @@ public:
 
 	RecordIterator(RecordVal* v, TypeTag tag, Frame* f)
 	    : OpaqueVal(bro_broker::opaque_of_record_iterator),
-	      dat(require_data_type<broker::record>(v, TYPE_VECTOR, f)),
+	      dat(require_data_type<broker::record>(v, TYPE_RECORD, f)),
 	      it(dat.fields.begin())
 		{}
 
diff --git a/src/broker/Manager.cc b/src/broker/Manager.cc
index 06ece6d6c1..334b7f84f5 100644
--- a/src/broker/Manager.cc
+++ b/src/broker/Manager.cc
@@ -77,20 +77,20 @@ bool bro_broker::Manager::Enable(Val* broker_endpoint_flags)
 	if ( endpoint != nullptr )
 		return true;
 
-	auto send_flags_type = internal_type("BrokerComm::SendFlags")->AsRecordType();
+	auto send_flags_type = internal_type("Broker::SendFlags")->AsRecordType();
 	send_flags_self_idx = require_field(send_flags_type, "self");
 	send_flags_peers_idx = require_field(send_flags_type, "peers");
 	send_flags_unsolicited_idx = require_field(send_flags_type, "unsolicited");
 
 	log_id_type = internal_type("Log::ID")->AsEnumType();
 
-	bro_broker::opaque_of_data_type = new OpaqueType("BrokerComm::Data");
-	bro_broker::opaque_of_set_iterator = new OpaqueType("BrokerComm::SetIterator");
-	bro_broker::opaque_of_table_iterator = new OpaqueType("BrokerComm::TableIterator");
-	bro_broker::opaque_of_vector_iterator = new OpaqueType("BrokerComm::VectorIterator");
-	bro_broker::opaque_of_record_iterator = new OpaqueType("BrokerComm::RecordIterator");
-	bro_broker::opaque_of_store_handle = new OpaqueType("BrokerStore::Handle");
-	vector_of_data_type = new VectorType(internal_type("BrokerComm::Data")->Ref());
+	bro_broker::opaque_of_data_type = new OpaqueType("Broker::Data");
+	bro_broker::opaque_of_set_iterator = new OpaqueType("Broker::SetIterator");
+	bro_broker::opaque_of_table_iterator = new OpaqueType("Broker::TableIterator");
+	bro_broker::opaque_of_vector_iterator = new OpaqueType("Broker::VectorIterator");
+	bro_broker::opaque_of_record_iterator = new OpaqueType("Broker::RecordIterator");
+	bro_broker::opaque_of_store_handle = new OpaqueType("Broker::Handle");
+	vector_of_data_type = new VectorType(internal_type("Broker::Data")->Ref());
 
 	auto res = broker::init();
 
@@ -110,7 +110,7 @@ bool bro_broker::Manager::Enable(Val* broker_endpoint_flags)
 		}
 
 	const char* name;
-	auto name_from_script = internal_val("BrokerComm::endpoint_name")->AsString();
+	auto name_from_script = internal_val("Broker::endpoint_name")->AsString();
 
 	if ( name_from_script->Len() )
 		name = name_from_script->CheckString();
@@ -290,7 +290,7 @@ bool bro_broker::Manager::AutoEvent(string topic, Val* event, Val* flags)
 
 	if ( event->Type()->Tag() != TYPE_FUNC )
 		{
-		reporter->Error("BrokerComm::auto_event must operate on an event");
+		reporter->Error("Broker::auto_event must operate on an event");
 		return false;
 		}
 
@@ -298,7 +298,7 @@ bool bro_broker::Manager::AutoEvent(string topic, Val* event, Val* flags)
 
 	if ( event_val->Flavor() != FUNC_FLAVOR_EVENT )
 		{
-		reporter->Error("BrokerComm::auto_event must operate on an event");
+		reporter->Error("Broker::auto_event must operate on an event");
 		return false;
 		}
 
@@ -306,7 +306,7 @@ bool bro_broker::Manager::AutoEvent(string topic, Val* event, Val* flags)
 
 	if ( ! handler )
 		{
-		reporter->Error("BrokerComm::auto_event failed to lookup event '%s'",
+		reporter->Error("Broker::auto_event failed to lookup event '%s'",
 		                event_val->Name());
 		return false;
 		}
@@ -322,7 +322,7 @@ bool bro_broker::Manager::AutoEventStop(const string& topic, Val* event)
 
 	if ( event->Type()->Tag() != TYPE_FUNC )
 		{
-		reporter->Error("BrokerComm::auto_event_stop must operate on an event");
+		reporter->Error("Broker::auto_event_stop must operate on an event");
 		return false;
 		}
 
@@ -330,7 +330,7 @@ bool bro_broker::Manager::AutoEventStop(const string& topic, Val* event)
 
 	if ( event_val->Flavor() != FUNC_FLAVOR_EVENT )
 		{
-		reporter->Error("BrokerComm::auto_event_stop must operate on an event");
+		reporter->Error("Broker::auto_event_stop must operate on an event");
 		return false;
 		}
 
@@ -338,7 +338,7 @@ bool bro_broker::Manager::AutoEventStop(const string& topic, Val* event)
 
 	if ( ! handler )
 		{
-		reporter->Error("BrokerComm::auto_event_stop failed to lookup event '%s'",
+		reporter->Error("Broker::auto_event_stop failed to lookup event '%s'",
 		                event_val->Name());
 		return false;
 		}
@@ -353,7 +353,7 @@ RecordVal* bro_broker::Manager::MakeEventArgs(val_list* args)
 	if ( ! Enabled() )
 		return nullptr;
 
-	auto rval = new RecordVal(BifType::Record::BrokerComm::EventArgs);
+	auto rval = new RecordVal(BifType::Record::Broker::EventArgs);
 	auto arg_vec = new VectorVal(vector_of_data_type);
 	rval->Assign(1, arg_vec);
 	Func* func = 0;
@@ -368,7 +368,7 @@ RecordVal* bro_broker::Manager::MakeEventArgs(val_list* args)
 
 			if ( arg_val->Type()->Tag() != TYPE_FUNC )
 				{
-				reporter->Error("1st param of BrokerComm::event_args must be event");
+				reporter->Error("1st param of Broker::event_args must be event");
 				return rval;
 				}
 
@@ -376,7 +376,7 @@ RecordVal* bro_broker::Manager::MakeEventArgs(val_list* args)
 
 			if ( func->Flavor() != FUNC_FLAVOR_EVENT )
 				{
-				reporter->Error("1st param of BrokerComm::event_args must be event");
+				reporter->Error("1st param of Broker::event_args must be event");
 				return rval;
 				}
 
@@ -384,7 +384,7 @@ RecordVal* bro_broker::Manager::MakeEventArgs(val_list* args)
 
 			if ( num_args != args->length() - 1 )
 				{
-				reporter->Error("bad # of BrokerComm::event_args: got %d, expect %d",
+				reporter->Error("bad # of Broker::event_args: got %d, expect %d",
 				                args->length(), num_args + 1);
 				return rval;
 				}
@@ -398,7 +398,7 @@ RecordVal* bro_broker::Manager::MakeEventArgs(val_list* args)
 		if ( ! same_type((*args)[i]->Type(), expected_type) )
 			{
 			rval->Assign(0, 0);
-			reporter->Error("BrokerComm::event_args param %d type mismatch", i);
+			reporter->Error("Broker::event_args param %d type mismatch", i);
 			return rval;
 			}
 
@@ -408,7 +408,7 @@ RecordVal* bro_broker::Manager::MakeEventArgs(val_list* args)
 			{
 			Unref(data_val);
 			rval->Assign(0, 0);
-			reporter->Error("BrokerComm::event_args unsupported event/params");
+			reporter->Error("Broker::event_args unsupported event/params");
 			return rval;
 			}
 
@@ -584,7 +584,7 @@ struct response_converter {
 		case broker::store::query::tag::lookup:
 			// A boolean result means the key doesn't exist (if it did, then
 			// the result would contain the broker::data value, not a bool).
-			return new RecordVal(BifType::Record::BrokerComm::Data);
+			return new RecordVal(BifType::Record::Broker::Data);
 		default:
 			return bro_broker::make_data_val(broker::data{d});
 		}
@@ -639,36 +639,36 @@ void bro_broker::Manager::Process()
 		{
 		switch ( u.status ) {
 		case broker::outgoing_connection_status::tag::established:
-			if ( BrokerComm::outgoing_connection_established )
+			if ( Broker::outgoing_connection_established )
 				{
 				val_list* vl = new val_list;
 				vl->append(new StringVal(u.relation.remote_tuple().first));
 				vl->append(new PortVal(u.relation.remote_tuple().second,
 				                       TRANSPORT_TCP));
 				vl->append(new StringVal(u.peer_name));
-				mgr.QueueEvent(BrokerComm::outgoing_connection_established, vl);
+				mgr.QueueEvent(Broker::outgoing_connection_established, vl);
 				}
 			break;
 
 		case broker::outgoing_connection_status::tag::disconnected:
-			if ( BrokerComm::outgoing_connection_broken )
+			if ( Broker::outgoing_connection_broken )
 				{
 				val_list* vl = new val_list;
 				vl->append(new StringVal(u.relation.remote_tuple().first));
 				vl->append(new PortVal(u.relation.remote_tuple().second,
 				                       TRANSPORT_TCP));
-				mgr.QueueEvent(BrokerComm::outgoing_connection_broken, vl);
+				mgr.QueueEvent(Broker::outgoing_connection_broken, vl);
 				}
 			break;
 
 		case broker::outgoing_connection_status::tag::incompatible:
-			if ( BrokerComm::outgoing_connection_incompatible )
+			if ( Broker::outgoing_connection_incompatible )
 				{
 				val_list* vl = new val_list;
 				vl->append(new StringVal(u.relation.remote_tuple().first));
 				vl->append(new PortVal(u.relation.remote_tuple().second,
 				                       TRANSPORT_TCP));
-				mgr.QueueEvent(BrokerComm::outgoing_connection_incompatible, vl);
+				mgr.QueueEvent(Broker::outgoing_connection_incompatible, vl);
 				}
 			break;
 
@@ -684,20 +684,20 @@ void bro_broker::Manager::Process()
 		{
 		switch ( u.status ) {
 		case broker::incoming_connection_status::tag::established:
-			if ( BrokerComm::incoming_connection_established )
+			if ( Broker::incoming_connection_established )
 				{
 				val_list* vl = new val_list;
 				vl->append(new StringVal(u.peer_name));
-				mgr.QueueEvent(BrokerComm::incoming_connection_established, vl);
+				mgr.QueueEvent(Broker::incoming_connection_established, vl);
 				}
 			break;
 
 		case broker::incoming_connection_status::tag::disconnected:
-			if ( BrokerComm::incoming_connection_broken )
+			if ( Broker::incoming_connection_broken )
 				{
 				val_list* vl = new val_list;
 				vl->append(new StringVal(u.peer_name));
-				mgr.QueueEvent(BrokerComm::incoming_connection_broken, vl);
+				mgr.QueueEvent(Broker::incoming_connection_broken, vl);
 				}
 			break;
 
@@ -718,7 +718,7 @@ void bro_broker::Manager::Process()
 
 		ps.second.received += print_messages.size();
 
-		if ( ! BrokerComm::print_handler )
+		if ( ! Broker::print_handler )
 			continue;
 
 		for ( auto& pm : print_messages )
@@ -741,7 +741,7 @@ void bro_broker::Manager::Process()
 
 			val_list* vl = new val_list;
 			vl->append(new StringVal(move(*msg)));
-			mgr.QueueEvent(BrokerComm::print_handler, vl);
+			mgr.QueueEvent(Broker::print_handler, vl);
 			}
 		}
 
diff --git a/src/broker/Manager.h b/src/broker/Manager.h
index 9e1ac7a70b..9fb7b9e328 100644
--- a/src/broker/Manager.h
+++ b/src/broker/Manager.h
@@ -63,7 +63,7 @@ public:
 	/**
 	 * Enable use of communication.
 	 * @param flags used to tune the local Broker endpoint's behavior.
-	 * See the BrokerComm::EndpointFlags record type.
+	 * See the Broker::EndpointFlags record type.
 	 * @return true if communication is successfully initialized.
 	 */
 	bool Enable(Val* flags);
@@ -122,7 +122,7 @@ public:
 	 * of this topic name.
 	 * @param msg the string to send to peers.
 	 * @param flags tune the behavior of how the message is send.
-	 * See the BrokerComm::SendFlags record type.
+	 * See the Broker::SendFlags record type.
 	 * @return true if the message is sent successfully.
 	 */
 	bool Print(std::string topic, std::string msg, Val* flags);
@@ -135,7 +135,7 @@ public:
 	 * @param msg the event to send to peers, which is the name of the event
 	 * as a string followed by all of its arguments.
 	 * @param flags tune the behavior of how the message is send.
-	 * See the BrokerComm::SendFlags record type.
+	 * See the Broker::SendFlags record type.
 	 * @return true if the message is sent successfully.
 	 */
 	bool Event(std::string topic, broker::message msg, int flags);
@@ -146,9 +146,9 @@ public:
 	 * Peers advertise interest by registering a subscription to some prefix
 	 * of this topic name.
 	 * @param args the event and its arguments to send to peers.  See the
-	 * BrokerComm::EventArgs record type.
+	 * Broker::EventArgs record type.
 	 * @param flags tune the behavior of how the message is send.
-	 * See the BrokerComm::SendFlags record type.
+	 * See the Broker::SendFlags record type.
 	 * @return true if the message is sent successfully.
 	 */
 	bool Event(std::string topic, RecordVal* args, Val* flags);
@@ -160,7 +160,7 @@ public:
 	 * @param columns the data which comprises the log entry.
 	 * @param info the record type corresponding to the log's columns.
 	 * @param flags tune the behavior of how the message is send.
-	 * See the BrokerComm::SendFlags record type.
+	 * See the Broker::SendFlags record type.
 	 * @return true if the message is sent successfully.
 	 */
 	bool Log(EnumVal* stream_id, RecordVal* columns, RecordType* info,
@@ -174,7 +174,7 @@ public:
 	 * of this topic name.
 	 * @param event a Bro event value.
 	 * @param flags tune the behavior of how the message is send.
-	 * See the BrokerComm::SendFlags record type.
+	 * See the Broker::SendFlags record type.
 	 * @return true if automatic event sending is now enabled.
 	 */
 	bool AutoEvent(std::string topic, Val* event, Val* flags);
@@ -320,7 +320,7 @@ public:
 	Stats ConsumeStatistics();
 
 	/**
-	 * Convert BrokerComm::SendFlags to int flags for use with broker::send().
+	 * Convert Broker::SendFlags to int flags for use with broker::send().
 	 */
 	static int send_flags_to_int(Val* flags);
 
@@ -335,7 +335,7 @@ private:
 	void Process() override;
 
 	const char* Tag() override
-		{ return "BrokerComm::Manager"; }
+		{ return "Broker::Manager"; }
 
 	broker::endpoint& Endpoint()
 		{ return *endpoint; }
diff --git a/src/broker/Store.cc b/src/broker/Store.cc
index f9effa6d9e..97954bb328 100644
--- a/src/broker/Store.cc
+++ b/src/broker/Store.cc
@@ -14,12 +14,12 @@ OpaqueType* bro_broker::opaque_of_store_handle;
 
 bro_broker::StoreHandleVal::StoreHandleVal(broker::store::identifier id,
                                      bro_broker::StoreType arg_type,
-                                     broker::util::optional<BifEnum::BrokerStore::BackendType> arg_back,
+                                     broker::util::optional<BifEnum::Broker::BackendType> arg_back,
                                      RecordVal* backend_options, std::chrono::duration<double> resync)
 	: OpaqueVal(opaque_of_store_handle),
 	  store(), store_type(arg_type), backend_type(arg_back)
 	{
-	using BifEnum::BrokerStore::BackendType;
+	using BifEnum::Broker::BackendType;
 	std::unique_ptr<broker::store::backend> backend;
 
 	if ( backend_type )
@@ -91,7 +91,7 @@ bro_broker::StoreHandleVal::StoreHandleVal(broker::store::identifier id,
 
 void bro_broker::StoreHandleVal::ValDescribe(ODesc* d) const
 	{
-	using BifEnum::BrokerStore::BackendType;
+	using BifEnum::Broker::BackendType;
 	d->Add("broker::store::");
 
 	switch ( store_type ) {
diff --git a/src/broker/Store.h b/src/broker/Store.h
index 5823e0c3f8..4b673e70dc 100644
--- a/src/broker/Store.h
+++ b/src/broker/Store.h
@@ -25,9 +25,9 @@ enum StoreType {
 };
 
 /**
- * Create a BrokerStore::QueryStatus value.
+ * Create a Broker::QueryStatus value.
  * @param success whether the query status should be set to success or failure.
- * @return a BrokerStore::QueryStatus value.
+ * @return a Broker::QueryStatus value.
  */
 inline EnumVal* query_status(bool success)
 	{
@@ -37,34 +37,34 @@ inline EnumVal* query_status(bool success)
 
 	if ( ! store_query_status )
 		{
-		store_query_status = internal_type("BrokerStore::QueryStatus")->AsEnumType();
-		success_val = store_query_status->Lookup("BrokerStore", "SUCCESS");
-		failure_val = store_query_status->Lookup("BrokerStore", "FAILURE");
+		store_query_status = internal_type("Broker::QueryStatus")->AsEnumType();
+		success_val = store_query_status->Lookup("Broker", "SUCCESS");
+		failure_val = store_query_status->Lookup("Broker", "FAILURE");
 		}
 
 	return new EnumVal(success ? success_val : failure_val, store_query_status);
 	}
 
 /**
- * @return a BrokerStore::QueryResult value that has a BrokerStore::QueryStatus indicating
+ * @return a Broker::QueryResult value that has a Broker::QueryStatus indicating
  * a failure.
  */
 inline RecordVal* query_result()
 	{
-	auto rval = new RecordVal(BifType::Record::BrokerStore::QueryResult);
+	auto rval = new RecordVal(BifType::Record::Broker::QueryResult);
 	rval->Assign(0, query_status(false));
-	rval->Assign(1, new RecordVal(BifType::Record::BrokerComm::Data));
+	rval->Assign(1, new RecordVal(BifType::Record::Broker::Data));
 	return rval;
 	}
 
 /**
  * @param data the result of the query.
- * @return a BrokerStore::QueryResult value that has a BrokerStore::QueryStatus indicating
+ * @return a Broker::QueryResult value that has a Broker::QueryStatus indicating
  * a success.
  */
 inline RecordVal* query_result(RecordVal* data)
 	{
-	auto rval = new RecordVal(BifType::Record::BrokerStore::QueryResult);
+	auto rval = new RecordVal(BifType::Record::Broker::QueryResult);
 	rval->Assign(0, query_status(true));
 	rval->Assign(1, data);
 	return rval;
@@ -130,7 +130,7 @@ public:
 
 	StoreHandleVal(broker::store::identifier id,
 		       bro_broker::StoreType arg_type,
-		       broker::util::optional<BifEnum::BrokerStore::BackendType> arg_back,
+		       broker::util::optional<BifEnum::Broker::BackendType> arg_back,
 		       RecordVal* backend_options,
 		       std::chrono::duration<double> resync = std::chrono::seconds(1));
 
@@ -140,7 +140,7 @@ public:
 
 	broker::store::frontend* store;
 	bro_broker::StoreType store_type;
-	broker::util::optional<BifEnum::BrokerStore::BackendType> backend_type;
+	broker::util::optional<BifEnum::Broker::BackendType> backend_type;
 
 protected:
 
diff --git a/src/broker/comm.bif b/src/broker/comm.bif
index f8dd546965..3bc8fa7dff 100644
--- a/src/broker/comm.bif
+++ b/src/broker/comm.bif
@@ -5,139 +5,102 @@
 #include "broker/Manager.h"
 %%}
 
-module BrokerComm;
+module Broker;
 
-type BrokerComm::EndpointFlags: record;
+type Broker::EndpointFlags: record;
 
-## Enable use of communication.
-##
-## flags: used to tune the local Broker endpoint behavior.
-##
-## Returns: true if communication is successfully initialized.
-function BrokerComm::enable%(flags: EndpointFlags &default = EndpointFlags()%): bool
+function Broker::__enable%(flags: EndpointFlags%): bool
 	%{
 	return new Val(broker_mgr->Enable(flags), TYPE_BOOL);
 	%}
 
-## Changes endpoint flags originally supplied to :bro:see:`BrokerComm::enable`.
-##
-## flags: the new endpoint behavior flags to use.
-##
-## Returns: true if flags were changed.
-function BrokerComm::set_endpoint_flags%(flags: EndpointFlags &default = EndpointFlags()%): bool
+function Broker::__set_endpoint_flags%(flags: EndpointFlags%): bool
 	%{
 	return new Val(broker_mgr->SetEndpointFlags(flags), TYPE_BOOL);
 	%}
 
-## Allow sending messages to peers if associated with the given topic.
-## This has no effect if auto publication behavior is enabled via the flags
-## supplied to :bro:see:`BrokerComm::enable` or :bro:see:`BrokerComm::set_endpoint_flags`.
-##
-## topic: a topic to allow messages to be published under.
-##
-## Returns: true if successful.
-function BrokerComm::publish_topic%(topic: string%): bool
+function Broker::__publish_topic%(topic: string%): bool
 	%{
 	return new Val(broker_mgr->PublishTopic(topic->CheckString()), TYPE_BOOL);
 	%}
 
-## Disallow sending messages to peers if associated with the given topic.
-## This has no effect if auto publication behavior is enabled via the flags
-## supplied to :bro:see:`BrokerComm::enable` or :bro:see:`BrokerComm::set_endpoint_flags`.
-##
-## topic: a topic to disallow messages to be published under.
-##
-## Returns: true if successful.
-function BrokerComm::unpublish_topic%(topic: string%): bool
+function Broker::__unpublish_topic%(topic: string%): bool
 	%{
 	return new Val(broker_mgr->UnpublishTopic(topic->CheckString()), TYPE_BOOL);
 	%}
 
 ## Allow advertising interest in the given topic to peers.
 ## This has no effect if auto advertise behavior is enabled via the flags
-## supplied to :bro:see:`BrokerComm::enable` or :bro:see:`BrokerComm::set_endpoint_flags`.
+## supplied to :bro:see:`Broker::enable` or :bro:see:`Broker::set_endpoint_flags`.
 ##
 ## topic: a topic to allow advertising interest/subscription to peers.
 ##
 ## Returns: true if successful.
-function BrokerComm::advertise_topic%(topic: string%): bool
+function Broker::advertise_topic%(topic: string%): bool
 	%{
 	return new Val(broker_mgr->AdvertiseTopic(topic->CheckString()), TYPE_BOOL);
 	%}
 
 ## Disallow advertising interest in the given topic to peers.
 ## This has no effect if auto advertise behavior is enabled via the flags
-## supplied to :bro:see:`BrokerComm::enable` or :bro:see:`BrokerComm::set_endpoint_flags`.
+## supplied to :bro:see:`Broker::enable` or :bro:see:`Broker::set_endpoint_flags`.
 ##
 ## topic: a topic to disallow advertising interest/subscription to peers.
 ##
 ## Returns: true if successful.
-function BrokerComm::unadvertise_topic%(topic: string%): bool
+function Broker::unadvertise_topic%(topic: string%): bool
 	%{
 	return new Val(broker_mgr->UnadvertiseTopic(topic->CheckString()), TYPE_BOOL);
 	%}
 
 ## Generated when a connection has been established due to a previous call
-## to :bro:see:`BrokerComm::connect`.
+## to :bro:see:`Broker::connect`.
 ##
 ## peer_address: the address used to connect to the peer.
 ##
 ## peer_port: the port used to connect to the peer.
 ##
 ## peer_name: the name by which the peer identified itself.
-event BrokerComm::outgoing_connection_established%(peer_address: string,
+event Broker::outgoing_connection_established%(peer_address: string,
                                              peer_port: port,
                                              peer_name: string%);
 
 ## Generated when a previously established connection becomes broken.
 ## Reconnection will automatically be attempted at a frequency given
-## by the original call to :bro:see:`BrokerComm::connect`.
+## by the original call to :bro:see:`Broker::connect`.
 ##
 ## peer_address: the address used to connect to the peer.
 ##
 ## peer_port: the port used to connect to the peer.
 ##
-## .. bro:see:: BrokerComm::outgoing_connection_established
-event BrokerComm::outgoing_connection_broken%(peer_address: string,
+## .. bro:see:: Broker::outgoing_connection_established
+event Broker::outgoing_connection_broken%(peer_address: string,
                                         peer_port: port%);
 
-## Generated when a connection via :bro:see:`BrokerComm::connect` has failed
+## Generated when a connection via :bro:see:`Broker::connect` has failed
 ## because the remote side is incompatible.
 ##
 ## peer_address: the address used to connect to the peer.
 ##
 ## peer_port: the port used to connect to the peer.
-event BrokerComm::outgoing_connection_incompatible%(peer_address: string,
+event Broker::outgoing_connection_incompatible%(peer_address: string,
                                               peer_port: port%);
 
 ## Generated when a peer has established a connection with this process
-## as a result of previously performing a :bro:see:`BrokerComm::listen`.
+## as a result of previously performing a :bro:see:`Broker::listen`.
 ##
 ## peer_name: the name by which the peer identified itself.
-event BrokerComm::incoming_connection_established%(peer_name: string%);
+event Broker::incoming_connection_established%(peer_name: string%);
 
 ## Generated when a peer that previously established a connection with this
 ## process becomes disconnected.
 ##
 ## peer_name: the name by which the peer identified itself.
 ##
-## .. bro:see:: BrokerComm::incoming_connection_established
-event BrokerComm::incoming_connection_broken%(peer_name: string%);
+## .. bro:see:: Broker::incoming_connection_established
+event Broker::incoming_connection_broken%(peer_name: string%);
 
-## Listen for remote connections.
-##
-## p: the TCP port to listen on.
-##
-## a: an address string on which to accept connections, e.g.
-##    "127.0.0.1".  An empty string refers to @p INADDR_ANY.
-##
-## reuse: equivalent to behavior of SO_REUSEADDR.
-##
-## Returns: true if the local endpoint is now listening for connections.
-##
-## .. bro:see:: BrokerComm::incoming_connection_established
-function BrokerComm::listen%(p: port, a: string &default = "",
-					   reuse: bool &default = T%): bool
+function Broker::__listen%(p: port, a: string, reuse: bool%): bool
 	%{
 	if ( ! p->IsTCP() )
 		{
@@ -150,22 +113,7 @@ function BrokerComm::listen%(p: port, a: string &default = "",
 	return new Val(rval, TYPE_BOOL);
 	%}
 
-## Initiate a remote connection.
-##
-## a: an address to connect to, e.g. "localhost" or "127.0.0.1".
-##
-## p: the TCP port on which the remote side is listening.
-##
-## retry: an interval at which to retry establishing the
-##        connection with the remote peer if it cannot be made initially, or
-##        if it ever becomes disconnected.
-##
-## Returns: true if it's possible to try connecting with the peer and
-##          it's a new peer.  The actual connection may not be established
-##          until a later point in time.
-##
-## .. bro:see:: BrokerComm::outgoing_connection_established
-function BrokerComm::connect%(a: string, p: port, retry: interval%): bool
+function Broker::__connect%(a: string, p: port, retry: interval%): bool
 	%{
 	if ( ! p->IsTCP() )
 		{
@@ -178,15 +126,7 @@ function BrokerComm::connect%(a: string, p: port, retry: interval%): bool
 	return new Val(rval, TYPE_BOOL);
 	%}
 
-## Remove a remote connection.
-##
-## a: the address used in previous successful call to :bro:see:`BrokerComm::connect`.
-##
-## p: the port used in previous successful call to :bro:see:`BrokerComm::connect`.
-##
-## Returns: true if the arguments match a previously successful call to
-##          :bro:see:`BrokerComm::connect`.
-function BrokerComm::disconnect%(a: string, p: port%): bool
+function Broker::__disconnect%(a: string, p: port%): bool
 	%{
 	if ( ! p->IsTCP() )
 		{
diff --git a/src/broker/data.bif b/src/broker/data.bif
index 9ea1ca1e86..d526d0a779 100644
--- a/src/broker/data.bif
+++ b/src/broker/data.bif
@@ -5,9 +5,9 @@
 #include "broker/Data.h"
 %%}
 
-module BrokerComm;
+module Broker;
 
-## Enumerates the possible types that :bro:see:`BrokerComm::Data` may be in
+## Enumerates the possible types that :bro:see:`Broker::Data` may be in
 ## terms of Bro data types.
 enum DataType %{
 	BOOL,
@@ -27,97 +27,48 @@ enum DataType %{
 	RECORD,
 %}
 
-type BrokerComm::Data: record;
+type Broker::Data: record;
 
-type BrokerComm::TableItem: record;
+type Broker::TableItem: record;
 
-## Convert any Bro value to communication data.
-##
-## d: any Bro value to attempt to convert (not all types are supported).
-##
-## Returns: the converted communication data.  The returned record's optional
-##          field will not be set if the conversion was not possible (this can
-##          happen if the Bro data type does not support being converted to
-##          communication data).
-function BrokerComm::data%(d: any%): BrokerComm::Data
+function Broker::__data%(d: any%): Broker::Data
 	%{
 	return bro_broker::make_data_val(d);
 	%}
 
-## Retrieve the type of data associated with communication data.
-##
-## d: the communication data.
-##
-## Returns: the data type associated with the communication data.
-function BrokerComm::data_type%(d: BrokerComm::Data%): BrokerComm::DataType
+function Broker::__data_type%(d: Broker::Data%): Broker::DataType
 	%{
 	return bro_broker::get_data_type(d->AsRecordVal(), frame);
 	%}
 
-## Convert communication data with a type of :bro:see:`BrokerComm::BOOL` to
-## an actual Bro value.
-##
-## d: the communication data to convert.
-##
-## Returns: the value retrieved from the communication data.
-function BrokerComm::refine_to_bool%(d: BrokerComm::Data%): bool
+function Broker::__refine_to_bool%(d: Broker::Data%): bool
 	%{
 	return bro_broker::refine<bool>(d->AsRecordVal(), TYPE_BOOL, frame);
 	%}
 
-## Convert communication data with a type of :bro:see:`BrokerComm::INT` to
-## an actual Bro value.
-##
-## d: the communication data to convert.
-##
-## Returns: the value retrieved from the communication data.
-function BrokerComm::refine_to_int%(d: BrokerComm::Data%): int
+function Broker::__refine_to_int%(d: Broker::Data%): int
 	%{
 	return bro_broker::refine<int64_t>(d->AsRecordVal(), TYPE_INT, frame);
 	%}
 
-## Convert communication data with a type of :bro:see:`BrokerComm::COUNT` to
-## an actual Bro value.
-##
-## d: the communication data to convert.
-##
-## Returns: the value retrieved from the communication data.
-function BrokerComm::refine_to_count%(d: BrokerComm::Data%): count
+function Broker::__refine_to_count%(d: Broker::Data%): count
 	%{
 	return bro_broker::refine<uint64_t>(d->AsRecordVal(), TYPE_COUNT, frame);
 	%}
 
-## Convert communication data with a type of :bro:see:`BrokerComm::DOUBLE` to
-## an actual Bro value.
-##
-## d: the communication data to convert.
-##
-## Returns: the value retrieved from the communication data.
-function BrokerComm::refine_to_double%(d: BrokerComm::Data%): double
+function Broker::__refine_to_double%(d: Broker::Data%): double
 	%{
 	return bro_broker::refine<double>(d->AsRecordVal(), TYPE_DOUBLE, frame);
 	%}
 
-## Convert communication data with a type of :bro:see:`BrokerComm::STRING` to
-## an actual Bro value.
-##
-## d: the communication data to convert.
-##
-## Returns: the value retrieved from the communication data.
-function BrokerComm::refine_to_string%(d: BrokerComm::Data%): string
+function Broker::__refine_to_string%(d: Broker::Data%): string
 	%{
 	return new StringVal(bro_broker::require_data_type<std::string>(d->AsRecordVal(),
 												              TYPE_STRING,
 															  frame));
 	%}
 
-## Convert communication data with a type of :bro:see:`BrokerComm::ADDR` to
-## an actual Bro value.
-##
-## d: the communication data to convert.
-##
-## Returns: the value retrieved from the communication data.
-function BrokerComm::refine_to_addr%(d: BrokerComm::Data%): addr
+function Broker::__refine_to_addr%(d: Broker::Data%): addr
 	%{
 	auto& a = bro_broker::require_data_type<broker::address>(d->AsRecordVal(),
 													   TYPE_ADDR, frame);
@@ -125,13 +76,7 @@ function BrokerComm::refine_to_addr%(d: BrokerComm::Data%): addr
 	return new AddrVal(IPAddr(*bits));
 	%}
 
-## Convert communication data with a type of :bro:see:`BrokerComm::SUBNET` to
-## an actual Bro value.
-##
-## d: the communication data to convert.
-##
-## Returns: the value retrieved from the communication data.
-function BrokerComm::refine_to_subnet%(d: BrokerComm::Data%): subnet
+function Broker::__refine_to_subnet%(d: Broker::Data%): subnet
 	%{
 	auto& a = bro_broker::require_data_type<broker::subnet>(d->AsRecordVal(),
 													  TYPE_SUBNET, frame);
@@ -139,71 +84,40 @@ function BrokerComm::refine_to_subnet%(d: BrokerComm::Data%): subnet
 	return new SubNetVal(IPPrefix(IPAddr(*bits), a.length()));
 	%}
 
-## Convert communication data with a type of :bro:see:`BrokerComm::PORT` to
-## an actual Bro value.
-##
-## d: the communication data to convert.
-##
-## Returns: the value retrieved from the communication data.
-function BrokerComm::refine_to_port%(d: BrokerComm::Data%): port
+function Broker::__refine_to_port%(d: Broker::Data%): port
 	%{
 	auto& a = bro_broker::require_data_type<broker::port>(d->AsRecordVal(),
-													TYPE_SUBNET, frame);
+													TYPE_PORT, frame);
 	return new PortVal(a.number(), bro_broker::to_bro_port_proto(a.type()));
 	%}
 
-## Convert communication data with a type of :bro:see:`BrokerComm::TIME` to
-## an actual Bro value.
-##
-## d: the communication data to convert.
-##
-## Returns: the value retrieved from the communication data.
-function BrokerComm::refine_to_time%(d: BrokerComm::Data%): time
+function Broker::__refine_to_time%(d: Broker::Data%): time
 	%{
 	auto v = bro_broker::require_data_type<broker::time_point>(d->AsRecordVal(),
 														TYPE_TIME, frame).value;
 	return new Val(v, TYPE_TIME);
 	%}
 
-## Convert communication data with a type of :bro:see:`BrokerComm::INTERVAL` to
-## an actual Bro value.
-##
-## d: the communication data to convert.
-##
-## Returns: the value retrieved from the communication data.
-function BrokerComm::refine_to_interval%(d: BrokerComm::Data%): interval
+function Broker::__refine_to_interval%(d: Broker::Data%): interval
 	%{
 	auto v = bro_broker::require_data_type<broker::time_duration>(d->AsRecordVal(),
-														TYPE_TIME, frame).value;
+														TYPE_INTERVAL, frame).value;
 	return new Val(v, TYPE_INTERVAL);
 	%}
 
-## Convert communication data with a type of :bro:see:`BrokerComm::ENUM` to
-## the name of the enum value.  :bro:see:`lookup_ID` may be used to convert
-## the name to the actual enum value.
-##
-## d: the communication data to convert.
-##
-## Returns: the enum name retrieved from the communication data.
-function BrokerComm::refine_to_enum_name%(d: BrokerComm::Data%): string
+function Broker::__refine_to_enum_name%(d: Broker::Data%): string
 	%{
 	auto& v = bro_broker::require_data_type<broker::enum_value>(d->AsRecordVal(),
 														TYPE_ENUM, frame).name;
 	return new StringVal(v);
 	%}
 
-## Create communication data of type "set".
-function BrokerComm::set_create%(%): BrokerComm::Data
+function Broker::__set_create%(%): Broker::Data
 	%{
 	return bro_broker::make_data_val(broker::set());
 	%}
 
-## Remove all elements within a set.
-##
-## s: the set to clear.
-##
-## Returns: always true.
-function BrokerComm::set_clear%(s: BrokerComm::Data%): bool
+function Broker::__set_clear%(s: Broker::Data%): bool
 	%{
 	auto& v = bro_broker::require_data_type<broker::set>(s->AsRecordVal(), TYPE_TABLE,
 												   frame);
@@ -211,26 +125,14 @@ function BrokerComm::set_clear%(s: BrokerComm::Data%): bool
 	return new Val(true, TYPE_BOOL);
 	%}
 
-## Get the number of elements within a set.
-##
-## s: the set to query.
-##
-## Returns: the number of elements in the set.
-function BrokerComm::set_size%(s: BrokerComm::Data%): count
+function Broker::__set_size%(s: Broker::Data%): count
 	%{
 	auto& v = bro_broker::require_data_type<broker::set>(s->AsRecordVal(), TYPE_TABLE,
 												   frame);
 	return new Val(static_cast<uint64_t>(v.size()), TYPE_COUNT);
 	%}
 
-## Check if a set contains a particular element.
-##
-## s: the set to query.
-##
-## key: the element to check for existence.
-##
-## Returns: true if the key exists in the set.
-function BrokerComm::set_contains%(s: BrokerComm::Data, key: BrokerComm::Data%): bool
+function Broker::__set_contains%(s: Broker::Data, key: Broker::Data%): bool
 	%{
 	auto& v = bro_broker::require_data_type<broker::set>(s->AsRecordVal(), TYPE_TABLE,
 												   frame);
@@ -238,14 +140,7 @@ function BrokerComm::set_contains%(s: BrokerComm::Data, key: BrokerComm::Data%):
 	return new Val(v.find(k) != v.end(), TYPE_BOOL);
 	%}
 
-## Insert an element into a set.
-##
-## s: the set to modify.
-##
-## key: the element to insert.
-##
-## Returns: true if the key was inserted, or false if it already existed.
-function BrokerComm::set_insert%(s: BrokerComm::Data, key: BrokerComm::Data%): bool
+function Broker::__set_insert%(s: Broker::Data, key: Broker::Data%): bool
 	%{
 	auto& v = bro_broker::require_data_type<broker::set>(s->AsRecordVal(), TYPE_TABLE,
 												   frame);
@@ -253,14 +148,7 @@ function BrokerComm::set_insert%(s: BrokerComm::Data, key: BrokerComm::Data%): b
 	return new Val(v.insert(k).second, TYPE_BOOL);
 	%}
 
-## Remove an element from a set.
-##
-## s: the set to modify.
-##
-## key: the element to remove.
-##
-## Returns: true if the element existed in the set and is now removed.
-function BrokerComm::set_remove%(s: BrokerComm::Data, key: BrokerComm::Data%): bool
+function Broker::__set_remove%(s: Broker::Data, key: Broker::Data%): bool
 	%{
 	auto& v = bro_broker::require_data_type<broker::set>(s->AsRecordVal(), TYPE_TABLE,
 												   frame);
@@ -268,37 +156,18 @@ function BrokerComm::set_remove%(s: BrokerComm::Data, key: BrokerComm::Data%): b
 	return new Val(v.erase(k) > 0, TYPE_BOOL);
 	%}
 
-## Create an iterator for a set.  Note that this makes a copy of the set
-## internally to ensure the iterator is always valid.
-##
-## s: the set to iterate over.
-##
-## Returns: an iterator.
-function BrokerComm::set_iterator%(s: BrokerComm::Data%): opaque of BrokerComm::SetIterator
+function Broker::__set_iterator%(s: Broker::Data%): opaque of Broker::SetIterator
 	%{
 	return new bro_broker::SetIterator(s->AsRecordVal(), TYPE_TABLE, frame);
 	%}
 
-## Check if there are no more elements to iterate over.
-##
-## it: an iterator.
-##
-## Returns: true if there are no more elements to iterator over, i.e.
-##          the iterator is one-past-the-final-element.
-function BrokerComm::set_iterator_last%(it: opaque of BrokerComm::SetIterator%): bool
+function Broker::__set_iterator_last%(it: opaque of Broker::SetIterator%): bool
 	%{
 	auto set_it = static_cast<bro_broker::SetIterator*>(it);
 	return new Val(set_it->it == set_it->dat.end(), TYPE_BOOL);
 	%}
 
-## Advance an iterator.
-##
-## it: an iterator.
-##
-## Returns: true if the iterator, after advancing, still references an element
-##          in the collection.  False if the iterator, after advancing, is
-##          one-past-the-final-element.
-function BrokerComm::set_iterator_next%(it: opaque of BrokerComm::SetIterator%): bool
+function Broker::__set_iterator_next%(it: opaque of Broker::SetIterator%): bool
 	%{
 	auto set_it = static_cast<bro_broker::SetIterator*>(it);
 
@@ -309,15 +178,10 @@ function BrokerComm::set_iterator_next%(it: opaque of BrokerComm::SetIterator%):
 	return new Val(set_it->it != set_it->dat.end(), TYPE_BOOL);
 	%}
 
-## Retrieve the data at an iterator's current position.
-##
-## it: an iterator.
-##
-## Returns: element in the collection that the iterator currently references.
-function BrokerComm::set_iterator_value%(it: opaque of BrokerComm::SetIterator%): BrokerComm::Data
+function Broker::__set_iterator_value%(it: opaque of Broker::SetIterator%): Broker::Data
 	%{
 	auto set_it = static_cast<bro_broker::SetIterator*>(it);
-	auto rval = new RecordVal(BifType::Record::BrokerComm::Data);
+	auto rval = new RecordVal(BifType::Record::Broker::Data);
 
 	if ( set_it->it == set_it->dat.end() )
 		{
@@ -331,18 +195,12 @@ function BrokerComm::set_iterator_value%(it: opaque of BrokerComm::SetIterator%)
 	return rval;
 	%}
 
-## Create communication data of type "table".
-function BrokerComm::table_create%(%): BrokerComm::Data
+function Broker::__table_create%(%): Broker::Data
 	%{
 	return bro_broker::make_data_val(broker::table());
 	%}
 
-## Remove all elements within a table.
-##
-## t: the table to clear.
-##
-## Returns: always true.
-function BrokerComm::table_clear%(t: BrokerComm::Data%): bool
+function Broker::__table_clear%(t: Broker::Data%): bool
 	%{
 	auto& v = bro_broker::require_data_type<broker::table>(t->AsRecordVal(),
 													 TYPE_TABLE, frame);
@@ -350,26 +208,14 @@ function BrokerComm::table_clear%(t: BrokerComm::Data%): bool
 	return new Val(true, TYPE_BOOL);
 	%}
 
-## Get the number of elements within a table.
-##
-## t: the table to query.
-##
-## Returns: the number of elements in the table.
-function BrokerComm::table_size%(t: BrokerComm::Data%): count
+function Broker::__table_size%(t: Broker::Data%): count
 	%{
 	auto& v = bro_broker::require_data_type<broker::table>(t->AsRecordVal(),
 													 TYPE_TABLE, frame);
 	return new Val(static_cast<uint64_t>(v.size()), TYPE_COUNT);
 	%}
 
-## Check if a table contains a particular key.
-##
-## t: the table to query.
-##
-## key: the key to check for existence.
-##
-## Returns: true if the key exists in the table.
-function BrokerComm::table_contains%(t: BrokerComm::Data, key: BrokerComm::Data%): bool
+function Broker::__table_contains%(t: Broker::Data, key: Broker::Data%): bool
 	%{
 	auto& v = bro_broker::require_data_type<broker::table>(t->AsRecordVal(),
 													 TYPE_TABLE, frame);
@@ -377,17 +223,7 @@ function BrokerComm::table_contains%(t: BrokerComm::Data, key: BrokerComm::Data%
 	return new Val(v.find(k) != v.end(), TYPE_BOOL);
 	%}
 
-## Insert a key-value pair into a table.
-##
-## t: the table to modify.
-##
-## key: the key at which to insert the value.
-##
-## val: the value to insert.
-##
-## Returns: true if the key-value pair was inserted, or false if the key
-##          already existed in the table.
-function BrokerComm::table_insert%(t: BrokerComm::Data, key: BrokerComm::Data, val: BrokerComm::Data%): BrokerComm::Data
+function Broker::__table_insert%(t: Broker::Data, key: Broker::Data, val: Broker::Data%): Broker::Data
 	%{
 	auto& table = bro_broker::require_data_type<broker::table>(t->AsRecordVal(),
 													     TYPE_TABLE, frame);
@@ -404,19 +240,11 @@ function BrokerComm::table_insert%(t: BrokerComm::Data, key: BrokerComm::Data, v
 	catch (const std::out_of_range&)
 		{
 		table[k] = v;
-		return new RecordVal(BifType::Record::BrokerComm::Data);
+		return new RecordVal(BifType::Record::Broker::Data);
 		}
 	%}
 
-## Remove a key-value pair from a table.
-##
-## t: the table to modify.
-##
-## key: the key to remove from the table.
-##
-## Returns: the value associated with the key.  If the key did not exist, then
-##          the optional field of the returned record is not set.
-function BrokerComm::table_remove%(t: BrokerComm::Data, key: BrokerComm::Data%): BrokerComm::Data
+function Broker::__table_remove%(t: Broker::Data, key: Broker::Data%): Broker::Data
 	%{
 	auto& table = bro_broker::require_data_type<broker::table>(t->AsRecordVal(),
 													     TYPE_TABLE, frame);
@@ -424,7 +252,7 @@ function BrokerComm::table_remove%(t: BrokerComm::Data, key: BrokerComm::Data%):
 	auto it = table.find(k);
 
 	if ( it == table.end() )
-		return new RecordVal(BifType::Record::BrokerComm::Data);
+		return new RecordVal(BifType::Record::Broker::Data);
 	else
 		{
 		auto rval = bro_broker::make_data_val(move(it->second));
@@ -433,15 +261,7 @@ function BrokerComm::table_remove%(t: BrokerComm::Data, key: BrokerComm::Data%):
 		}
 	%}
 
-## Retrieve a value from a table.
-##
-## t: the table to query.
-##
-## key: the key to lookup.
-##
-## Returns: the value associated with the key.  If the key did not exist, then
-##          the optional field of the returned record is not set.
-function BrokerComm::table_lookup%(t: BrokerComm::Data, key: BrokerComm::Data%): BrokerComm::Data
+function Broker::__table_lookup%(t: Broker::Data, key: Broker::Data%): Broker::Data
 	%{
 	auto& table = bro_broker::require_data_type<broker::table>(t->AsRecordVal(),
 													     TYPE_TABLE, frame);
@@ -449,42 +269,23 @@ function BrokerComm::table_lookup%(t: BrokerComm::Data, key: BrokerComm::Data%):
 	auto it = table.find(k);
 
 	if ( it == table.end() )
-		return new RecordVal(BifType::Record::BrokerComm::Data);
+		return new RecordVal(BifType::Record::Broker::Data);
 	else
 		return bro_broker::make_data_val(it->second);
 	%}
 
-## Create an iterator for a table.  Note that this makes a copy of the table
-## internally to ensure the iterator is always valid.
-##
-## t: the table to iterate over.
-##
-## Returns: an iterator.
-function BrokerComm::table_iterator%(t: BrokerComm::Data%): opaque of BrokerComm::TableIterator
+function Broker::__table_iterator%(t: Broker::Data%): opaque of Broker::TableIterator
 	%{
 	return new bro_broker::TableIterator(t->AsRecordVal(), TYPE_TABLE, frame);
 	%}
 
-## Check if there are no more elements to iterate over.
-##
-## it: an iterator.
-##
-## Returns: true if there are no more elements to iterator over, i.e.
-##          the iterator is one-past-the-final-element.
-function BrokerComm::table_iterator_last%(it: opaque of BrokerComm::TableIterator%): bool
+function Broker::__table_iterator_last%(it: opaque of Broker::TableIterator%): bool
 	%{
 	auto ti = static_cast<bro_broker::TableIterator*>(it);
 	return new Val(ti->it == ti->dat.end(), TYPE_BOOL);
 	%}
 
-## Advance an iterator.
-##
-## it: an iterator.
-##
-## Returns: true if the iterator, after advancing, still references an element
-##          in the collection.  False if the iterator, after advancing, is
-##          one-past-the-final-element.
-function BrokerComm::table_iterator_next%(it: opaque of BrokerComm::TableIterator%): bool
+function Broker::__table_iterator_next%(it: opaque of Broker::TableIterator%): bool
 	%{
 	auto ti = static_cast<bro_broker::TableIterator*>(it);
 
@@ -495,17 +296,12 @@ function BrokerComm::table_iterator_next%(it: opaque of BrokerComm::TableIterato
 	return new Val(ti->it != ti->dat.end(), TYPE_BOOL);
 	%}
 
-## Retrieve the data at an iterator's current position.
-##
-## it: an iterator.
-##
-## Returns: element in the collection that the iterator currently references.
-function BrokerComm::table_iterator_value%(it: opaque of BrokerComm::TableIterator%): BrokerComm::TableItem
+function Broker::__table_iterator_value%(it: opaque of Broker::TableIterator%): Broker::TableItem
 	%{
 	auto ti = static_cast<bro_broker::TableIterator*>(it);
-	auto rval = new RecordVal(BifType::Record::BrokerComm::TableItem);
-	auto key_val = new RecordVal(BifType::Record::BrokerComm::Data);
-	auto val_val = new RecordVal(BifType::Record::BrokerComm::Data);
+	auto rval = new RecordVal(BifType::Record::Broker::TableItem);
+	auto key_val = new RecordVal(BifType::Record::Broker::Data);
+	auto val_val = new RecordVal(BifType::Record::Broker::Data);
 	rval->Assign(0, key_val);
 	rval->Assign(1, val_val);
 
@@ -522,18 +318,12 @@ function BrokerComm::table_iterator_value%(it: opaque of BrokerComm::TableIterat
 	return rval;
 	%}
 
-## Create communication data of type "vector".
-function BrokerComm::vector_create%(%): BrokerComm::Data
+function Broker::__vector_create%(%): Broker::Data
 	%{
 	return bro_broker::make_data_val(broker::vector());
 	%}
 
-## Remove all elements within a vector.
-##
-## v: the vector to clear.
-##
-## Returns: always true.
-function BrokerComm::vector_clear%(v: BrokerComm::Data%): bool
+function Broker::__vector_clear%(v: Broker::Data%): bool
 	%{
 	auto& vec = bro_broker::require_data_type<broker::vector>(v->AsRecordVal(),
 													    TYPE_VECTOR, frame);
@@ -541,30 +331,14 @@ function BrokerComm::vector_clear%(v: BrokerComm::Data%): bool
 	return new Val(true, TYPE_BOOL);
 	%}
 
-## Get the number of elements within a vector.
-##
-## v: the vector to query.
-##
-## Returns: the number of elements in the vector.
-function BrokerComm::vector_size%(v: BrokerComm::Data%): count
+function Broker::__vector_size%(v: Broker::Data%): count
 	%{
 	auto& vec = bro_broker::require_data_type<broker::vector>(v->AsRecordVal(),
 													    TYPE_VECTOR, frame);
 	return new Val(static_cast<uint64_t>(vec.size()), TYPE_COUNT);
 	%}
 
-## Insert an element into a vector at a particular position, possibly displacing
-## existing elements (insertion always grows the size of the vector by one).
-##
-## v: the vector to modify.
-##
-## d: the element to insert.
-##
-## idx: the index at which to insert the data.  If it is greater than the
-##      current size of the vector, the element is inserted at the end.
-##
-## Returns: always true.
-function BrokerComm::vector_insert%(v: BrokerComm::Data, d: BrokerComm::Data, idx: count%): bool
+function Broker::__vector_insert%(v: Broker::Data, d: Broker::Data, idx: count%): bool
 	%{
 	auto& vec = bro_broker::require_data_type<broker::vector>(v->AsRecordVal(),
 													    TYPE_VECTOR, frame);
@@ -574,101 +348,56 @@ function BrokerComm::vector_insert%(v: BrokerComm::Data, d: BrokerComm::Data, id
 	return new Val(true, TYPE_BOOL);
 	%}
 
-## Replace an element in a vector at a particular position.
-##
-## v: the vector to modify.
-##
-## d: the element to insert.
-##
-## idx: the index to replace.
-##
-## Returns: the value that was just evicted.  If the index was larger than any
-##          valid index, the optional field of the returned record is not set.
-function BrokerComm::vector_replace%(v: BrokerComm::Data, d: BrokerComm::Data, idx: count%): BrokerComm::Data
+function Broker::__vector_replace%(v: Broker::Data, d: Broker::Data, idx: count%): Broker::Data
 	%{
 	auto& vec = bro_broker::require_data_type<broker::vector>(v->AsRecordVal(),
 													    TYPE_VECTOR, frame);
 	auto& item = bro_broker::opaque_field_to_data(d->AsRecordVal(), frame);
 
 	if ( idx >= vec.size() )
-		return new RecordVal(BifType::Record::BrokerComm::Data);
+		return new RecordVal(BifType::Record::Broker::Data);
 
 	auto rval = bro_broker::make_data_val(move(vec[idx]));
 	vec[idx] = item;
 	return rval;
 	%}
 
-## Remove an element from a vector at a particular position.
-##
-## v: the vector to modify.
-##
-## idx: the index to remove.
-##
-## Returns: the value that was just evicted.  If the index was larger than any
-##          valid index, the optional field of the returned record is not set.
-function BrokerComm::vector_remove%(v: BrokerComm::Data, idx: count%): BrokerComm::Data
+function Broker::__vector_remove%(v: Broker::Data, idx: count%): Broker::Data
 	%{
 	auto& vec = bro_broker::require_data_type<broker::vector>(v->AsRecordVal(),
 													    TYPE_VECTOR, frame);
 
 	if ( idx >= vec.size() )
-		return new RecordVal(BifType::Record::BrokerComm::Data);
+		return new RecordVal(BifType::Record::Broker::Data);
 
 	auto rval = bro_broker::make_data_val(move(vec[idx]));
 	vec.erase(vec.begin() + idx);
 	return rval;
 	%}
 
-## Lookup an element in a vector at a particular position.
-##
-## v: the vector to query.
-##
-## idx: the index to lookup.
-##
-## Returns: the value at the index.  If the index was larger than any
-##          valid index, the optional field of the returned record is not set.
-function BrokerComm::vector_lookup%(v: BrokerComm::Data, idx: count%): BrokerComm::Data
+function Broker::__vector_lookup%(v: Broker::Data, idx: count%): Broker::Data
 	%{
 	auto& vec = bro_broker::require_data_type<broker::vector>(v->AsRecordVal(),
 													    TYPE_VECTOR, frame);
 
 	if ( idx >= vec.size() )
-		return new RecordVal(BifType::Record::BrokerComm::Data);
+		return new RecordVal(BifType::Record::Broker::Data);
 
 	return bro_broker::make_data_val(vec[idx]);
 	%}
 
-## Create an iterator for a vector.  Note that this makes a copy of the vector
-## internally to ensure the iterator is always valid.
-##
-## v: the vector to iterate over.
-##
-## Returns: an iterator.
-function BrokerComm::vector_iterator%(v: BrokerComm::Data%): opaque of BrokerComm::VectorIterator
+function Broker::__vector_iterator%(v: Broker::Data%): opaque of Broker::VectorIterator
 	%{
 	return new bro_broker::VectorIterator(v->AsRecordVal(), TYPE_VECTOR, frame);
 	%}
 
-## Check if there are no more elements to iterate over.
-##
-## it: an iterator.
-##
-## Returns: true if there are no more elements to iterator over, i.e.
-##          the iterator is one-past-the-final-element.
-function BrokerComm::vector_iterator_last%(it: opaque of BrokerComm::VectorIterator%): bool
+function Broker::__vector_iterator_last%(it: opaque of Broker::VectorIterator%): bool
 	%{
 	auto vi = static_cast<bro_broker::VectorIterator*>(it);
 	return new Val(vi->it == vi->dat.end(), TYPE_BOOL);
 	%}
 
-## Advance an iterator.
-##
-## it: an iterator.
-##
-## Returns: true if the iterator, after advancing, still references an element
-##          in the collection.  False if the iterator, after advancing, is
-##          one-past-the-final-element.
-function BrokerComm::vector_iterator_next%(it: opaque of BrokerComm::VectorIterator%): bool
+function Broker::__vector_iterator_next%(it: opaque of Broker::VectorIterator%): bool
 	%{
 	auto vi = static_cast<bro_broker::VectorIterator*>(it);
 
@@ -679,15 +408,10 @@ function BrokerComm::vector_iterator_next%(it: opaque of BrokerComm::VectorItera
 	return new Val(vi->it != vi->dat.end(), TYPE_BOOL);
 	%}
 
-## Retrieve the data at an iterator's current position.
-##
-## it: an iterator.
-##
-## Returns: element in the collection that the iterator currently references.
-function BrokerComm::vector_iterator_value%(it: opaque of BrokerComm::VectorIterator%): BrokerComm::Data
+function Broker::__vector_iterator_value%(it: opaque of Broker::VectorIterator%): Broker::Data
 	%{
 	auto vi = static_cast<bro_broker::VectorIterator*>(it);
-	auto rval = new RecordVal(BifType::Record::BrokerComm::Data);
+	auto rval = new RecordVal(BifType::Record::Broker::Data);
 
 	if ( vi->it == vi->dat.end() )
 		{
@@ -701,38 +425,19 @@ function BrokerComm::vector_iterator_value%(it: opaque of BrokerComm::VectorIter
 	return rval;
 	%}
 
-## Create communication data of type "record".
-##
-## sz: the number of fields in the record.
-##
-## Returns: record data, with all fields uninitialized.
-function BrokerComm::record_create%(sz: count%): BrokerComm::Data
+function Broker::__record_create%(sz: count%): Broker::Data
 	%{
 	return bro_broker::make_data_val(broker::record(std::vector<broker::record::field>(sz)));
 	%}
 
-## Get the number of fields within a record.
-##
-## r: the record to query.
-##
-## Returns: the number of fields in the record.
-function BrokerComm::record_size%(r: BrokerComm::Data%): count
+function Broker::__record_size%(r: Broker::Data%): count
 	%{
 	auto& v = bro_broker::require_data_type<broker::record>(r->AsRecordVal(),
 													  TYPE_RECORD, frame);
 	return new Val(static_cast<uint64_t>(v.fields.size()), TYPE_COUNT);
 	%}
 
-## Replace a field in a record at a particular position.
-##
-## r: the record to modify.
-##
-## d: the new field value to assign.
-##
-## idx: the index to replace.
-##
-## Returns: false if the index was larger than any valid index, else true.
-function BrokerComm::record_assign%(r: BrokerComm::Data, d: BrokerComm::Data, idx: count%): bool
+function Broker::__record_assign%(r: Broker::Data, d: Broker::Data, idx: count%): bool
 	%{
 	auto& v = bro_broker::require_data_type<broker::record>(r->AsRecordVal(),
 													  TYPE_RECORD, frame);
@@ -745,60 +450,32 @@ function BrokerComm::record_assign%(r: BrokerComm::Data, d: BrokerComm::Data, id
 	return new Val(true, TYPE_BOOL);
 	%}
 
-## Lookup a field in a record at a particular position.
-##
-## r: the record to query.
-##
-## idx: the index to lookup.
-##
-## Returns: the value at the index.  The optional field of the returned record
-##          may not be set if the field of the record has no value or if the
-##          index was not valid.
-function BrokerComm::record_lookup%(r: BrokerComm::Data, idx: count%): BrokerComm::Data
+function Broker::__record_lookup%(r: Broker::Data, idx: count%): Broker::Data
 	%{
 	auto& v = bro_broker::require_data_type<broker::record>(r->AsRecordVal(),
 													  TYPE_RECORD, frame);
 
 	if ( idx >= v.size() )
-		return new RecordVal(BifType::Record::BrokerComm::Data);
+		return new RecordVal(BifType::Record::Broker::Data);
 
 	if ( ! v.fields[idx] )
-		return new RecordVal(BifType::Record::BrokerComm::Data);
+		return new RecordVal(BifType::Record::Broker::Data);
 
 	return bro_broker::make_data_val(*v.fields[idx]);
 	%}
 
-## Create an iterator for a record.  Note that this makes a copy of the record
-## internally to ensure the iterator is always valid.
-##
-## r: the record to iterate over.
-##
-## Returns: an iterator.
-function BrokerComm::record_iterator%(r: BrokerComm::Data%): opaque of BrokerComm::RecordIterator
+function Broker::__record_iterator%(r: Broker::Data%): opaque of Broker::RecordIterator
 	%{
 	return new bro_broker::RecordIterator(r->AsRecordVal(), TYPE_RECORD, frame);
 	%}
 
-## Check if there are no more elements to iterate over.
-##
-## it: an iterator.
-##
-## Returns: true if there are no more elements to iterator over, i.e.
-##          the iterator is one-past-the-final-element.
-function BrokerComm::record_iterator_last%(it: opaque of BrokerComm::RecordIterator%): bool
+function Broker::__record_iterator_last%(it: opaque of Broker::RecordIterator%): bool
 	%{
 	auto ri = static_cast<bro_broker::RecordIterator*>(it);
 	return new Val(ri->it == ri->dat.fields.end(), TYPE_BOOL);
 	%}
 
-## Advance an iterator.
-##
-## it: an iterator.
-##
-## Returns: true if the iterator, after advancing, still references an element
-##          in the collection.  False if the iterator, after advancing, is
-##          one-past-the-final-element.
-function BrokerComm::record_iterator_next%(it: opaque of BrokerComm::RecordIterator%): bool
+function Broker::__record_iterator_next%(it: opaque of Broker::RecordIterator%): bool
 	%{
 	auto ri = static_cast<bro_broker::RecordIterator*>(it);
 
@@ -809,15 +486,10 @@ function BrokerComm::record_iterator_next%(it: opaque of BrokerComm::RecordItera
 	return new Val(ri->it != ri->dat.fields.end(), TYPE_BOOL);
 	%}
 
-## Retrieve the data at an iterator's current position.
-##
-## it: an iterator.
-##
-## Returns: element in the collection that the iterator currently references.
-function BrokerComm::record_iterator_value%(it: opaque of BrokerComm::RecordIterator%): BrokerComm::Data
+function Broker::__record_iterator_value%(it: opaque of Broker::RecordIterator%): Broker::Data
 	%{
 	auto ri = static_cast<bro_broker::RecordIterator*>(it);
-	auto rval = new RecordVal(BifType::Record::BrokerComm::Data);
+	auto rval = new RecordVal(BifType::Record::Broker::Data);
 
 	if ( ri->it == ri->dat.fields.end() )
 		{
diff --git a/src/broker/messaging.bif b/src/broker/messaging.bif
index 97b794b50e..dadece9681 100644
--- a/src/broker/messaging.bif
+++ b/src/broker/messaging.bif
@@ -6,209 +6,106 @@
 #include "logging/Manager.h"
 %%}
 
-module BrokerComm;
+module Broker;
 
-type BrokerComm::SendFlags: record;
+type Broker::SendFlags: record;
 
-type BrokerComm::EventArgs: record;
+type Broker::EventArgs: record;
 
 ## Used to handle remote print messages from peers that call
-## :bro:see:`BrokerComm::print`.
-event BrokerComm::print_handler%(msg: string%);
+## :bro:see:`Broker::send_print`.
+event Broker::print_handler%(msg: string%);
 
-## Print a simple message to any interested peers.  The receiver can use
-## :bro:see:`BrokerComm::print_handler` to handle messages.
-##
-## topic: a topic associated with the printed message.
-##
-## msg: the print message to send to peers.
-##
-## flags: tune the behavior of how the message is sent.
-##
-## Returns: true if the message is sent.
-function BrokerComm::print%(topic: string, msg: string,
-                      flags: SendFlags &default = SendFlags()%): bool
+function Broker::__send_print%(topic: string, msg: string, flags: Broker::SendFlags%): bool
 	%{
 	auto rval = broker_mgr->Print(topic->CheckString(), msg->CheckString(),
 	                            flags);
 	return new Val(rval, TYPE_BOOL);
 	%}
 
-## Register interest in all peer print messages that use a certain topic prefix.
-## Use :bro:see:`BrokerComm::print_handler` to handle received messages.
-##
-## topic_prefix: a prefix to match against remote message topics.
-##               e.g. an empty prefix matches everything and "a" matches
-##               "alice" and "amy" but not "bob".
-##
-## Returns: true if it's a new print subscription and it is now registered.
-function BrokerComm::subscribe_to_prints%(topic_prefix: string%): bool
+function Broker::__subscribe_to_prints%(topic_prefix: string%): bool
 	%{
 	auto rval = broker_mgr->SubscribeToPrints(topic_prefix->CheckString());
 	return new Val(rval, TYPE_BOOL);
 	%}
 
-## Unregister interest in all peer print messages that use a topic prefix.
-##
-## topic_prefix: a prefix previously supplied to a successful call to
-##               :bro:see:`BrokerComm::subscribe_to_prints`.
-##
-## Returns: true if interest in the topic prefix is no longer advertised.
-function BrokerComm::unsubscribe_to_prints%(topic_prefix: string%): bool
+function Broker::__unsubscribe_to_prints%(topic_prefix: string%): bool
 	%{
 	auto rval = broker_mgr->UnsubscribeToPrints(topic_prefix->CheckString());
 	return new Val(rval, TYPE_BOOL);
 	%}
 
 ## Create a data structure that may be used to send a remote event via
-## :bro:see:`BrokerComm::event`.
+## :bro:see:`Broker::send_event`.
 ##
 ## args: an event, followed by a list of argument values that may be used
 ##       to call it.
 ##
-## Returns: opaque communication data that may be used to send a remote event.
-function BrokerComm::event_args%(...%): BrokerComm::EventArgs
+## Returns: opaque communication data that may be used to send a remote
+##          event.
+function Broker::event_args%(...%): Broker::EventArgs
 	%{
 	auto rval = broker_mgr->MakeEventArgs(@ARGS@);
 	return rval;
 	%}
 
-## Send an event to any interested peers.
-##
-## topic: a topic associated with the event message.
-##
-## args: event arguments as made by :bro:see:`BrokerComm::event_args`.
-##
-## flags: tune the behavior of how the message is sent.
-##
-## Returns: true if the message is sent.
-function BrokerComm::event%(topic: string, args: BrokerComm::EventArgs,
-                      flags: SendFlags &default = SendFlags()%): bool
+function Broker::__event%(topic: string, args: Broker::EventArgs, flags: Broker::SendFlags%): bool
 	%{
 	auto rval = broker_mgr->Event(topic->CheckString(), args->AsRecordVal(),
 	                            flags);
 	return new Val(rval, TYPE_BOOL);
 	%}
 
-## Automatically send an event to any interested peers whenever it is
-## locally dispatched (e.g. using "event my_event(...);" in a script).
-##
-## topic: a topic string associated with the event message.
-##        Peers advertise interest by registering a subscription to some prefix
-##        of this topic name.
-##
-## ev: a Bro event value.
-##
-## flags: tune the behavior of how the message is sent.
-##
-## Returns: true if automatic event sending is now enabled.
-function BrokerComm::auto_event%(topic: string, ev: any,
-                           flags: SendFlags &default = SendFlags()%): bool
+function Broker::__auto_event%(topic: string, ev: any, flags: Broker::SendFlags%): bool
 	%{
 	auto rval = broker_mgr->AutoEvent(topic->CheckString(), ev, flags);
 	return new Val(rval, TYPE_BOOL);
 	%}
 
-## Stop automatically sending an event to peers upon local dispatch.
-##
-## topic: a topic originally given to :bro:see:`BrokerComm::auto_event`.
-##
-## ev: an event originally given to :bro:see:`BrokerComm::auto_event`.
-##
-## Returns: true if automatic events will not occur for the topic/event pair.
-function BrokerComm::auto_event_stop%(topic: string, ev: any%): bool
+function Broker::__auto_event_stop%(topic: string, ev: any%): bool
 	%{
 	auto rval = broker_mgr->AutoEventStop(topic->CheckString(), ev);
 	return new Val(rval, TYPE_BOOL);
 	%}
 
-## Register interest in all peer event messages that use a certain topic prefix.
-##
-## topic_prefix: a prefix to match against remote message topics.
-##               e.g. an empty prefix matches everything and "a" matches
-##               "alice" and "amy" but not "bob".
-##
-## Returns: true if it's a new event subscription and it is now registered.
-function BrokerComm::subscribe_to_events%(topic_prefix: string%): bool
+function Broker::__subscribe_to_events%(topic_prefix: string%): bool
 	%{
 	auto rval = broker_mgr->SubscribeToEvents(topic_prefix->CheckString());
 	return new Val(rval, TYPE_BOOL);
 	%}
 
-## Unregister interest in all peer event messages that use a topic prefix.
-##
-## topic_prefix: a prefix previously supplied to a successful call to
-##               :bro:see:`BrokerComm::subscribe_to_events`.
-##
-## Returns: true if interest in the topic prefix is no longer advertised.
-function BrokerComm::unsubscribe_to_events%(topic_prefix: string%): bool
+function Broker::__unsubscribe_to_events%(topic_prefix: string%): bool
 	%{
 	auto rval = broker_mgr->UnsubscribeToEvents(topic_prefix->CheckString());
 	return new Val(rval, TYPE_BOOL);
 	%}
 
-## Enable remote logs for a given log stream.
-##
-## id: the log stream to enable remote logs for.
-##
-## flags: tune the behavior of how log entry messages are sent.
-##
-## Returns: true if remote logs are enabled for the stream.
-function
-BrokerComm::enable_remote_logs%(id: Log::ID,
-                          flags: SendFlags &default = SendFlags()%): bool
+function Broker::__enable_remote_logs%(id: Log::ID, flags: Broker::SendFlags%): bool
 	%{
 	auto rval = log_mgr->EnableRemoteLogs(id->AsEnumVal(),
 	                                   bro_broker::Manager::send_flags_to_int(flags));
 	return new Val(rval, TYPE_BOOL);
 	%}
 
-## Disable remote logs for a given log stream.
-##
-## id: the log stream to disable remote logs for.
-##
-## Returns: true if remote logs are disabled for the stream.
-function BrokerComm::disable_remote_logs%(id: Log::ID%): bool
+function Broker::__disable_remote_logs%(id: Log::ID%): bool
 	%{
 	auto rval = log_mgr->DisableRemoteLogs(id->AsEnumVal());
 	return new Val(rval, TYPE_BOOL);
 	%}
 
-## Check if remote logs are enabled for a given log stream.
-##
-## id: the log stream to check.
-##
-## Returns: true if remote logs are enabled for the given stream.
-function BrokerComm::remote_logs_enabled%(id: Log::ID%): bool
+function Broker::__remote_logs_enabled%(id: Log::ID%): bool
 	%{
 	auto rval = log_mgr->RemoteLogsAreEnabled(id->AsEnumVal());
 	return new Val(rval, TYPE_BOOL);
 	%}
 
-## Register interest in all peer log messages that use a certain topic prefix.
-## Logs are implicitly sent with topic "bro/log/<stream-name>" and the
-## receiving side processes them through the logging framework as usual.
-##
-## topic_prefix: a prefix to match against remote message topics.
-##               e.g. an empty prefix matches everything and "a" matches
-##               "alice" and "amy" but not "bob".
-##
-## Returns: true if it's a new log subscription and it is now registered.
-function BrokerComm::subscribe_to_logs%(topic_prefix: string%): bool
+function Broker::__subscribe_to_logs%(topic_prefix: string%): bool
 	%{
 	auto rval = broker_mgr->SubscribeToLogs(topic_prefix->CheckString());
 	return new Val(rval, TYPE_BOOL);
 	%}
 
-## Unregister interest in all peer log messages that use a topic prefix.
-## Logs are implicitly sent with topic "bro/log/<stream-name>" and the
-## receiving side processes them through the logging framework as usual.
-##
-## topic_prefix: a prefix previously supplied to a successful call to
-##               :bro:see:`BrokerComm::subscribe_to_logs`.
-##
-## Returns: true if interest in the topic prefix is no longer advertised.
-function BrokerComm::unsubscribe_to_logs%(topic_prefix: string%): bool
+function Broker::__unsubscribe_to_logs%(topic_prefix: string%): bool
 	%{
 	auto rval = broker_mgr->UnsubscribeToLogs(topic_prefix->CheckString());
 	return new Val(rval, TYPE_BOOL);
diff --git a/src/broker/store.bif b/src/broker/store.bif
index 853bd1f2d7..6d7ddea6af 100644
--- a/src/broker/store.bif
+++ b/src/broker/store.bif
@@ -8,13 +8,13 @@
 #include "Trigger.h"
 %%}
 
-module BrokerStore;
+module Broker;
 
-type BrokerStore::ExpiryTime: record;
+type Broker::ExpiryTime: record;
 
-type BrokerStore::QueryResult: record;
+type Broker::QueryResult: record;
 
-type BrokerStore::BackendOptions: record;
+type Broker::BackendOptions: record;
 
 ## Enumerates the possible storage backends.
 enum BackendType %{
@@ -23,17 +23,8 @@ enum BackendType %{
 	ROCKSDB,
 %}
 
-## Create a master data store which contains key-value pairs.
-##
-## id: a unique name for the data store.
-##
-## b: the storage backend to use.
-##
-## options: tunes how some storage backends operate.
-##
-## Returns: a handle to the data store.
-function BrokerStore::create_master%(id: string, b: BackendType &default = MEMORY,
-                               options: BackendOptions &default = BackendOptions()%): opaque of BrokerStore::Handle
+function Broker::__create_master%(id: string, b: BackendType,
+                               options: BackendOptions &default = BackendOptions()%): opaque of Broker::Handle
 	%{
 	auto id_str = id->CheckString();
 	auto type = bro_broker::StoreType::MASTER;
@@ -46,38 +37,16 @@ function BrokerStore::create_master%(id: string, b: BackendType &default = MEMOR
 		}
 
 	rval = new bro_broker::StoreHandleVal(id_str, type,
-	                                static_cast<BifEnum::BrokerStore::BackendType>(b->AsEnum()),
+	                                static_cast<BifEnum::Broker::BackendType>(b->AsEnum()),
 	                                options->AsRecordVal());
 	auto added = broker_mgr->AddStore(rval);
 	assert(added);
 	return rval;
 	%}
 
-## Create a clone of a master data store which may live with a remote peer.
-## A clone automatically synchronizes to the master by automatically receiving
-## modifications and applying them locally.  Direct modifications are not
-## possible, they must be sent through the master store, which then
-## automatically broadcasts the changes out to clones.  But queries may be made
-## directly against the local cloned copy, which may be resolved quicker than
-## reaching out to a remote master store.
-##
-## id: the unique name which identifies the master data store.
-##
-## b: the storage backend to use.
-##
-## options: tunes how some storage backends operate.
-##
-## resync: the interval at which to re-attempt synchronizing with the master
-##         store should the connection be lost.  If the clone has not yet
-##         synchronized for the first time, updates and queries queue up until
-##         the synchronization completes.  After, if the connection to the
-##         master store is lost, queries continue to use the clone's version,
-##         but updates will be lost until the master is once again available.
-##
-## Returns: a handle to the data store.
-function BrokerStore::create_clone%(id: string, b: BackendType &default = MEMORY,
+function Broker::__create_clone%(id: string, b: BackendType,
                               options: BackendOptions &default = BackendOptions(),
-                              resync: interval &default = 1sec%): opaque of BrokerStore::Handle
+                              resync: interval &default = 1sec%): opaque of Broker::Handle
 	%{
 	auto id_str = id->CheckString();
 	auto type = bro_broker::StoreType::CLONE;
@@ -90,7 +59,7 @@ function BrokerStore::create_clone%(id: string, b: BackendType &default = MEMORY
 		}
 
 	rval = new bro_broker::StoreHandleVal(id_str, type,
-	                                static_cast<BifEnum::BrokerStore::BackendType>(b->AsEnum()),
+	                                static_cast<BifEnum::Broker::BackendType>(b->AsEnum()),
 	                                options->AsRecordVal(),
 	                                std::chrono::duration<double>(resync));
 	auto added = broker_mgr->AddStore(rval);
@@ -98,13 +67,7 @@ function BrokerStore::create_clone%(id: string, b: BackendType &default = MEMORY
 	return rval;
 	%}
 
-## Create a frontend interface to an existing master data store that allows
-## querying and updating its contents.
-##
-## id: the unique name which identifies the master data store.
-##
-## Returns: a handle to the data store.
-function BrokerStore::create_frontend%(id: string%): opaque of BrokerStore::Handle
+function Broker::__create_frontend%(id: string%): opaque of Broker::Handle
 	%{
 	auto id_str = id->CheckString();
 	auto type = bro_broker::StoreType::FRONTEND;
@@ -122,13 +85,7 @@ function BrokerStore::create_frontend%(id: string%): opaque of BrokerStore::Hand
 	return rval;
 	%}
 
-## Close a data store.
-##
-## h: a data store handle.
-##
-## Returns: true if store was valid and is now closed.  The handle can no
-##          longer be used for data store operations.
-function BrokerStore::close_by_handle%(h: opaque of BrokerStore::Handle%): bool
+function Broker::__close_by_handle%(h: opaque of Broker::Handle%): bool
 	%{
 	auto handle = static_cast<bro_broker::StoreHandleVal*>(h);
 
@@ -143,20 +100,9 @@ function BrokerStore::close_by_handle%(h: opaque of BrokerStore::Handle%): bool
 # non-blocking update API #
 ###########################
 
-## Insert a key-value pair in to the store.
-##
-## h: the handle of the store to modify.
-##
-## k: the key to insert.
-##
-## v: the value to insert.
-##
-## e: the expiration time of the key-value pair.
-##
-## Returns: false if the store handle was not valid.
-function BrokerStore::insert%(h: opaque of BrokerStore::Handle,
-                        k: BrokerComm::Data, v: BrokerComm::Data,
-                        e: BrokerStore::ExpiryTime &default = BrokerStore::ExpiryTime()%): bool
+function Broker::__insert%(h: opaque of Broker::Handle,
+                        k: Broker::Data, v: Broker::Data,
+                        e: Broker::ExpiryTime &default = Broker::ExpiryTime()%): bool
 	%{
 	auto handle = static_cast<bro_broker::StoreHandleVal*>(h);
 
@@ -191,14 +137,7 @@ function BrokerStore::insert%(h: opaque of BrokerStore::Handle,
 	return new Val(true, TYPE_BOOL);
 	%}
 
-## Remove a key-value pair from the store.
-##
-## h: the handle of the store to modify.
-##
-## k: the key to remove.
-##
-## Returns: false if the store handle was not valid.
-function BrokerStore::erase%(h: opaque of BrokerStore::Handle, k: BrokerComm::Data%): bool
+function Broker::__erase%(h: opaque of Broker::Handle, k: Broker::Data%): bool
 	%{
 	auto handle = static_cast<bro_broker::StoreHandleVal*>(h);
 
@@ -210,12 +149,7 @@ function BrokerStore::erase%(h: opaque of BrokerStore::Handle, k: BrokerComm::Da
 	return new Val(true, TYPE_BOOL);
 	%}
 
-## Remove all key-value pairs from the store.
-##
-## h: the handle of the store to modify.
-##
-## Returns: false if the store handle was not valid.
-function BrokerStore::clear%(h: opaque of BrokerStore::Handle%): bool
+function Broker::__clear%(h: opaque of Broker::Handle%): bool
 	%{
 	auto handle = static_cast<bro_broker::StoreHandleVal*>(h);
 
@@ -226,18 +160,8 @@ function BrokerStore::clear%(h: opaque of BrokerStore::Handle%): bool
 	return new Val(true, TYPE_BOOL);
 	%}
 
-## Increment an integer value in a data store.
-##
-## h: the handle of the store to modify.
-##
-## k: the key whose associated value is to be modified.
-##
-## by: the amount to increment the value by.  A non-existent key will first
-##     create it with an implicit value of zero before incrementing.
-##
-## Returns: false if the store handle was not valid.
-function BrokerStore::increment%(h: opaque of BrokerStore::Handle,
-                           k: BrokerComm::Data, by: int &default = +1%): bool
+function Broker::__increment%(h: opaque of Broker::Handle,
+                           k: Broker::Data, by: int &default = +1%): bool
 	%{
 	auto handle = static_cast<bro_broker::StoreHandleVal*>(h);
 
@@ -249,18 +173,8 @@ function BrokerStore::increment%(h: opaque of BrokerStore::Handle,
 	return new Val(true, TYPE_BOOL);
 	%}
 
-## Decrement an integer value in a data store.
-##
-## h: the handle of the store to modify.
-##
-## k: the key whose associated value is to be modified.
-##
-## by: the amount to decrement the value by.  A non-existent key will first
-##     create it with an implicit value of zero before decrementing.
-##
-## Returns: false if the store handle was not valid.
-function BrokerStore::decrement%(h: opaque of BrokerStore::Handle,
-                           k: BrokerComm::Data, by: int &default = +1%): bool
+function Broker::__decrement%(h: opaque of Broker::Handle,
+                           k: Broker::Data, by: int &default = +1%): bool
 	%{
 	auto handle = static_cast<bro_broker::StoreHandleVal*>(h);
 
@@ -272,18 +186,8 @@ function BrokerStore::decrement%(h: opaque of BrokerStore::Handle,
 	return new Val(true, TYPE_BOOL);
 	%}
 
-## Add an element to a set value in a data store.
-##
-## h: the handle of the store to modify.
-##
-## k: the key whose associated value is to be modified.
-##
-## element: the element to add to the set.  A non-existent key will first
-##          create it with an implicit empty set value before modifying.
-##
-## Returns: false if the store handle was not valid.
-function BrokerStore::add_to_set%(h: opaque of BrokerStore::Handle,
-                            k: BrokerComm::Data, element: BrokerComm::Data%): bool
+function Broker::__add_to_set%(h: opaque of Broker::Handle,
+                            k: Broker::Data, element: Broker::Data%): bool
 	%{
 	auto handle = static_cast<bro_broker::StoreHandleVal*>(h);
 
@@ -296,18 +200,8 @@ function BrokerStore::add_to_set%(h: opaque of BrokerStore::Handle,
 	return new Val(true, TYPE_BOOL);
 	%}
 
-## Remove an element from a set value in a data store.
-##
-## h: the handle of the store to modify.
-##
-## k: the key whose associated value is to be modified.
-##
-## element: the element to remove from the set.  A non-existent key will
-##          implicitly create an empty set value associated with the key.
-##
-## Returns: false if the store handle was not valid.
-function BrokerStore::remove_from_set%(h: opaque of BrokerStore::Handle,
-                                 k: BrokerComm::Data, element: BrokerComm::Data%): bool
+function Broker::__remove_from_set%(h: opaque of Broker::Handle,
+                                 k: Broker::Data, element: Broker::Data%): bool
 	%{
 	auto handle = static_cast<bro_broker::StoreHandleVal*>(h);
 
@@ -320,18 +214,8 @@ function BrokerStore::remove_from_set%(h: opaque of BrokerStore::Handle,
 	return new Val(true, TYPE_BOOL);
 	%}
 
-## Add a new item to the head of a vector value in a data store.
-##
-## h: the handle of store to modify.
-##
-## k: the key whose associated value is to be modified.
-##
-## items: the element to insert in to the vector.  A non-existent key will first
-##        create an empty vector value before modifying.
-##
-## Returns: false if the store handle was not valid.
-function BrokerStore::push_left%(h: opaque of BrokerStore::Handle, k: BrokerComm::Data,
-                           items: BrokerComm::DataVector%): bool
+function Broker::__push_left%(h: opaque of Broker::Handle, k: Broker::Data,
+                           items: Broker::DataVector%): bool
 	%{
 	auto handle = static_cast<bro_broker::StoreHandleVal*>(h);
 
@@ -353,18 +237,8 @@ function BrokerStore::push_left%(h: opaque of BrokerStore::Handle, k: BrokerComm
 	return new Val(true, TYPE_BOOL);
 	%}
 
-## Add a new item to the tail of a vector value in a data store.
-##
-## h: the handle of store to modify.
-##
-## k: the key whose associated value is to be modified.
-##
-## items: the element to insert in to the vector.  A non-existent key will first
-##        create an empty vector value before modifying.
-##
-## Returns: false if the store handle was not valid.
-function BrokerStore::push_right%(h: opaque of BrokerStore::Handle, k: BrokerComm::Data,
-                            items: BrokerComm::DataVector%): bool
+function Broker::__push_right%(h: opaque of Broker::Handle, k: Broker::Data,
+                            items: Broker::DataVector%): bool
 	%{
 	auto handle = static_cast<bro_broker::StoreHandleVal*>(h);
 
@@ -401,7 +275,7 @@ static bool prepare_for_query(Val* opaque, Frame* frame,
 	if ( ! (*handle)->store )
 		{
 		reporter->PushLocation(frame->GetCall()->GetLocationInfo());
-		reporter->Error("BrokerStore query has an invalid data store");
+		reporter->Error("Broker query has an invalid data store");
 		reporter->PopLocation();
 		return false;
 		}
@@ -411,7 +285,7 @@ static bool prepare_for_query(Val* opaque, Frame* frame,
 	if ( ! trigger )
 		{
 		reporter->PushLocation(frame->GetCall()->GetLocationInfo());
-		reporter->Error("BrokerStore queries can only be called inside when-condition");
+		reporter->Error("Broker queries can only be called inside when-condition");
 		reporter->PopLocation();
 		return false;
 		}
@@ -421,7 +295,7 @@ static bool prepare_for_query(Val* opaque, Frame* frame,
 	if ( *timeout < 0 )
 		{
 		reporter->PushLocation(frame->GetCall()->GetLocationInfo());
-		reporter->Error("BrokerStore queries must specify a timeout block");
+		reporter->Error("Broker queries must specify a timeout block");
 		reporter->PopLocation();
 		return false;
 		}
@@ -437,15 +311,8 @@ static bool prepare_for_query(Val* opaque, Frame* frame,
 
 %%}
 
-## Pop the head of a data store vector value.
-##
-## h: the handle of the store to query.
-##
-## k: the key associated with the vector to modify.
-##
-## Returns: the result of the query.
-function BrokerStore::pop_left%(h: opaque of BrokerStore::Handle,
-                          k: BrokerComm::Data%): BrokerStore::QueryResult
+function Broker::__pop_left%(h: opaque of Broker::Handle,
+                          k: Broker::Data%): Broker::QueryResult
 	%{
 	if ( ! broker_mgr->Enabled() )
 		return bro_broker::query_result();
@@ -467,15 +334,8 @@ function BrokerStore::pop_left%(h: opaque of BrokerStore::Handle,
 	return 0;
 	%}
 
-## Pop the tail of a data store vector value.
-##
-## h: the handle of the store to query.
-##
-## k: the key associated with the vector to modify.
-##
-## Returns: the result of the query.
-function BrokerStore::pop_right%(h: opaque of BrokerStore::Handle,
-                           k: BrokerComm::Data%): BrokerStore::QueryResult
+function Broker::__pop_right%(h: opaque of Broker::Handle,
+                           k: Broker::Data%): Broker::QueryResult
 	%{
 	if ( ! broker_mgr->Enabled() )
 		return bro_broker::query_result();
@@ -497,15 +357,8 @@ function BrokerStore::pop_right%(h: opaque of BrokerStore::Handle,
 	return 0;
 	%}
 
-## Lookup the value associated with a key in a data store.
-##
-## h: the handle of the store to query.
-##
-## k: the key to lookup.
-##
-## Returns: the result of the query.
-function BrokerStore::lookup%(h: opaque of BrokerStore::Handle,
-                       k: BrokerComm::Data%): BrokerStore::QueryResult
+function Broker::__lookup%(h: opaque of Broker::Handle,
+                       k: Broker::Data%): Broker::QueryResult
 	%{
 	if ( ! broker_mgr->Enabled() )
 		return bro_broker::query_result();
@@ -527,15 +380,8 @@ function BrokerStore::lookup%(h: opaque of BrokerStore::Handle,
 	return 0;
 	%}
 
-## Check if a data store contains a given key.
-##
-## h: the handle of the store to query.
-##
-## k: the key to check for existence.
-##
-## Returns: the result of the query (uses :bro:see:`BrokerComm::BOOL`).
-function BrokerStore::exists%(h: opaque of BrokerStore::Handle,
-                        k: BrokerComm::Data%): BrokerStore::QueryResult
+function Broker::__exists%(h: opaque of Broker::Handle,
+                        k: Broker::Data%): Broker::QueryResult
 	%{
 	if ( ! broker_mgr->Enabled() )
 		return bro_broker::query_result();
@@ -557,12 +403,7 @@ function BrokerStore::exists%(h: opaque of BrokerStore::Handle,
 	return 0;
 	%}
 
-## Retrieve all keys in a data store.
-##
-## h: the handle of the store to query.
-##
-## Returns: the result of the query (uses :bro:see:`BrokerComm::VECTOR`).
-function BrokerStore::keys%(h: opaque of BrokerStore::Handle%): BrokerStore::QueryResult
+function Broker::__keys%(h: opaque of Broker::Handle%): Broker::QueryResult
 	%{
 	double timeout;
 	bro_broker::StoreQueryCallback* cb;
@@ -575,12 +416,7 @@ function BrokerStore::keys%(h: opaque of BrokerStore::Handle%): BrokerStore::Que
 	return 0;
 	%}
 
-## Get the number of key-value pairs in a data store.
-##
-## h: the handle of the store to query.
-##
-## Returns: the result of the query (uses :bro:see:`BrokerComm::COUNT`).
-function BrokerStore::size%(h: opaque of BrokerStore::Handle%): BrokerStore::QueryResult
+function Broker::__size%(h: opaque of Broker::Handle%): Broker::QueryResult
 	%{
 	if ( ! broker_mgr->Enabled() )
 		return bro_broker::query_result();
diff --git a/src/broxygen/Configuration.cc b/src/broxygen/Configuration.cc
index 264e8e6fcb..4780e6ad99 100644
--- a/src/broxygen/Configuration.cc
+++ b/src/broxygen/Configuration.cc
@@ -65,7 +65,7 @@ Config::Config(const string& arg_file, const string& delim)
 		Target* target = target_factory.Create(tokens[0], tokens[2], tokens[1]);
 
 		if ( ! target )
-			reporter->FatalError("unkown Broxygen target type: %s",
+			reporter->FatalError("unknown Broxygen target type: %s",
 			                     tokens[0].c_str());
 
 		targets.push_back(target);
diff --git a/src/cq.c b/src/cq.c
index 8005544400..24f474d928 100644
--- a/src/cq.c
+++ b/src/cq.c
@@ -42,6 +42,7 @@ struct cq_handle {
 	int lowmark;			/* low bucket threshold */
 	int nextbucket;			/* next bucket to check */
 	int noresize;			/* don't resize while we're resizing */
+	uint64_t cumulative_num;	/* cumulative entries ever enqueued */
 	double lastpri;			/* last priority */
 	double ysize;			/* length of a year */
 	double bwidth;			/* width of each bucket */
@@ -175,6 +176,9 @@ cq_enqueue(register struct cq_handle *hp, register double pri,
 	}
 	bp->pri = pri;
 	bp->cookie = cookie;
+
+	++hp->cumulative_num;
+
 	if (++hp->qlen > hp->max_qlen)
 		hp->max_qlen = hp->qlen;
 #ifdef DEBUG
@@ -414,6 +418,12 @@ cq_max_size(struct cq_handle *hp)
 	return hp->max_qlen;
 }
 
+uint64_t
+cq_cumulative_num(struct cq_handle *hp)
+{
+	return hp->cumulative_num;
+}
+
 /* Return without doing anything if we fail to allocate a new bucket array */
 static int
 cq_resize(register struct cq_handle *hp, register int grow)
diff --git a/src/cq.h b/src/cq.h
index 540cccde74..152a7da536 100644
--- a/src/cq.h
+++ b/src/cq.h
@@ -1,3 +1,6 @@
+
+#include <stdint.h>
+
 struct cq_handle *cq_init(double, double);
 void cq_destroy(struct cq_handle *);
 int cq_enqueue(struct cq_handle *, double, void *);
@@ -5,6 +8,7 @@ void *cq_dequeue(struct cq_handle *, double);
 void *cq_remove(struct cq_handle *, double, void *);
 int cq_size(struct cq_handle *);
 int cq_max_size(struct cq_handle *);
+uint64_t cq_cumulative_num(struct cq_handle *);
 unsigned int cq_memory_allocation(void);
 #ifdef DEBUG
 void cq_debug(struct cq_handle *, int);
diff --git a/src/event.bif b/src/event.bif
index ff6ec059fb..49afb86fa4 100644
--- a/src/event.bif
+++ b/src/event.bif
@@ -306,10 +306,10 @@ event packet_contents%(c: connection, contents: string%);
 ## t2: The new payload.
 ##
 ## tcp_flags: A string with the TCP flags of the packet triggering the
-## inconsistency. In the string, each character corresponds to one set flag,
-## as follows: ``S`` -> SYN; ``F`` -> FIN; ``R`` -> RST; ``A`` -> ACK; ``P`` ->
-## PUSH. This string will not always be set, only if the information is available;
-## it's "best effort".
+##            inconsistency. In the string, each character corresponds to one
+##            set flag, as follows: ``S`` -> SYN; ``F`` -> FIN; ``R`` -> RST;
+##            ``A`` -> ACK; ``P`` -> PUSH. This string will not always be set,
+##            only if the information is available; it's "best effort".
 ##
 ## .. bro:see:: tcp_rexmit tcp_contents
 event rexmit_inconsistency%(c: connection, t1: string, t2: string, tcp_flags: string%);
@@ -366,26 +366,6 @@ event ack_above_hole%(c: connection%);
 ##    the two.
 event content_gap%(c: connection, is_orig: bool, seq: count, length: count%);
 
-## Summarizes the amount of missing TCP payload at regular intervals.
-## Internally, Bro tracks (1) the number of :bro:id:`ack_above_hole` events,
-## including the number of bytes missing; and (2) the total number of TCP
-## acks seen, with the total volume of bytes that have been acked. This event
-## reports these statistics in :bro:id:`gap_report_freq` intervals for the
-## purpose of determining packet loss.
-##
-## dt: The time that has passed since the last ``gap_report`` interval.
-##
-## info: The gap statistics.
-##
-## .. bro:see:: content_gap ack_above_hole
-##
-## .. note::
-##
-##    Bro comes with a script :doc:`/scripts/policy/misc/capture-loss.bro` that
-##    uses this event to estimate packet loss and report when a predefined
-##    threshold is exceeded.
-event gap_report%(dt: interval, info: gap_info%);
-
 ## Generated when a protocol analyzer confirms that a connection is indeed
 ## using that protocol. Bro's dynamic protocol detection heuristically activates
 ## analyzers as soon as it believes a connection *could* be using a particular
diff --git a/src/file_analysis/FileReassembler.cc b/src/file_analysis/FileReassembler.cc
index 8b678e5209..ba15086320 100644
--- a/src/file_analysis/FileReassembler.cc
+++ b/src/file_analysis/FileReassembler.cc
@@ -8,7 +8,7 @@ namespace file_analysis {
 class File;
 
 FileReassembler::FileReassembler(File *f, uint64 starting_offset)
-	: Reassembler(starting_offset), the_file(f), flushing(false)
+	: Reassembler(starting_offset, REASSEM_FILE), the_file(f), flushing(false)
 	{
 	}
 
diff --git a/src/file_analysis/Manager.h b/src/file_analysis/Manager.h
index 93c8e7f613..bcc8ac5dd2 100644
--- a/src/file_analysis/Manager.h
+++ b/src/file_analysis/Manager.h
@@ -302,6 +302,15 @@ public:
 	 */
 	std::string DetectMIME(const u_char* data, uint64 len) const;
 
+	uint64 CurrentFiles()
+		{ return id_map.Length(); }
+
+	uint64 MaxFiles()
+		{ return id_map.MaxLength(); }
+
+	uint64 CumulativeFiles()
+		{ return id_map.NumCumulativeInserts(); }
+
 protected:
 	friend class FileTimer;
 
diff --git a/src/file_analysis/analyzer/CMakeLists.txt b/src/file_analysis/analyzer/CMakeLists.txt
index 225504c56a..ef17247997 100644
--- a/src/file_analysis/analyzer/CMakeLists.txt
+++ b/src/file_analysis/analyzer/CMakeLists.txt
@@ -1,4 +1,5 @@
 add_subdirectory(data_event)
+add_subdirectory(entropy)
 add_subdirectory(extract)
 add_subdirectory(hash)
 add_subdirectory(pe)
diff --git a/src/file_analysis/analyzer/entropy/CMakeLists.txt b/src/file_analysis/analyzer/entropy/CMakeLists.txt
new file mode 100644
index 0000000000..38db5e726a
--- /dev/null
+++ b/src/file_analysis/analyzer/entropy/CMakeLists.txt
@@ -0,0 +1,9 @@
+include(BroPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR}
+                           ${CMAKE_CURRENT_BINARY_DIR})
+
+bro_plugin_begin(Bro FileEntropy)
+bro_plugin_cc(Entropy.cc Plugin.cc ../../Analyzer.cc)
+bro_plugin_bif(events.bif)
+bro_plugin_end()
diff --git a/src/file_analysis/analyzer/entropy/Entropy.cc b/src/file_analysis/analyzer/entropy/Entropy.cc
new file mode 100644
index 0000000000..4802224950
--- /dev/null
+++ b/src/file_analysis/analyzer/entropy/Entropy.cc
@@ -0,0 +1,72 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include <string>
+
+#include "Entropy.h"
+#include "util.h"
+#include "Event.h"
+#include "file_analysis/Manager.h"
+
+using namespace file_analysis;
+
+Entropy::Entropy(RecordVal* args, File* file)
+    : file_analysis::Analyzer(file_mgr->GetComponentTag("ENTROPY"), args, file)
+	{
+	//entropy->Init();
+	entropy = new EntropyVal;
+	fed = false;
+	}
+
+Entropy::~Entropy()
+	{
+	Unref(entropy);
+	}
+
+file_analysis::Analyzer* Entropy::Instantiate(RecordVal* args, File* file)
+	{
+	return new Entropy(args, file);
+	}
+
+bool Entropy::DeliverStream(const u_char* data, uint64 len)
+	{
+	if ( ! fed )
+		fed = len > 0;
+
+	entropy->Feed(data, len);
+	return true;
+	}
+
+bool Entropy::EndOfFile()
+	{
+	Finalize();
+	return false;
+	}
+
+bool Entropy::Undelivered(uint64 offset, uint64 len)
+	{
+	return false;
+	}
+
+void Entropy::Finalize()
+	{
+	//if ( ! entropy->IsValid() || ! fed )
+	if ( ! fed )
+		return;
+
+	val_list* vl = new val_list();
+	vl->append(GetFile()->GetVal()->Ref());
+
+	double montepi, scc, ent, mean, chisq;
+	montepi = scc = ent = mean = chisq = 0.0;
+	entropy->Get(&ent, &chisq, &mean, &montepi, &scc);
+
+	RecordVal* ent_result = new RecordVal(entropy_test_result);
+	ent_result->Assign(0, new Val(ent,     TYPE_DOUBLE));
+	ent_result->Assign(1, new Val(chisq,   TYPE_DOUBLE));
+	ent_result->Assign(2, new Val(mean,    TYPE_DOUBLE));
+	ent_result->Assign(3, new Val(montepi, TYPE_DOUBLE));
+	ent_result->Assign(4, new Val(scc,     TYPE_DOUBLE));
+
+	vl->append(ent_result);
+	mgr.QueueEvent(file_entropy, vl);
+	}
diff --git a/src/file_analysis/analyzer/entropy/Entropy.h b/src/file_analysis/analyzer/entropy/Entropy.h
new file mode 100644
index 0000000000..6a5075263c
--- /dev/null
+++ b/src/file_analysis/analyzer/entropy/Entropy.h
@@ -0,0 +1,84 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#ifndef FILE_ANALYSIS_ENTROPY_H
+#define FILE_ANALYSIS_ENTROPY_H
+
+#include <string>
+
+#include "Val.h"
+#include "OpaqueVal.h"
+#include "File.h"
+#include "Analyzer.h"
+
+#include "events.bif.h"
+
+namespace file_analysis {
+
+/**
+ * An analyzer to produce a hash of file contents.
+ */
+class Entropy : public file_analysis::Analyzer {
+public:
+
+	/**
+	 * Destructor.
+	 */
+	virtual ~Entropy();
+
+	/**
+	 * Create a new instance of an Extract analyzer.
+	 * @param args the \c AnalyzerArgs value which represents the analyzer.
+	 * @param file the file to which the analyzer will be attached.
+	 * @return the new Extract analyzer instance or a null pointer if the
+	 *         the "extraction_file" field of \a args wasn't set.
+	 */
+	static file_analysis::Analyzer* Instantiate(RecordVal* args, File* file);
+
+	/**
+	 * Incrementally hash next chunk of file contents.
+	 * @param data pointer to start of a chunk of a file data.
+	 * @param len number of bytes in the data chunk.
+	 * @return false if the digest is in an invalid state, else true.
+	 */
+	virtual bool DeliverStream(const u_char* data, uint64 len);
+
+	/**
+	 * Finalizes the hash and raises a "file_entropy_test" event.
+	 * @return always false so analyze will be deteched from file.
+	 */
+	virtual bool EndOfFile();
+
+	/**
+	 * Missing data can't be handled, so just indicate the this analyzer should
+	 * be removed from receiving further data.  The hash will not be finalized.
+	 * @param offset byte offset in file at which missing chunk starts.
+	 * @param len number of missing bytes.
+	 * @return always false so analyzer will detach from file.
+	 */
+	virtual bool Undelivered(uint64 offset, uint64 len);
+
+protected:
+
+	/**
+	 * Constructor.
+	 * @param args the \c AnalyzerArgs value which represents the analyzer.
+	 * @param file the file to which the analyzer will be attached.
+	 * @param hv specific hash calculator object.
+	 * @param kind human readable name of the hash algorithm to use.
+	 */
+	Entropy(RecordVal* args, File* file);
+
+	/**
+	 * If some file contents have been seen, finalizes the hash of them and
+	 * raises the "file_hash" event with the results.
+	 */
+	void Finalize();
+
+private:
+	EntropyVal* entropy;
+	bool fed;
+};
+
+} // namespace file_analysis
+
+#endif
diff --git a/src/file_analysis/analyzer/entropy/Plugin.cc b/src/file_analysis/analyzer/entropy/Plugin.cc
new file mode 100644
index 0000000000..f1dd954cba
--- /dev/null
+++ b/src/file_analysis/analyzer/entropy/Plugin.cc
@@ -0,0 +1,24 @@
+// See the file  in the main distribution directory for copyright.
+
+#include "plugin/Plugin.h"
+
+#include "Entropy.h"
+
+namespace plugin {
+namespace Bro_FileEntropy {
+
+class Plugin : public plugin::Plugin {
+public:
+	plugin::Configuration Configure()
+		{
+		AddComponent(new ::file_analysis::Component("ENTROPY", ::file_analysis::Entropy::Instantiate));
+
+		plugin::Configuration config;
+		config.name = "Bro::FileEntropy";
+		config.description = "Entropy test file content";
+		return config;
+		}
+} plugin;
+
+}
+}
diff --git a/src/file_analysis/analyzer/entropy/events.bif b/src/file_analysis/analyzer/entropy/events.bif
new file mode 100644
index 0000000000..a51bb3d39b
--- /dev/null
+++ b/src/file_analysis/analyzer/entropy/events.bif
@@ -0,0 +1,8 @@
+## This event is generated each time file analysis performs
+## entropy testing on a file.
+##
+## f: The file.
+##
+## ent: The results of the entropy testing.
+##
+event file_entropy%(f: fa_file, ent: entropy_test_result%);
\ No newline at end of file
diff --git a/src/file_analysis/analyzer/x509/X509.cc b/src/file_analysis/analyzer/x509/X509.cc
index e8ea5cb7b4..ebf7b1d04f 100644
--- a/src/file_analysis/analyzer/x509/X509.cc
+++ b/src/file_analysis/analyzer/x509/X509.cc
@@ -543,7 +543,7 @@ double file_analysis::X509::GetTimeFromAsn1(const ASN1_TIME* atime, const char*
 			}
 
 		// year is first two digits in YY format. Buffer expects YYYY format.
-		if ( pString[0] - '0' < 50 ) // RFC 2459 4.1.2.5.1
+		if ( pString[0] < '5' ) // RFC 2459 4.1.2.5.1
 			{
 			*(pBuffer++) = '2';
 			*(pBuffer++) = '0';
diff --git a/src/input/Manager.cc b/src/input/Manager.cc
index 6360e440f4..5abba86ea0 100644
--- a/src/input/Manager.cc
+++ b/src/input/Manager.cc
@@ -1204,7 +1204,7 @@ int Manager::SendEntryTable(Stream* i, const Value* const *vals)
 	ih->idxkey = new HashKey(k->Key(), k->Size(), k->Hash());
 	ih->valhash = valhash;
 
-	if ( stream->event && updated )
+	if ( oldval && stream->event && updated )
 		Ref(oldval); // otherwise it is no longer accessible after the assignment
 
 	stream->tab->Assign(idxval, k, valval);
diff --git a/src/input/readers/ascii/Ascii.cc b/src/input/readers/ascii/Ascii.cc
index 1bbcaea1d9..a1eccc37f5 100644
--- a/src/input/readers/ascii/Ascii.cc
+++ b/src/input/readers/ascii/Ascii.cc
@@ -1,6 +1,5 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
-#include <fstream>
 #include <sstream>
 
 #include <sys/types.h>
@@ -49,25 +48,15 @@ FieldMapping FieldMapping::subType()
 
 Ascii::Ascii(ReaderFrontend *frontend) : ReaderBackend(frontend)
 	{
-	file = 0;
 	mtime = 0;
-	formatter = 0;
 	}
 
 Ascii::~Ascii()
 	{
-	DoClose();
-	delete formatter;
 	}
 
 void Ascii::DoClose()
 	{
-	if ( file != 0 )
-		{
-		file->close();
-		delete(file);
-		file = 0;
-		}
 	}
 
 bool Ascii::DoInit(const ReaderInfo& info, int num_fields, const Field* const* fields)
@@ -107,23 +96,19 @@ bool Ascii::DoInit(const ReaderInfo& info, int num_fields, const Field* const* f
 		Error("set_separator length has to be 1. Separator will be truncated.");
 
 	formatter::Ascii::SeparatorInfo sep_info(separator, set_separator, unset_field, empty_field);
-	formatter = new formatter::Ascii(this, sep_info);
+	formatter = unique_ptr<threading::formatter::Formatter>(new formatter::Ascii(this, sep_info));
 
-	file = new ifstream(info.source);
-	if ( ! file->is_open() )
+	file.open(info.source);
+	if ( ! file.is_open() )
 		{
 		Error(Fmt("Init: cannot open %s", info.source));
-		delete(file);
-		file = 0;
 		return false;
 		}
 
 	if ( ReadHeader(false) == false )
 		{
 		Error(Fmt("Init: cannot open %s; headers are incorrect", info.source));
-		file->close();
-		delete(file);
-		file = 0;
+		file.close();
 		return false;
 		}
 
@@ -215,8 +200,14 @@ bool Ascii::ReadHeader(bool useCached)
 
 bool Ascii::GetLine(string& str)
 	{
-	while ( getline(*file, str) )
+	while ( getline(file, str) )
 		{
+		if ( ! str.size() )
+			continue;
+
+		if ( str.back() == '\r' ) // deal with \r\n by removing \r
+			str.pop_back();
+
 		if ( str[0] != '#' )
 			return true;
 
@@ -258,24 +249,22 @@ bool Ascii::DoUpdate()
 			{
 			// dirty, fix me. (well, apparently after trying seeking, etc
 			// - this is not that bad)
-			if ( file && file->is_open() )
+			if ( file.is_open() )
 				{
 				if ( Info().mode == MODE_STREAM )
 					{
-					file->clear(); // remove end of file evil bits
+					file.clear(); // remove end of file evil bits
 					if ( !ReadHeader(true) )
 						return false; // header reading failed
 
 					break;
 					}
 
-				file->close();
-				delete file;
-				file = 0;
+				file.close();
 				}
 
-			file = new ifstream(Info().source);
-			if ( ! file->is_open() )
+			file.open(Info().source);
+			if ( ! file.is_open() )
 				{
 				Error(Fmt("cannot open %s", Info().source));
 				return false;
@@ -296,7 +285,7 @@ bool Ascii::DoUpdate()
 
 	string line;
 
-	file->sync();
+	file.sync();
 
 	while ( GetLine(line) )
 		{
diff --git a/src/input/readers/ascii/Ascii.h b/src/input/readers/ascii/Ascii.h
index fe9bb95845..20a459968d 100644
--- a/src/input/readers/ascii/Ascii.h
+++ b/src/input/readers/ascii/Ascii.h
@@ -5,6 +5,8 @@
 
 #include <iostream>
 #include <vector>
+#include <fstream>
+#include <memory>
 
 #include "input/ReaderBackend.h"
 #include "threading/formatters/Ascii.h"
@@ -33,23 +35,28 @@ struct FieldMapping {
  */
 class Ascii : public ReaderBackend {
 public:
-	Ascii(ReaderFrontend* frontend);
+	explicit Ascii(ReaderFrontend* frontend);
 	~Ascii();
 
+	// prohibit copying and moving
+	Ascii(const Ascii&) = delete;
+	Ascii(Ascii&&) = delete;
+	Ascii& operator=(const Ascii&) = delete;
+	Ascii& operator=(Ascii&&) = delete;
+
 	static ReaderBackend* Instantiate(ReaderFrontend* frontend) { return new Ascii(frontend); }
 
 protected:
-	virtual bool DoInit(const ReaderInfo& info, int arg_num_fields, const threading::Field* const* fields);
-	virtual void DoClose();
-	virtual bool DoUpdate();
-	virtual bool DoHeartbeat(double network_time, double current_time);
+	bool DoInit(const ReaderInfo& info, int arg_num_fields, const threading::Field* const* fields) override;
+	void DoClose() override;
+	bool DoUpdate() override;
+	bool DoHeartbeat(double network_time, double current_time) override;
 
 private:
-
 	bool ReadHeader(bool useCached);
 	bool GetLine(string& str);
 
-	ifstream* file;
+	ifstream file;
 	time_t mtime;
 
 	// map columns in the file to columns to send back to the manager
@@ -64,7 +71,7 @@ private:
 	string empty_field;
 	string unset_field;
 
-	threading::formatter::Formatter* formatter;
+	std::unique_ptr<threading::formatter::Formatter> formatter;
 };
 
 
diff --git a/src/iosource/Packet.cc b/src/iosource/Packet.cc
index 2aa7fa58c7..6b3bbe40f3 100644
--- a/src/iosource/Packet.cc
+++ b/src/iosource/Packet.cc
@@ -44,6 +44,8 @@ void Packet::Init(int arg_link_type, struct timeval *arg_ts, uint32 arg_caplen,
 	eth_type = 0;
 	vlan = 0;
 	inner_vlan = 0;
+	l2_src = 0;
+	l2_dst = 0;
 
 	l2_valid = false;
 
@@ -136,8 +138,12 @@ void Packet::ProcessLayer2()
 		{
 		// Get protocol being carried from the ethernet frame.
 		int protocol = (pdata[12] << 8) + pdata[13];
-		pdata += GetLinkHeaderSize(link_type);
+
 		eth_type = protocol;
+		l2_dst = pdata;
+		l2_src = pdata + 6;
+
+		pdata += GetLinkHeaderSize(link_type);
 
 		switch ( protocol )
 			{
@@ -261,33 +267,82 @@ void Packet::ProcessLayer2()
 			Weird("truncated_radiotap_header");
 			return;
 			}
+
 		// Skip over the RadioTap header
 		int rtheader_len = (pdata[3] << 8) + pdata[2];
+
 		if ( pdata + rtheader_len >= end_of_data )
 			{
 			Weird("truncated_radiotap_header");
 			return;
 			}
+
 		pdata += rtheader_len;
 
-		int type_80211 = pdata[0];
-		int len_80211 = 0;
-		if ( (type_80211 >> 4) & 0x04 )
-			{
-			//identified a null frame (we ignore for now).  no weird.
-			return;
-			}
-		// Look for the QoS indicator bit.
-		if ( (type_80211 >> 4) & 0x08 )
-			len_80211 = 26;
-		else
-			len_80211 = 24;
+		u_char len_80211 = 24; // minimal length of data frames
 
 		if ( pdata + len_80211 >= end_of_data )
 			{
 			Weird("truncated_radiotap_header");
 			return;
 			}
+
+		u_char fc_80211 = pdata[0]; // Frame Control field
+
+		// Skip non-data frame types (management & control).
+		if ( ! ((fc_80211 >> 2) & 0x02) )
+			return;
+
+		// Skip subtypes without data.
+		if ( (fc_80211 >> 4) & 0x04 )
+			return;
+
+		// 'To DS' and 'From DS' flags set indicate use of the 4th
+		// address field.
+		if ( (pdata[1] & 0x03) == 0x03 )
+			len_80211 += l2_addr_len;
+
+		// Look for the QoS indicator bit.
+		if ( (fc_80211 >> 4) & 0x08 )
+			{
+			// Skip in case of A-MSDU subframes indicated by QoS
+			// control field.
+			if ( pdata[len_80211] & 0x80)
+				return;
+
+			len_80211 += 2;
+			}
+
+		if ( pdata + len_80211 >= end_of_data )
+			{
+			Weird("truncated_radiotap_header");
+			return;
+			}
+
+		// Determine link-layer addresses based
+		// on 'To DS' and 'From DS' flags
+		switch ( pdata[1] & 0x03 ) {
+			case 0x00:
+				l2_src = pdata + 10;
+				l2_dst = pdata + 4;
+				break;
+
+			case 0x01:
+				l2_src = pdata + 10;
+				l2_dst = pdata + 16;
+				break;
+
+			case 0x02:
+				l2_src = pdata + 16;
+				l2_dst = pdata + 4;
+				break;
+
+			case 0x03:
+				l2_src = pdata + 24;
+				l2_dst = pdata + 16;
+				break;
+		}
+
 		// skip 802.11 data header
 		pdata += len_80211;
 
@@ -428,15 +483,6 @@ void Packet::ProcessLayer2()
 
 RecordVal* Packet::BuildPktHdrVal() const
 	{
-	static RecordType* l2_hdr_type = 0;
-	static RecordType* raw_pkt_hdr_type = 0;
-
-	if ( ! raw_pkt_hdr_type )
-		{
-		raw_pkt_hdr_type = internal_type("raw_pkt_hdr")->AsRecordType();
-		l2_hdr_type = internal_type("l2_hdr")->AsRecordType();
-		}
-
 	RecordVal* pkt_hdr = new RecordVal(raw_pkt_hdr_type);
 	RecordVal* l2_hdr = new RecordVal(l2_hdr_type);
 
diff --git a/src/iosource/Packet.h b/src/iosource/Packet.h
index a96f14ebdd..5414e2ca0e 100644
--- a/src/iosource/Packet.h
+++ b/src/iosource/Packet.h
@@ -50,7 +50,8 @@ public:
 	 */
 	Packet(int link_type, struct timeval *ts, uint32 caplen,
 	       uint32 len, const u_char *data, int copy = false,
-	       std::string tag = std::string("")) : data(0)
+	       std::string tag = std::string(""))
+	           : data(0), l2_src(0), l2_dst(0)
 	       {
 	       Init(link_type, ts, caplen, len, data, copy, tag);
 	       }
@@ -58,7 +59,7 @@ public:
 	/**
 	 * Default constructor. For internal use only.
 	 */
-	Packet() : data(0)
+	Packet() : data(0), l2_src(0), l2_dst(0)
 		{
 		struct timeval ts = {0, 0};
 		Init(0, &ts, 0, 0, 0);
@@ -146,6 +147,11 @@ public:
 	 */
 	static Packet* Unserialize(UnserialInfo* info);
 
+	/**
+	 * Maximal length of a layer 2 address.
+	 */
+	static const int l2_addr_len = 6;
+
 	// These are passed in through the constructor.
 	std::string tag;		/// Used in serialization
 	double time;			/// Timestamp reconstituted as float
@@ -167,19 +173,30 @@ public:
 	 * Layer 3 protocol identified (if any). Valid iff Layer2Valid()
 	 * returns true.
 	 */
-	Layer3Proto l3_proto;		///
+	Layer3Proto l3_proto;
 
 	/**
 	 * If layer 2 is Ethernet, innermost ethertype field. Valid iff
 	 * Layer2Valid() returns true.
 	 */
-	uint32 eth_type;		///
+	uint32 eth_type;
+
+	/**
+	 * Layer 2 source address. Valid iff Layer2Valid() returns true.
+	 */
+	const u_char* l2_src;
+
+	/**
+	 * Layer 2 destination address. Valid iff Layer2Valid() returns
+	 * true.
+	 */
+	const u_char* l2_dst;
 
 	/**
 	 * (Outermost) VLAN tag if any, else 0. Valid iff Layer2Valid()
 	 * returns true.
 	 */
-	uint32 vlan;			///
+	uint32 vlan;
 
 	/**
 	 * (Innermost) VLAN tag if any, else 0. Valid iff Layer2Valid()
diff --git a/src/iosource/PktSrc.cc b/src/iosource/PktSrc.cc
index 8db9db6ef1..a56ba90e86 100644
--- a/src/iosource/PktSrc.cc
+++ b/src/iosource/PktSrc.cc
@@ -31,6 +31,7 @@ PktSrc::PktSrc()
 
 	next_sync_point = 0;
 	first_timestamp = 0.0;
+	current_pseudo = 0.0;
 	first_wallclock = current_wallclock = 0;
 	}
 
@@ -91,7 +92,7 @@ void PktSrc::Opened(const Properties& arg_props)
 		{
 		char buf[512];
 		safe_snprintf(buf, sizeof(buf),
-			 "unknown data link type 0x%x", props.link_type);
+			 "unknown data link type 0x%x", arg_props.link_type);
 		Error(buf);
 		Close();
 		return;
@@ -289,6 +290,12 @@ bool PktSrc::ExtractNextPacketInternal()
 
 	if ( ExtractNextPacket(&current_packet) )
 		{
+		if ( current_packet.time < 0 )
+			{
+			Weird("negative_packet_timestamp", &current_packet);
+			return 0;
+			}
+
 		if ( ! first_timestamp )
 			first_timestamp = current_packet.time;
 
diff --git a/src/main.cc b/src/main.cc
index 73181c82f2..abe57330d5 100644
--- a/src/main.cc
+++ b/src/main.cc
@@ -754,7 +754,10 @@ int main(int argc, char** argv)
 
 #ifdef DEBUG
 	if ( debug_streams )
+		{
 		debug_logger.EnableStreams(debug_streams);
+		debug_logger.OpenDebugLog("debug");
+		}
 #endif
 
 	init_random_seed(seed, (seed_load_file && *seed_load_file ? seed_load_file : 0) , seed_save_file);
@@ -1172,8 +1175,8 @@ int main(int argc, char** argv)
 
 		double time_net_start = current_time(true);;
 
-		unsigned int mem_net_start_total;
-		unsigned int mem_net_start_malloced;
+		uint64 mem_net_start_total;
+		uint64 mem_net_start_malloced;
 
 		if ( time_bro )
 			{
@@ -1181,7 +1184,7 @@ int main(int argc, char** argv)
 
 			fprintf(stderr, "# initialization %.6f\n", time_net_start - time_start);
 
-			fprintf(stderr, "# initialization %uM/%uM\n",
+			fprintf(stderr, "# initialization %" PRIu64 "M/%" PRIu64 "M\n",
 				mem_net_start_total / 1024 / 1024,
 				mem_net_start_malloced / 1024 / 1024);
 			}
@@ -1190,8 +1193,8 @@ int main(int argc, char** argv)
 
 		double time_net_done = current_time(true);;
 
-		unsigned int mem_net_done_total;
-		unsigned int mem_net_done_malloced;
+		uint64 mem_net_done_total;
+		uint64 mem_net_done_malloced;
 
 		if ( time_bro )
 			{
@@ -1200,7 +1203,7 @@ int main(int argc, char** argv)
 			fprintf(stderr, "# total time %.6f, processing %.6f\n",
 				time_net_done - time_start, time_net_done - time_net_start);
 
-			fprintf(stderr, "# total mem %uM/%uM, processing %uM/%uM\n",
+			fprintf(stderr, "# total mem %" PRId64 "M/%" PRId64 "M, processing %" PRId64 "M/%" PRId64 "M\n",
 				mem_net_done_total / 1024 / 1024,
 				mem_net_done_malloced / 1024 / 1024,
 				(mem_net_done_total - mem_net_start_total) / 1024 / 1024,
diff --git a/src/modp_numtoa.c b/src/modp_numtoa.c
index 2024f7c55b..6475ad5fe6 100644
--- a/src/modp_numtoa.c
+++ b/src/modp_numtoa.c
@@ -287,5 +287,136 @@ void modp_dtoa2(double value, char* str, int prec)
     strreverse(str, wstr-1);
 }
 
+// This is near identical to modp_dtoa2 above, excep that it never uses
+// exponential notation and requires a buffer length.
+void modp_dtoa3(double value, char* str, int n, int prec)
+{
+    /* Hacky test for NaN
+     * under -fast-math this won't work, but then you also won't
+     * have correct nan values anyways.  The alternative is
+     * to link with libmath (bad) or hack IEEE double bits (bad)
+     */
+    if (! (value == value)) {
+        str[0] = 'n'; str[1] = 'a'; str[2] = 'n'; str[3] = '\0';
+        return;
+    }
+
+    /* if input is larger than thres_max, revert to exponential */
+    const double thres_max = (double)(0x7FFFFFFF);
+
+    int count;
+    double diff = 0.0;
+    char* wstr = str;
+
+    if (prec < 0) {
+        prec = 0;
+    } else if (prec > 9) {
+        /* precision of >= 10 can lead to overflow errors */
+        prec = 9;
+    }
+
+
+    /* we'll work in positive values and deal with the
+       negative sign issue later */
+    int neg = 0;
+    if (value < 0) {
+        neg = 1;
+        value = -value;
+    }
+
+
+    int whole = (int) value;
+    double tmp = (value - whole) * _pow10[prec];
+    uint32_t frac = (uint32_t)(tmp);
+    diff = tmp - frac;
+
+    if (diff > 0.5) {
+        ++frac;
+        /* handle rollover, e.g.  case 0.99 with prec 1 is 1.0  */
+        if (frac >= _pow10[prec]) {
+            frac = 0;
+            ++whole;
+        }
+    } else if (diff == 0.5 && ((frac == 0) || (frac & 1))) {
+        /* if halfway, round up if odd, OR
+           if last digit is 0.  That last part is strange */
+        ++frac;
+    }
+
+    /* for very large numbers switch back to native sprintf for exponentials.
+       anyone want to write code to replace this? */
+    /*
+      normal printf behavior is to print EVERY whole number digit
+      which can be 100s of characters overflowing your buffers == bad
+    */
+    if (value > thres_max) {
+        /* ---- Modified part, compared to modp_dtoa3. */
+        int i = snprintf(str, n, "%.*f", prec, neg ? -value : value);
+
+        if ( i < 0 || i >= n ) {
+        // Error or truncated output.
+            snprintf(str, n, "NAN");
+            return;
+            }
+
+        /* Remove trailing zeros. */
+
+        char* p;
+        for ( p = str + i - 1; p >= str && *p == '0'; --p );
+
+        if ( p >= str && *p == '.' )
+            --p;
+
+        *++p = '\0';
+        return;
+
+        /* ---- End of modified part.. */
+    }
+
+    if (prec == 0) {
+        diff = value - whole;
+        if (diff > 0.5) {
+            /* greater than 0.5, round up, e.g. 1.6 -> 2 */
+            ++whole;
+        } else if (diff == 0.5 && (whole & 1)) {
+            /* exactly 0.5 and ODD, then round up */
+            /* 1.5 -> 2, but 2.5 -> 2 */
+            ++whole;
+        }
+
+        //vvvvvvvvvvvvvvvvvvv  Diff from modp_dto2
+    } else if (frac) {
+        count = prec;
+        // now do fractional part, as an unsigned number
+        // we know it is not 0 but we can have leading zeros, these
+        // should be removed
+        while (!(frac % 10)) {
+            --count;
+            frac /= 10;
+        }
+        //^^^^^^^^^^^^^^^^^^^  Diff from modp_dto2
+
+        // now do fractional part, as an unsigned number
+        do {
+            --count;
+            *wstr++ = (char)(48 + (frac % 10));
+        } while (frac /= 10);
+        // add extra 0s
+        while (count-- > 0) *wstr++ = '0';
+        // add decimal
+        *wstr++ = '.';
+    }
+
+    // do whole part
+    // Take care of sign
+    // Conversion. Number is reversed.
+    do *wstr++ = (char)(48 + (whole % 10)); while (whole /= 10);
+    if (neg) {
+        *wstr++ = '-';
+    }
+    *wstr='\0';
+    strreverse(str, wstr-1);
+}
+
 
 
diff --git a/src/modp_numtoa.h b/src/modp_numtoa.h
index b848163d1d..6b41ba644d 100644
--- a/src/modp_numtoa.h
+++ b/src/modp_numtoa.h
@@ -97,6 +97,15 @@ void modp_dtoa(double value, char* buf, int precision);
  */
 void modp_dtoa2(double value, char* buf, int precision);
 
+/** \brief convert a floating point number to char buffer with a
+ *         variable-precision format, no trailing zeros, and no
+ *   	scientific notation.
+ *
+ *  Other than avoiding scientific notation, this is the same as mop_dtoa2. It does however
+ *  require the max buffer length. The buffer will always be null-terminated.
+ */
+void modp_dtoa3(double value, char* buf, int n, int precision);
+
 END_C
 
 #endif
diff --git a/src/nb_dns.c b/src/nb_dns.c
index 1e5d427924..35059ab4f0 100644
--- a/src/nb_dns.c
+++ b/src/nb_dns.c
@@ -389,7 +389,7 @@ nb_dns_addr_request2(register struct nb_dns_info *nd, char *addrp,
 
 	default:
 		snprintf(errstr, NB_DNS_ERRSIZE,
-		    "nb_dns_addr_request2(): uknown address family %d", af);
+		    "nb_dns_addr_request2(): unknown address family %d", af);
 		return (-1);
 	}
 
diff --git a/src/net_util.cc b/src/net_util.cc
index 95be1f8b0c..677a869cc5 100644
--- a/src/net_util.cc
+++ b/src/net_util.cc
@@ -148,21 +148,21 @@ const char* fmt_conn_id(const uint32* src_addr, uint32 src_port,
 	return fmt_conn_id(src, src_port, dst, dst_port);
 	}
 
-char* fmt_mac(const unsigned char* m, int len)
+std::string fmt_mac(const unsigned char* m, int len)
 	{
-	char* buf = new char[25];
+	static char buf[25];
 
-	if ( len < 8 )
+	if ( len < 8 && len != 6 )
 		{
 		*buf = '\0';
 		return buf;
 		}
 
-	if ( m[6] == 0 && m[7] == 0 ) // EUI-48
-		snprintf(buf, 19, "%02x:%02x:%02x:%02x:%02x:%02x",
+	if ( (len == 6) || (m[6] == 0 && m[7] == 0) ) // EUI-48
+		snprintf(buf, sizeof(buf), "%02x:%02x:%02x:%02x:%02x:%02x",
 			 m[0], m[1], m[2], m[3], m[4], m[5]);
 	else
-		snprintf(buf, 25, "%02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x",
+		snprintf(buf, sizeof(buf), "%02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x",
 			 m[0], m[1], m[2], m[3], m[4], m[5], m[6], m[7]);
 
 	return buf;
diff --git a/src/net_util.h b/src/net_util.h
index ebdd0cbb88..52ee53f1dd 100644
--- a/src/net_util.h
+++ b/src/net_util.h
@@ -166,7 +166,7 @@ extern const char* fmt_conn_id(const uint32* src_addr, uint32 src_port,
 *            least 8 for a valid address.
 * @return A string of the formatted MAC. Passes ownership to caller.
 */
-extern char* fmt_mac(const unsigned char* m, int len);
+extern std::string fmt_mac(const unsigned char* m, int len);
 
 // Read 4 bytes from data and return in network order.
 extern uint32 extract_uint32(const u_char* data);
diff --git a/src/parse.y b/src/parse.y
index c67732835f..facd7e55ed 100644
--- a/src/parse.y
+++ b/src/parse.y
@@ -31,12 +31,12 @@
 
 %token TOK_NO_TEST
 
-%nonassoc TOK_HOOK
 %left ',' '|'
 %right '=' TOK_ADD_TO TOK_REMOVE_FROM
 %right '?' ':'
 %left TOK_OR
 %left TOK_AND
+%nonassoc TOK_HOOK
 %nonassoc '<' '>' TOK_LE TOK_GE TOK_EQ TOK_NE
 %left TOK_IN TOK_NOT_IN
 %left '+' '-'
@@ -1474,11 +1474,20 @@ event:
 		TOK_ID '(' opt_expr_list ')'
 			{
 			set_location(@1, @4);
-			$$ = new EventExpr($1, $3);
-			ID* id = lookup_ID($1, current_module.c_str());
 
-			if ( id && id->IsDeprecated() )
-				reporter->Warning("deprecated (%s)", id->Name());
+			ID* id = lookup_ID($1, current_module.c_str());
+			if ( id )
+				{
+				if ( ! id->IsGlobal() )
+					{
+					yyerror(fmt("local identifier \"%s\" cannot be used to reference an event", $1));
+					YYERROR;
+					}
+				if ( id->IsDeprecated() )
+					reporter->Warning("deprecated (%s)", id->Name());
+				}
+
+			$$ = new EventExpr($1, $3);
 			}
 	;
 
diff --git a/src/patricia.c b/src/patricia.c
index c4815b40ec..5ec6e2a27c 100644
--- a/src/patricia.c
+++ b/src/patricia.c
@@ -1,3 +1,8 @@
+/*
+ * Johanna Amann <johanna@icir.org>
+ *
+ * Added patricia_search_all function.
+ */
 /*
  * Dave Plonka <plonka@doit.wisc.edu>
  *
@@ -61,6 +66,7 @@ static char copyright[] =
 #include <string.h> /* memcpy, strchr, strlen */
 #include <arpa/inet.h> /* for inet_addr */
 #include <sys/types.h> /* for u_short, etc. */
+#include <stdbool.h>
 
 #include "patricia.h"
 
@@ -561,6 +567,107 @@ patricia_search_exact (patricia_tree_t *patricia, prefix_t *prefix)
     return (NULL);
 }
 
+bool
+patricia_search_all (patricia_tree_t *patricia, prefix_t *prefix, patricia_node_t ***list, int *n)
+{
+	patricia_node_t *node;
+	patricia_node_t *stack[PATRICIA_MAXBITS + 1];
+	u_char *addr;
+	u_int bitlen;
+	int cnt = 0;
+
+	assert (patricia);
+	assert (prefix);
+	assert (prefix->bitlen <= patricia->maxbits);
+	assert (n);
+	assert (list);
+	assert (*list == NULL);
+
+	*n = 0;
+
+	if (patricia->head == NULL)
+		return (NULL);
+
+	node = patricia->head;
+	addr = prefix_touchar (prefix);
+	bitlen = prefix->bitlen;
+
+	while (node->bit < bitlen) {
+
+	if (node->prefix) {
+#ifdef PATRICIA_DEBUG
+		fprintf (stderr, "patricia_search_all: push %s/%d\n",
+			prefix_toa (node->prefix), node->prefix->bitlen);
+#endif /* PATRICIA_DEBUG */
+		stack[cnt++] = node;
+	}
+
+	if (BIT_TEST (addr[node->bit >> 3], 0x80 >> (node->bit & 0x07))) {
+#ifdef PATRICIA_DEBUG
+		if (node->prefix)
+			fprintf (stderr, "patricia_search_all: take right %s/%d\n",
+				prefix_toa (node->prefix), node->prefix->bitlen);
+			else
+			fprintf (stderr, "patricia_search_all: take right at %d\n",
+				node->bit);
+#endif /* PATRICIA_DEBUG */
+		node = node->r;
+	} else {
+#ifdef PATRICIA_DEBUG
+		if (node->prefix)
+			fprintf (stderr, "patricia_search_all: take left %s/%d\n",
+				prefix_toa (node->prefix), node->prefix->bitlen);
+			else
+				fprintf (stderr, "patricia_search_all: take left at %d\n",
+					node->bit);
+#endif /* PATRICIA_DEBUG */
+			node = node->l;
+	}
+
+	if (node == NULL)
+			break;
+	}
+
+	if (node && node->prefix)
+		stack[cnt++] = node;
+
+#ifdef PATRICIA_DEBUG
+		if (node == NULL)
+			fprintf (stderr, "patricia_search_all: stop at null\n");
+		else if (node->prefix)
+			fprintf (stderr, "patricia_search_all: stop at %s/%d\n",
+				prefix_toa (node->prefix), node->prefix->bitlen);
+		else
+			fprintf (stderr, "patricia_search_all: stop at %d\n", node->bit);
+#endif /* PATRICIA_DEBUG */
+
+	if (cnt <= 0)
+		return false;
+
+	// ok, now we have an upper bound of how much we can return. Let's just alloc that...
+	patricia_node_t **outlist = calloc(cnt, sizeof(patricia_node_t*));
+	if (outlist == NULL)
+		out_of_memory("patrica/patricia_search_all: unable to allocate memory");
+
+	while (--cnt >= 0) {
+		node = stack[cnt];
+#ifdef PATRICIA_DEBUG
+		fprintf (stderr, "patricia_search_all: pop %s/%d\n",
+			prefix_toa (node->prefix), node->prefix->bitlen);
+#endif /* PATRICIA_DEBUG */
+		if (comp_with_mask (prefix_tochar (node->prefix), prefix_tochar (prefix), node->prefix->bitlen)) {
+#ifdef PATRICIA_DEBUG
+			fprintf (stderr, "patricia_search_all: found %s/%d\n",
+				prefix_toa (node->prefix), node->prefix->bitlen);
+#endif /* PATRICIA_DEBUG */
+			outlist[*n] = node;
+			(*n)++;
+		}
+	}
+	*list = outlist;
+	return (*n == 0);
+}
+
 
 /* if inclusive != 0, "best" may be the given prefix itself */
 patricia_node_t *
diff --git a/src/patricia.h b/src/patricia.h
index dc67226362..3a9badd29a 100644
--- a/src/patricia.h
+++ b/src/patricia.h
@@ -104,6 +104,7 @@ typedef struct _patricia_tree_t {
 
 
 patricia_node_t *patricia_search_exact (patricia_tree_t *patricia, prefix_t *prefix);
+bool patricia_search_all (patricia_tree_t *patricia, prefix_t *prefix, patricia_node_t ***list, int *n);
 patricia_node_t *patricia_search_best (patricia_tree_t *patricia, prefix_t *prefix);
 patricia_node_t * patricia_search_best2 (patricia_tree_t *patricia, prefix_t *prefix, 
 				   int inclusive);
diff --git a/src/stats.bif b/src/stats.bif
new file mode 100644
index 0000000000..e901b5e777
--- /dev/null
+++ b/src/stats.bif
@@ -0,0 +1,422 @@
+
+%%{ // C segment
+#include "util.h"
+#include "threading/Manager.h"
+
+RecordType* ProcStats;
+RecordType* NetStats;
+RecordType* MatcherStats;
+RecordType* ReassemblerStats;
+RecordType* DNSStats;
+RecordType* ConnStats;
+RecordType* GapStats;
+RecordType* EventStats;
+RecordType* ThreadStats;
+RecordType* TimerStats;
+RecordType* FileAnalysisStats;
+%%}
+
+## Returns packet capture statistics. Statistics include the number of
+## packets *(i)* received by Bro, *(ii)* dropped, and *(iii)* seen on the
+## link (not always available).
+##
+## Returns: A record of packet statistics.
+##
+## .. bro:see:: get_conn_stats
+##              get_dns_stats
+##              get_event_stats
+##              get_file_analysis_stats
+##              get_gap_stats
+##              get_matcher_stats
+##              get_proc_stats
+##              get_reassembler_stats
+##              get_thread_stats
+##              get_timer_stats
+function get_net_stats%(%): NetStats
+	%{
+	uint64 recv = 0;
+	uint64 drop = 0;
+	uint64 link = 0;
+	uint64 bytes_recv = 0;
+
+	const iosource::Manager::PktSrcList& pkt_srcs(iosource_mgr->GetPktSrcs());
+
+	for ( iosource::Manager::PktSrcList::const_iterator i = pkt_srcs.begin();
+	      i != pkt_srcs.end(); i++ )
+		{
+		iosource::PktSrc* ps = *i;
+
+		struct iosource::PktSrc::Stats stat;
+		ps->Statistics(&stat);
+		recv += stat.received;
+		drop += stat.dropped;
+		link += stat.link;
+		bytes_recv += stat.bytes_received;
+		}
+
+	RecordVal* r = new RecordVal(NetStats);
+	int n = 0;
+
+	r->Assign(n++, new Val(recv, TYPE_COUNT));
+	r->Assign(n++, new Val(drop, TYPE_COUNT));
+	r->Assign(n++, new Val(link, TYPE_COUNT));
+	r->Assign(n++, new Val(bytes_recv, TYPE_COUNT));
+
+	return r;
+	%}
+
+## Returns Bro traffic statistics.
+##
+## Returns: A record with connection and packet statistics.
+##
+## .. bro:see:: get_dns_stats
+##              get_event_stats
+##              get_file_analysis_stats
+##              get_gap_stats
+##              get_matcher_stats
+##              get_net_stats
+##              get_proc_stats
+##              get_reassembler_stats
+##              get_thread_stats
+##              get_timer_stats
+function get_conn_stats%(%): ConnStats
+	%{
+	RecordVal* r = new RecordVal(ConnStats);
+	int n = 0;
+
+	r->Assign(n++, new Val(Connection::TotalConnections(), TYPE_COUNT));
+	r->Assign(n++, new Val(Connection::CurrentConnections(), TYPE_COUNT));
+	r->Assign(n++, new Val(Connection::CurrentExternalConnections(), TYPE_COUNT));
+	r->Assign(n++, new Val(sessions->CurrentConnections(), TYPE_COUNT));
+
+	SessionStats s;
+	if ( sessions )
+		sessions->GetStats(s);
+
+#define ADD_STAT(x) \
+	r->Assign(n++, new Val(unsigned(sessions ? x : 0), TYPE_COUNT));
+
+	ADD_STAT(s.num_packets);
+	ADD_STAT(s.num_fragments);
+	ADD_STAT(s.max_fragments);
+	ADD_STAT(s.num_TCP_conns);
+	ADD_STAT(s.max_TCP_conns);
+	ADD_STAT(s.cumulative_TCP_conns);
+	ADD_STAT(s.num_UDP_conns);
+	ADD_STAT(s.max_UDP_conns);
+	ADD_STAT(s.cumulative_UDP_conns);
+	ADD_STAT(s.num_ICMP_conns);
+	ADD_STAT(s.max_ICMP_conns);
+	ADD_STAT(s.cumulative_ICMP_conns);
+
+	r->Assign(n++, new Val(killed_by_inactivity, TYPE_COUNT));
+
+	return r;
+	%}
+
+## Returns Bro process statistics.
+##
+## Returns: A record with process statistics.
+##
+## .. bro:see:: get_conn_stats
+##              get_dns_stats
+##              get_event_stats
+##              get_file_analysis_stats
+##              get_gap_stats
+##              get_matcher_stats
+##              get_net_stats
+##              get_reassembler_stats
+##              get_thread_stats
+##              get_timer_stats
+function get_proc_stats%(%): ProcStats
+	%{
+	struct rusage ru;
+	if ( getrusage(RUSAGE_SELF, &ru) < 0 )
+		reporter->InternalError("getrusage() failed in get_proc_stats()");
+
+	RecordVal* r = new RecordVal(ProcStats);
+	int n = 0;
+
+	double elapsed_time = current_time() - bro_start_time;
+	double user_time =
+		double(ru.ru_utime.tv_sec) + double(ru.ru_utime.tv_usec) / 1e6;
+	double system_time =
+		double(ru.ru_stime.tv_sec) + double(ru.ru_stime.tv_usec) / 1e6;
+
+#ifdef DEBUG
+	r->Assign(n++, new Val(1, TYPE_COUNT));
+#else
+	r->Assign(n++, new Val(0, TYPE_COUNT));
+#endif
+
+	r->Assign(n++, new Val(bro_start_time, TYPE_TIME));
+
+	r->Assign(n++, new IntervalVal(elapsed_time, Seconds));
+	r->Assign(n++, new IntervalVal(user_time, Seconds));
+	r->Assign(n++, new IntervalVal(system_time, Seconds));
+
+	uint64 total_mem;
+	get_memory_usage(&total_mem, NULL);
+	r->Assign(n++, new Val(unsigned(total_mem), TYPE_COUNT));
+
+	r->Assign(n++, new Val(unsigned(ru.ru_minflt), TYPE_COUNT));
+	r->Assign(n++, new Val(unsigned(ru.ru_majflt), TYPE_COUNT));
+	r->Assign(n++, new Val(unsigned(ru.ru_nswap), TYPE_COUNT));
+	r->Assign(n++, new Val(unsigned(ru.ru_inblock), TYPE_COUNT));
+	r->Assign(n++, new Val(unsigned(ru.ru_oublock), TYPE_COUNT));
+	r->Assign(n++, new Val(unsigned(ru.ru_nivcsw), TYPE_COUNT));
+
+	return r;
+	%}
+
+## Returns statistics about the event engine.
+##
+## Returns: A record with event engine statistics.
+##
+## .. bro:see:: get_conn_stats
+##              get_dns_stats
+##              get_file_analysis_stats
+##              get_gap_stats
+##              get_matcher_stats
+##              get_net_stats
+##              get_proc_stats
+##              get_reassembler_stats
+##              get_thread_stats
+##              get_timer_stats
+function get_event_stats%(%): EventStats
+	%{
+	RecordVal* r = new RecordVal(EventStats);
+	int n = 0;
+
+	r->Assign(n++, new Val(num_events_queued, TYPE_COUNT));
+	r->Assign(n++, new Val(num_events_dispatched, TYPE_COUNT));
+
+	return r;
+	%}
+
+## Returns statistics about reassembler usage.
+##
+## Returns: A record with reassembler statistics.
+##
+## .. bro:see:: get_conn_stats
+##              get_dns_stats
+##              get_event_stats
+##              get_file_analysis_stats
+##              get_gap_stats
+##              get_matcher_stats
+##              get_net_stats
+##              get_proc_stats
+##              get_thread_stats
+##              get_timer_stats
+function get_reassembler_stats%(%): ReassemblerStats
+	%{
+	RecordVal* r = new RecordVal(ReassemblerStats);
+	int n = 0;
+
+	r->Assign(n++, new Val(Reassembler::MemoryAllocation(REASSEM_FILE), TYPE_COUNT));
+	r->Assign(n++, new Val(Reassembler::MemoryAllocation(REASSEM_FRAG), TYPE_COUNT));
+	r->Assign(n++, new Val(Reassembler::MemoryAllocation(REASSEM_TCP), TYPE_COUNT));
+	r->Assign(n++, new Val(Reassembler::MemoryAllocation(REASSEM_UNKNOWN), TYPE_COUNT));
+
+	return r;
+	%}
+
+## Returns statistics about DNS lookup activity.
+##
+## Returns: A record with DNS lookup statistics.
+##
+## .. bro:see:: get_conn_stats
+##              get_event_stats
+##              get_file_analysis_stats
+##              get_gap_stats
+##              get_matcher_stats
+##              get_net_stats
+##              get_proc_stats
+##              get_reassembler_stats
+##              get_thread_stats
+##              get_timer_stats
+function get_dns_stats%(%): DNSStats
+	%{
+	RecordVal* r = new RecordVal(DNSStats);
+	int n = 0;
+
+	DNS_Mgr::Stats dstats;
+	dns_mgr->GetStats(&dstats);
+
+	r->Assign(n++, new Val(unsigned(dstats.requests), TYPE_COUNT));
+	r->Assign(n++, new Val(unsigned(dstats.successful), TYPE_COUNT));
+	r->Assign(n++, new Val(unsigned(dstats.failed), TYPE_COUNT));
+	r->Assign(n++, new Val(unsigned(dstats.pending), TYPE_COUNT));
+	r->Assign(n++, new Val(unsigned(dstats.cached_hosts), TYPE_COUNT));
+	r->Assign(n++, new Val(unsigned(dstats.cached_addresses), TYPE_COUNT));
+
+	return r;
+	%}
+
+## Returns statistics about timer usage.
+##
+## Returns: A record with timer usage statistics.
+##
+## .. bro:see:: get_conn_stats
+##              get_dns_stats
+##              get_event_stats
+##              get_file_analysis_stats
+##              get_gap_stats
+##              get_matcher_stats
+##              get_net_stats
+##              get_proc_stats
+##              get_reassembler_stats
+##              get_thread_stats
+function get_timer_stats%(%): TimerStats
+	%{
+	RecordVal* r = new RecordVal(TimerStats);
+	int n = 0;
+
+	r->Assign(n++, new Val(unsigned(timer_mgr->Size()), TYPE_COUNT));
+	r->Assign(n++, new Val(unsigned(timer_mgr->PeakSize()), TYPE_COUNT));
+	r->Assign(n++, new Val(timer_mgr->CumulativeNum(), TYPE_COUNT));
+
+	return r;
+	%}
+
+## Returns statistics about file analysis.
+##
+## Returns: A record with file analysis statistics.
+##
+## .. bro:see:: get_conn_stats
+##              get_dns_stats
+##              get_event_stats
+##              get_gap_stats
+##              get_matcher_stats
+##              get_net_stats
+##              get_proc_stats
+##              get_reassembler_stats
+##              get_thread_stats
+##              get_timer_stats
+function get_file_analysis_stats%(%): FileAnalysisStats
+	%{
+	RecordVal* r = new RecordVal(FileAnalysisStats);
+	int n = 0;
+
+	r->Assign(n++, new Val(file_mgr->CurrentFiles(), TYPE_COUNT));
+	r->Assign(n++, new Val(file_mgr->MaxFiles(), TYPE_COUNT));
+	r->Assign(n++, new Val(file_mgr->CumulativeFiles(), TYPE_COUNT));
+
+	return r;
+	%}
+
+## Returns statistics about thread usage.
+##
+## Returns: A record with thread usage statistics.
+##
+## .. bro:see:: get_conn_stats
+##              get_dns_stats
+##              get_event_stats
+##              get_file_analysis_stats
+##              get_gap_stats
+##              get_matcher_stats
+##              get_net_stats
+##              get_proc_stats
+##              get_reassembler_stats
+##              get_timer_stats
+function get_thread_stats%(%): ThreadStats
+	%{
+	RecordVal* r = new RecordVal(ThreadStats);
+	int n = 0;
+
+	r->Assign(n++, new Val(thread_mgr->NumThreads(), TYPE_COUNT));
+
+	return r;
+	%}
+
+## Returns statistics about TCP gaps.
+##
+## Returns: A record with TCP gap statistics.
+##
+## .. bro:see:: get_conn_stats
+##              get_dns_stats
+##              get_event_stats
+##              get_file_analysis_stats
+##              get_matcher_stats
+##              get_net_stats
+##              get_proc_stats
+##              get_reassembler_stats
+##              get_thread_stats
+##              get_timer_stats
+function get_gap_stats%(%): GapStats
+	%{
+	RecordVal* r = new RecordVal(GapStats);
+	int n = 0;
+
+	r->Assign(n++, new Val(tot_ack_events, TYPE_COUNT));
+	r->Assign(n++, new Val(tot_ack_bytes, TYPE_COUNT));
+	r->Assign(n++, new Val(tot_gap_events, TYPE_COUNT));
+	r->Assign(n++, new Val(tot_gap_bytes, TYPE_COUNT));
+
+	return r;
+	%}
+
+## Returns statistics about the regular expression engine. Statistics include
+## the number of distinct matchers, DFA states, DFA state transitions, memory
+## usage of DFA states, cache hits/misses, and average number of NFA states
+## across all matchers.
+##
+## Returns: A record with matcher statistics.
+##
+## .. bro:see:: get_conn_stats
+##              get_dns_stats
+##              get_event_stats
+##              get_file_analysis_stats
+##              get_gap_stats
+##              get_net_stats
+##              get_proc_stats
+##              get_reassembler_stats
+##              get_thread_stats
+##              get_timer_stats
+function get_matcher_stats%(%): MatcherStats
+	%{
+	RecordVal* r = new RecordVal(MatcherStats);
+	int n = 0;
+
+	RuleMatcher::Stats s;
+	memset(&s, 0, sizeof(s));
+	if ( rule_matcher )
+		rule_matcher->GetStats(&s);
+
+	r->Assign(n++, new Val(s.matchers, TYPE_COUNT));
+	r->Assign(n++, new Val(s.nfa_states, TYPE_COUNT));
+	r->Assign(n++, new Val(s.dfa_states, TYPE_COUNT));
+	r->Assign(n++, new Val(s.computed, TYPE_COUNT));
+	r->Assign(n++, new Val(s.mem, TYPE_COUNT));
+	r->Assign(n++, new Val(s.hits, TYPE_COUNT));
+	r->Assign(n++, new Val(s.misses, TYPE_COUNT));
+
+	return r;
+	%}
+
+# function get_broker_stats%(%): BrokerStats
+# 	%{
+# 	RecordVal* r = new RecordVal(CommunicationStats);
+# 	int n = 0;
+#
+# #ifdef ENABLE_BROKER
+# 	auto cs = broker_mgr->ConsumeStatistics();
+#
+# 	r->Assign(n++, new Val(cs.outgoing_peer_count, TYPE_COUNT));
+# 	r->Assign(n++, new Val(cs.data_store_count, TYPE_COUNT));
+# 	r->Assign(n++, new Val(cs.pending_query_count, TYPE_COUNT));
+# 	r->Assign(n++, new Val(cs.response_count, TYPE_COUNT));
+# 	r->Assign(n++, new Val(cs.outgoing_conn_status_count, TYPE_COUNT));
+# 	r->Assign(n++, new Val(cs.incoming_conn_status_count, TYPE_COUNT));
+# 	r->Assign(n++, new Val(cs.report_count, TYPE_COUNT));
+#
+# 	//for ( const auto& s : cs.print_count )
+# 	//	file->Write(fmt("    %-25s prints dequeued=%zu\n", s.first.data(), s.second));
+# 	//for ( const auto& s : cs.event_count )
+# 	//	file->Write(fmt("    %-25s events dequeued=%zu\n", s.first.data(), s.second));
+# 	//for ( const auto& s : cs.log_count )
+# 	//	file->Write(fmt("    %-25s logs dequeued=%zu\n", s.first.data(), s.second));
+# #endif
+#
+# 	return r;
+# 	%}
diff --git a/src/strings.bif b/src/strings.bif
index ebee7d9cf7..914baaebbf 100644
--- a/src/strings.bif
+++ b/src/strings.bif
@@ -1161,7 +1161,9 @@ function find_all%(str: string, re: pattern%) : string_set
 		int n = re->MatchPrefix(t, e - t);
 		if ( n >= 0 )
 			{
-			a->Assign(new StringVal(n, (const char*) t), 0);
+			Val* idx = new StringVal(n, (const char*) t);
+			a->Assign(idx, 0);
+			Unref(idx);
 			t += n - 1;
 			}
 		}
diff --git a/src/threading/formatters/Ascii.cc b/src/threading/formatters/Ascii.cc
index 07ec05ca8b..f1cbac783f 100644
--- a/src/threading/formatters/Ascii.cc
+++ b/src/threading/formatters/Ascii.cc
@@ -91,7 +91,7 @@ bool Ascii::Describe(ODesc* desc, threading::Value* val, const string& name) con
 		// Rendering via Add() truncates trailing 0s after the
 		// decimal point. The difference with TIME/INTERVAL is mainly
 		// to keep the log format consistent.
-		desc->Add(val->val.double_val);
+		desc->Add(val->val.double_val, true);
 		break;
 
 	case TYPE_INTERVAL:
diff --git a/src/threading/formatters/JSON.cc b/src/threading/formatters/JSON.cc
index 3558baee5c..45c7be3e93 100644
--- a/src/threading/formatters/JSON.cc
+++ b/src/threading/formatters/JSON.cc
@@ -116,21 +116,28 @@ bool JSON::Describe(ODesc* desc, Value* val, const string& name) const
 				{
 				char buffer[40];
 				char buffer2[40];
-				time_t t = time_t(val->val.double_val);
+				time_t the_time = time_t(val->val.double_val);
+				struct tm t;
 
-				if ( strftime(buffer, sizeof(buffer), "%Y-%m-%dT%H:%M:%S", gmtime(&t)) > 0 )
+				desc->AddRaw("\"", 1);
+
+				if ( ! gmtime_r(&the_time, &t) ||
+				     ! strftime(buffer, sizeof(buffer), "%Y-%m-%dT%H:%M:%S", &t) )
+					{
+					GetThread()->Error(GetThread()->Fmt("json formatter: failure getting time: (%" PRIu64 ")", val->val.double_val));
+					// This was a failure, doesn't really matter what gets put here
+					// but it should probably stand out...
+					desc->Add("2000-01-01T00:00:00.000000");
+					}
+				else
 					{
 					double integ;
 					double frac = modf(val->val.double_val, &integ);
 					snprintf(buffer2, sizeof(buffer2), "%s.%06.0fZ", buffer, frac * 1000000);
-					desc->AddRaw("\"", 1);
 					desc->Add(buffer2);
-					desc->AddRaw("\"", 1);
 					}
 
-				else
-					GetThread()->Error(GetThread()->Fmt("strftime error for JSON: %" PRIu64));
-
+				desc->AddRaw("\"", 1);
 				}
 
 			else if ( timestamps == TS_EPOCH )
diff --git a/src/util.cc b/src/util.cc
index 6a03859a3c..e6015cc20a 100644
--- a/src/util.cc
+++ b/src/util.cc
@@ -14,6 +14,11 @@
 # endif
 #endif
 
+#ifdef HAVE_DARWIN
+#include <mach/task.h>
+#include <mach/mach_init.h>
+#endif
+
 #include <string>
 #include <vector>
 #include <algorithm>
@@ -323,24 +328,6 @@ string to_upper(const std::string& s)
 	return t;
 	}
 
-const char* strchr_n(const char* s, const char* end_of_s, char ch)
-	{
-	for ( ; s < end_of_s; ++s )
-		if ( *s == ch )
-			return s;
-
-	return 0;
-	}
-
-const char* strrchr_n(const char* s, const char* end_of_s, char ch)
-	{
-	for ( --end_of_s; end_of_s >= s; --end_of_s )
-		if ( *end_of_s == ch )
-			return end_of_s;
-
-	return 0;
-	}
-
 int decode_hex(char ch)
 	{
 	if ( ch >= '0' && ch <= '9' )
@@ -382,27 +369,6 @@ const char* strpbrk_n(size_t len, const char* s, const char* charset)
 	return 0;
 	}
 
-int strcasecmp_n(int b_len, const char* b, const char* t)
-	{
-	if ( ! b )
-		return -1;
-
-	int i;
-	for ( i = 0; i < b_len; ++i )
-		{
-		char c1 = islower(b[i]) ? toupper(b[i]) : b[i];
-		char c2 = islower(t[i]) ? toupper(t[i]) : t[i];
-
-		if ( c1 < c2 )
-			return -1;
-
-		if ( c1 > c2 )
-			return 1;
-		}
-
-	return t[i] != '\0';
-	}
-
 #ifndef HAVE_STRCASESTR
 // This code is derived from software contributed to BSD by Chris Torek.
 char* strcasestr(const char* s, const char* find)
@@ -421,7 +387,7 @@ char* strcasestr(const char* s, const char* find)
 				if ( sc == 0 )
 					return 0;
 			} while ( char(tolower((unsigned char) sc)) != c );
-		} while ( strcasecmp_n(len, s, find) != 0 );
+		} while ( strncasecmp(s, find, len) != 0 );
 
 		--s;
 		}
@@ -610,7 +576,14 @@ const char* fmt_access_time(double t)
 	{
 	static char buf[256];
 	time_t time = (time_t) t;
-	strftime(buf, sizeof(buf), "%d/%m-%H:%M", localtime(&time));
+	struct tm ts;
+
+	if ( ! localtime_r(&time, &ts) )
+		{
+		reporter->InternalError("unable to get time");
+		}
+
+	strftime(buf, sizeof(buf), "%d/%m-%H:%M", &ts);
 	return buf;
 	}
 
@@ -1650,23 +1623,35 @@ extern "C" void out_of_memory(const char* where)
 	abort();
 	}
 
-void get_memory_usage(unsigned int* total, unsigned int* malloced)
+void get_memory_usage(uint64* total, uint64* malloced)
 	{
-	unsigned int ret_total;
+	uint64 ret_total;
 
 #ifdef HAVE_MALLINFO
 	struct mallinfo mi = mallinfo();
 
 	if ( malloced )
 		*malloced = mi.uordblks;
-
 #endif
 
+#ifdef HAVE_DARWIN
+	struct mach_task_basic_info t_info;
+	mach_msg_type_number_t t_info_count = MACH_TASK_BASIC_INFO;
+
+	if ( KERN_SUCCESS != task_info(mach_task_self(),
+	                               MACH_TASK_BASIC_INFO,
+	                               (task_info_t)&t_info,
+	                               &t_info_count) )
+		ret_total = 0;
+	else
+		ret_total = t_info.resident_size;
+#else
 	struct rusage r;
 	getrusage(RUSAGE_SELF, &r);
 
 	// In KB.
 	ret_total = r.ru_maxrss * 1024;
+#endif
 
 	if ( total )
 		*total = ret_total;
diff --git a/src/util.h b/src/util.h
index 901bb44d1c..70095fba8d 100644
--- a/src/util.h
+++ b/src/util.h
@@ -143,11 +143,8 @@ extern char* get_word(char*& s);
 extern void get_word(int length, const char* s, int& pwlen, const char*& pw);
 extern void to_upper(char* s);
 extern std::string to_upper(const std::string& s);
-extern const char* strchr_n(const char* s, const char* end_of_s, char ch);
-extern const char* strrchr_n(const char* s, const char* end_of_s, char ch);
 extern int decode_hex(char ch);
 extern unsigned char encode_hex(int h);
-extern int strcasecmp_n(int s_len, const char* s, const char* t);
 #ifndef HAVE_STRCASESTR
 extern char* strcasestr(const char* s, const char* find);
 #endif
@@ -502,8 +499,7 @@ inline int safe_vsnprintf(char* str, size_t size, const char* format, va_list al
 
 // Returns total memory allocations and (if available) amount actually
 // handed out by malloc.
-extern void get_memory_usage(unsigned int* total,
-			     unsigned int* malloced);
+extern void get_memory_usage(uint64* total, uint64* malloced);
 
 // Class to be used as a third argument for STL maps to be able to use
 // char*'s as keys. Otherwise the pointer values will be compared instead of
diff --git a/testing/Makefile b/testing/Makefile
index 122262f865..e83ec09396 100644
--- a/testing/Makefile
+++ b/testing/Makefile
@@ -17,8 +17,8 @@ make-brief:
 
 coverage:
 	@for repo in $(DIRS); do (cd $$repo && echo "Coverage for '$$repo' dir:" && make -s coverage); done
-	@test -f btest/coverage.log && cp btest/coverage.log `mktemp brocov.tmp.XXX` || true
-	@for f in external/*/coverage.log; do test -f $$f && cp $$f `mktemp brocov.tmp.XXX` || true; done
+	@test -f btest/coverage.log && cp btest/coverage.log `mktemp brocov.tmp.XXXXXX` || true
+	@for f in external/*/coverage.log; do test -f $$f && cp $$f `mktemp brocov.tmp.XXXXXX` || true; done
 	@echo "Complete test suite code coverage:"
 	@./scripts/coverage-calc "brocov.tmp.*" coverage.log `pwd`/../scripts
 	@rm -f brocov.tmp.*
diff --git a/testing/btest/Baseline/bifs.check_subnet/output b/testing/btest/Baseline/bifs.check_subnet/output
new file mode 100644
index 0000000000..d2f111f555
--- /dev/null
+++ b/testing/btest/Baseline/bifs.check_subnet/output
@@ -0,0 +1,8 @@
+in says: 10.2.0.2/32 is member
+check_subnet says: 10.2.0.2/32 is no member
+in says: 10.2.0.2/31 is member
+check_subnet says: 10.2.0.2/31 is member
+in says: 10.0.0.0/9 is member
+check_subnet says: 10.0.0.0/9 is no member
+in says: 10.0.0.0/8 is member
+check_subnet says: 10.0.0.0/8 is member
diff --git a/testing/btest/Baseline/bifs.filter_subnet_table/output b/testing/btest/Baseline/bifs.filter_subnet_table/output
new file mode 100644
index 0000000000..d86ca621a5
--- /dev/null
+++ b/testing/btest/Baseline/bifs.filter_subnet_table/output
@@ -0,0 +1,20 @@
+{
+10.0.0.0/8,
+10.2.0.2/31,
+10.2.0.0/16
+}
+{
+[10.0.0.0/8] = a,
+[10.2.0.2/31] = c,
+[10.2.0.0/16] = b
+}
+{
+[10.0.0.0/8] = a,
+[10.3.0.0/16] = e
+}
+{
+
+}
+{
+
+}
diff --git a/testing/btest/Baseline/bifs.fmt/out b/testing/btest/Baseline/bifs.fmt/out
index 5f380c1b22..2572f924fb 100644
--- a/testing/btest/Baseline/bifs.fmt/out
+++ b/testing/btest/Baseline/bifs.fmt/out
@@ -45,11 +45,6 @@ test
 310
 310
 2
-1
 2
 2
-1
-2
-2
-1
 2
diff --git a/testing/btest/Baseline/bifs.get_current_packet_header/output b/testing/btest/Baseline/bifs.get_current_packet_header/output
new file mode 100644
index 0000000000..761a248077
--- /dev/null
+++ b/testing/btest/Baseline/bifs.get_current_packet_header/output
@@ -0,0 +1 @@
+[l2=[encap=LINK_ETHERNET, len=78, cap_len=78, src=00:00:00:00:00:00, dst=ff:ff:ff:ff:ff:ff, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=34525, proto=L3_IPV6], ip=<uninitialized>, ip6=[class=0, flow=0, len=24, nxt=58, hlim=255, src=fe80::dead, dst=fe80::beef, exts=[]], tcp=<uninitialized>, udp=<uninitialized>, icmp=[icmp_type=135]]
diff --git a/testing/btest/Baseline/bifs.haversine_distance/out b/testing/btest/Baseline/bifs.haversine_distance/out
new file mode 100644
index 0000000000..80707cf02e
--- /dev/null
+++ b/testing/btest/Baseline/bifs.haversine_distance/out
@@ -0,0 +1,7 @@
+5.8481e+03
+5.8481e+03
+1.9193e-02
+1.5136e-02
+9.2419e-01
+1.2437e+04
+1.2437e+04
diff --git a/testing/btest/Baseline/bifs.matching_subnets/output b/testing/btest/Baseline/bifs.matching_subnets/output
new file mode 100644
index 0000000000..e051d89b79
--- /dev/null
+++ b/testing/btest/Baseline/bifs.matching_subnets/output
@@ -0,0 +1,18 @@
+{
+10.0.0.0/8,
+10.3.0.0/16,
+10.2.0.2/31,
+2607:f8b0:4007:807::/64,
+10.2.0.0/16,
+5.2.0.0/32,
+5.5.0.0/25,
+10.1.0.0/16,
+5.0.0.0/8,
+2607:f8b0:4007:807::200e/128,
+7.2.0.0/32,
+2607:f8b0:4008:807::/64
+}
+[10.2.0.2/31, 10.2.0.0/16, 10.0.0.0/8]
+[2607:f8b0:4007:807::200e/128, 2607:f8b0:4007:807::/64]
+[]
+[10.0.0.0/8]
diff --git a/testing/btest/Baseline/bifs.subnet_to_addr/error b/testing/btest/Baseline/bifs.subnet_to_addr/error
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/testing/btest/Baseline/bifs.subnet_to_addr/output b/testing/btest/Baseline/bifs.subnet_to_addr/output
new file mode 100644
index 0000000000..8c89b3920a
--- /dev/null
+++ b/testing/btest/Baseline/bifs.subnet_to_addr/output
@@ -0,0 +1,3 @@
+subnet_to_addr(0.0.0.0/32) = 0.0.0.0 (SUCCESS)
+subnet_to_addr(1.2.0.0/16) = 1.2.0.0 (SUCCESS)
+subnet_to_addr(2607:f8b0:4005:803::200e/128) = 2607:f8b0:4005:803::200e (SUCCESS)
diff --git a/testing/btest/Baseline/bifs.subnet_version/out b/testing/btest/Baseline/bifs.subnet_version/out
new file mode 100644
index 0000000000..328bff6687
--- /dev/null
+++ b/testing/btest/Baseline/bifs.subnet_version/out
@@ -0,0 +1,4 @@
+T
+F
+F
+T
diff --git a/testing/btest/Baseline/broker.clone_store/clone.clone.out b/testing/btest/Baseline/broker.clone_store/clone.clone.out
index 570f3f25ca..3db1dd4e00 100644
--- a/testing/btest/Baseline/broker.clone_store/clone.clone.out
+++ b/testing/btest/Baseline/broker.clone_store/clone.clone.out
@@ -1,5 +1,5 @@
-clone keys, [status=BrokerStore::SUCCESS, result=[d=broker::data{[one, two, myset, myvec]}]]
-lookup, one, [status=BrokerStore::SUCCESS, result=[d=broker::data{111}]]
-lookup, myset, [status=BrokerStore::SUCCESS, result=[d=broker::data{{a, c, d}}]]
-lookup, two, [status=BrokerStore::SUCCESS, result=[d=broker::data{222}]]
-lookup, myvec, [status=BrokerStore::SUCCESS, result=[d=broker::data{[delta, alpha, beta, gamma, omega]}]]
+clone keys, [status=Broker::SUCCESS, result=[d=broker::data{[one, two, myset, myvec]}]]
+lookup, two, [status=Broker::SUCCESS, result=[d=broker::data{222}]]
+lookup, one, [status=Broker::SUCCESS, result=[d=broker::data{111}]]
+lookup, myvec, [status=Broker::SUCCESS, result=[d=broker::data{[delta, alpha, beta, gamma, omega]}]]
+lookup, myset, [status=Broker::SUCCESS, result=[d=broker::data{{a, c, d}}]]
diff --git a/testing/btest/Baseline/broker.connection_updates/recv.recv.out b/testing/btest/Baseline/broker.connection_updates/recv.recv.out
index 714cbfbac4..d246bf153f 100644
--- a/testing/btest/Baseline/broker.connection_updates/recv.recv.out
+++ b/testing/btest/Baseline/broker.connection_updates/recv.recv.out
@@ -1,2 +1,2 @@
-BrokerComm::incoming_connection_established, connector
-BrokerComm::incoming_connection_broken, connector
+Broker::incoming_connection_established, connector
+Broker::incoming_connection_broken, connector
diff --git a/testing/btest/Baseline/broker.connection_updates/send.send.out b/testing/btest/Baseline/broker.connection_updates/send.send.out
index 61c988d1c8..205782c8f0 100644
--- a/testing/btest/Baseline/broker.connection_updates/send.send.out
+++ b/testing/btest/Baseline/broker.connection_updates/send.send.out
@@ -1 +1 @@
-BrokerComm::outgoing_connection_established, 127.0.0.1, 9999/tcp, listener
+Broker::outgoing_connection_established, 127.0.0.1, 9999/tcp, listener
diff --git a/testing/btest/Baseline/broker.data/out b/testing/btest/Baseline/broker.data/out
index 628870144a..8703ca6a0c 100644
--- a/testing/btest/Baseline/broker.data/out
+++ b/testing/btest/Baseline/broker.data/out
@@ -1,18 +1,18 @@
-BrokerComm::BOOL
-BrokerComm::INT
-BrokerComm::COUNT
-BrokerComm::DOUBLE
-BrokerComm::STRING
-BrokerComm::ADDR
-BrokerComm::SUBNET
-BrokerComm::PORT
-BrokerComm::TIME
-BrokerComm::INTERVAL
-BrokerComm::ENUM
-BrokerComm::SET
-BrokerComm::TABLE
-BrokerComm::VECTOR
-BrokerComm::RECORD
+Broker::BOOL
+Broker::INT
+Broker::COUNT
+Broker::DOUBLE
+Broker::STRING
+Broker::ADDR
+Broker::SUBNET
+Broker::PORT
+Broker::TIME
+Broker::INTERVAL
+Broker::ENUM
+Broker::SET
+Broker::TABLE
+Broker::VECTOR
+Broker::RECORD
 ***************************
 T
 F
@@ -29,13 +29,22 @@ hello
 22/tcp
 42.0
 180.0
-BrokerComm::BOOL
-***************************
+Broker::BOOL
 {
 two,
 one,
 three
 }
+{
+[two] = 2,
+[one] = 1,
+[three] = 3
+}
+[zero, one, two]
+[a=<uninitialized>, b=bee, c=1]
+[a=test, b=bee, c=1]
+[a=test, b=testagain, c=1]
+***************************
 0
 T
 1
@@ -43,19 +52,20 @@ T
 F
 T
 2
+F
+2
 T
 1
 F
 {
 bye
 }
+T
 0
-***************************
 {
-[two] = 2,
-[one] = 1,
-[three] = 3
+
 }
+***************************
 0
 [d=<uninitialized>]
 1
@@ -69,8 +79,14 @@ F
 37
 [d=broker::data{42}]
 1
+[d=<uninitialized>]
+1
+T
+0
+{
+
+}
 ***************************
-[zero, one, two]
 0
 T
 T
@@ -85,10 +101,10 @@ T
 [d=broker::data{bah}]
 [hi, salutations, greetings]
 3
+T
+0
+[]
 ***************************
-[a=<uninitialized>, b=bee, c=1]
-[a=test, b=bee, c=1]
-[a=test, b=testagain, c=1]
 3
 T
 T
@@ -97,3 +113,6 @@ T
 [d=broker::data{hello}]
 [d=broker::data{37}]
 3
+T
+3
+[d=broker::data{goodbye}]
diff --git a/testing/btest/Baseline/broker.master_store/master.out b/testing/btest/Baseline/broker.master_store/master.out
index 4208503151..1983d0bccc 100644
--- a/testing/btest/Baseline/broker.master_store/master.out
+++ b/testing/btest/Baseline/broker.master_store/master.out
@@ -1,14 +1,14 @@
-lookup(two): [status=BrokerStore::SUCCESS, result=[d=broker::data{222}]]
-lookup(four): [status=BrokerStore::SUCCESS, result=[d=<uninitialized>]]
-lookup(myset): [status=BrokerStore::SUCCESS, result=[d=broker::data{{a, c, d}}]]
-lookup(one): [status=BrokerStore::SUCCESS, result=[d=broker::data{111}]]
-lookup(myvec): [status=BrokerStore::SUCCESS, result=[d=broker::data{[delta, alpha, beta, gamma, omega]}]]
-exists(one): [status=BrokerStore::SUCCESS, result=[d=broker::data{1}]]
-exists(two): [status=BrokerStore::SUCCESS, result=[d=broker::data{0}]]
-exists(myset): [status=BrokerStore::SUCCESS, result=[d=broker::data{1}]]
-exists(four): [status=BrokerStore::SUCCESS, result=[d=broker::data{0}]]
-pop_right(myvec): [status=BrokerStore::SUCCESS, result=[d=broker::data{omega}]]
-pop_left(myvec): [status=BrokerStore::SUCCESS, result=[d=broker::data{delta}]]
-keys: [status=BrokerStore::SUCCESS, result=[d=broker::data{[myvec, myset, one]}]]
-size: [status=BrokerStore::SUCCESS, result=[d=broker::data{3}]]
-size (after clear): [status=BrokerStore::SUCCESS, result=[d=broker::data{0}]]
+lookup(two): [status=Broker::SUCCESS, result=[d=broker::data{222}]]
+lookup(myset): [status=Broker::SUCCESS, result=[d=broker::data{{a, c, d}}]]
+lookup(one): [status=Broker::SUCCESS, result=[d=broker::data{111}]]
+lookup(myvec): [status=Broker::SUCCESS, result=[d=broker::data{[delta, alpha, beta, gamma, omega]}]]
+lookup(four): [status=Broker::SUCCESS, result=[d=<uninitialized>]]
+exists(two): [status=Broker::SUCCESS, result=[d=broker::data{0}]]
+exists(myset): [status=Broker::SUCCESS, result=[d=broker::data{1}]]
+exists(one): [status=Broker::SUCCESS, result=[d=broker::data{1}]]
+exists(four): [status=Broker::SUCCESS, result=[d=broker::data{0}]]
+pop_left(myvec): [status=Broker::SUCCESS, result=[d=broker::data{delta}]]
+pop_right(myvec): [status=Broker::SUCCESS, result=[d=broker::data{omega}]]
+keys: [status=Broker::SUCCESS, result=[d=broker::data{[myvec, myset, one]}]]
+size: [status=Broker::SUCCESS, result=[d=broker::data{3}]]
+size (after clear): [status=Broker::SUCCESS, result=[d=broker::data{0}]]
diff --git a/testing/btest/Baseline/broker.remote_event/send.send.out b/testing/btest/Baseline/broker.remote_event/send.send.out
index a29c1ecd1e..2d61135abe 100644
--- a/testing/btest/Baseline/broker.remote_event/send.send.out
+++ b/testing/btest/Baseline/broker.remote_event/send.send.out
@@ -1,4 +1,4 @@
-BrokerComm::outgoing_connection_established, 127.0.0.1, 9999/tcp
+Broker::outgoing_connection_established, 127.0.0.1, 9999/tcp
 got event msg, pong, 0
 got auto event msg, ping, 0
 got event msg, pong, 1
diff --git a/testing/btest/Baseline/broker.remote_log/recv.recv.out b/testing/btest/Baseline/broker.remote_log/recv.recv.out
index ef9cb8402d..2f4a31df51 100644
--- a/testing/btest/Baseline/broker.remote_log/recv.recv.out
+++ b/testing/btest/Baseline/broker.remote_log/recv.recv.out
@@ -1,6 +1,6 @@
-wrote log, [msg=ping, num=0, nolog=no]
-wrote log, [msg=ping, num=1, nolog=no]
-wrote log, [msg=ping, num=2, nolog=no]
-wrote log, [msg=ping, num=3, nolog=no]
-wrote log, [msg=ping, num=4, nolog=no]
-wrote log, [msg=ping, num=5, nolog=no]
+wrote log, [msg=ping, nolog=no, num=0]
+wrote log, [msg=ping, nolog=no, num=1]
+wrote log, [msg=ping, nolog=no, num=2]
+wrote log, [msg=ping, nolog=no, num=3]
+wrote log, [msg=ping, nolog=no, num=4]
+wrote log, [msg=ping, nolog=no, num=5]
diff --git a/testing/btest/Baseline/broker.remote_log/send.send.out b/testing/btest/Baseline/broker.remote_log/send.send.out
index d97ef33af1..632279e697 100644
--- a/testing/btest/Baseline/broker.remote_log/send.send.out
+++ b/testing/btest/Baseline/broker.remote_log/send.send.out
@@ -1 +1 @@
-BrokerComm::outgoing_connection_established, 127.0.0.1, 9999/tcp
+Broker::outgoing_connection_established, 127.0.0.1, 9999/tcp
diff --git a/testing/btest/Baseline/broker.remote_print/send.send.out b/testing/btest/Baseline/broker.remote_print/send.send.out
index 65d8ee79b7..861dd64a8a 100644
--- a/testing/btest/Baseline/broker.remote_print/send.send.out
+++ b/testing/btest/Baseline/broker.remote_print/send.send.out
@@ -1,4 +1,4 @@
-BrokerComm::outgoing_connection_established, 127.0.0.1, 9999/tcp
+Broker::outgoing_connection_established, 127.0.0.1, 9999/tcp
 got print msg, pong 0
 got print msg, pong 1
 got print msg, pong 2
diff --git a/testing/btest/Baseline/core.ether-addrs/output b/testing/btest/Baseline/core.ether-addrs/output
new file mode 100644
index 0000000000..43595f3c1e
--- /dev/null
+++ b/testing/btest/Baseline/core.ether-addrs/output
@@ -0,0 +1,36 @@
+00:30:48:bd:3e:c4, 01:00:5e:00:00:fb
+00:17:f2:d7:cf:65, 33:33:00:00:00:fb
+00:17:f2:d7:cf:65, 01:00:5e:00:00:fb
+00:24:7e:e0:1d:b5, 00:13:7f:be:8c:ff
+00:24:7e:e0:1d:b5, 00:13:7f:be:8c:ff
+00:24:7e:e0:1d:b5, 00:13:7f:be:8c:ff
+00:24:7e:e0:1d:b5, 00:13:7f:be:8c:ff
+00:24:7e:e0:1d:b5, 00:13:7f:be:8c:ff
+00:24:7e:e0:1d:b5, 00:13:7f:be:8c:ff
+00:24:7e:e0:1d:b5, 00:13:7f:be:8c:ff
+00:24:7e:e0:1d:b5, 00:13:7f:be:8c:ff
+00:24:7e:e0:1d:b5, 00:13:7f:be:8c:ff
+00:24:7e:e0:1d:b5, 00:13:7f:be:8c:ff
+00:24:7e:e0:1d:b5, 00:13:7f:be:8c:ff
+00:24:7e:e0:1d:b5, 00:13:7f:be:8c:ff
+00:24:7e:e0:1d:b5, 00:13:7f:be:8c:ff
+00:24:7e:e0:1d:b5, 00:13:7f:be:8c:ff
+00:24:7e:e0:1d:b5, 00:13:7f:be:8c:ff
+00:24:7e:e0:1d:b5, 00:13:7f:be:8c:ff
+00:24:7e:e0:1d:b5, 00:13:7f:be:8c:ff
+00:24:7e:e0:1d:b5, 00:13:7f:be:8c:ff
+00:24:7e:e0:1d:b5, 00:13:7f:be:8c:ff
+00:24:7e:e0:1d:b5, 00:13:7f:be:8c:ff
+00:24:7e:e0:1d:b5, 00:13:7f:be:8c:ff
+00:24:7e:e0:1d:b5, 00:13:7f:be:8c:ff
+00:24:7e:e0:1d:b5, 00:13:7f:be:8c:ff
+00:13:7f:be:8c:ff, 00:e0:db:01:cf:4b
+00:16:76:23:d9:e3, 01:00:5e:00:00:fb
+f0:4d:a2:47:ba:25, ff:ff:ff:ff:ff:ff
+f0:4d:a2:47:ba:25, 33:33:00:01:00:03
+f0:4d:a2:47:ba:25, 01:00:5e:00:00:fc
+f0:4d:a2:47:ba:25, 33:33:00:01:00:03
+f0:4d:a2:47:ba:25, 01:00:5e:00:00:fc
+00:23:32:b6:0c:46, ff:ff:ff:ff:ff:ff
+90:72:40:97:b6:f5, 44:2b:03:aa:ab:8d
+a4:67:06:f7:ec:54, 33:33:00:00:00:fb
diff --git a/testing/btest/Baseline/core.ipv6-frag/dns.log b/testing/btest/Baseline/core.ipv6-frag/dns.log
index 5eede0a0e4..06d9cb3024 100644
--- a/testing/btest/Baseline/core.ipv6-frag/dns.log
+++ b/testing/btest/Baseline/core.ipv6-frag/dns.log
@@ -3,10 +3,10 @@
 #empty_field	(empty)
 #unset_field	-
 #path	dns
-#open	2014-04-24-20-25-19
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	trans_id	query	qclass	qclass_name	qtype	qtype_name	rcode	rcode_name	AA	TC	RD	RA	Z	answers	TTLs	rejected
-#types	time	string	addr	port	addr	port	enum	count	string	count	string	count	string	count	string	bool	bool	bool	bool	count	vector[string]	vector[interval]	bool
-1331084278.438444	CXWv6p3arKYeMETxOg	2001:470:1f11:81f:d138:5f55:6d4:1fe2	51850	2607:f740:b::f93	53	udp	3903	txtpadding_323.n1.netalyzr.icsi.berkeley.edu	1	C_INTERNET	16	TXT	0	NOERROR	T	F	T	F	0	TXT 33 This TXT record should be ignored TXT 21 As it is just padding TXT 136 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX	1.000000	F
-1331084293.592245	CjhGID4nQcgTWjvg4c	2001:470:1f11:81f:d138:5f55:6d4:1fe2	51851	2607:f740:b::f93	53	udp	40849	txtpadding_3230.n1.netalyzr.icsi.berkeley.edu	1	C_INTERNET	16	TXT	0	NOERROR	T	F	T	F	0	TXT 33 This TXT record should be ignored TXT 21 As it is just padding TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 192 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX	1.000000	F
-1331084298.593081	CjhGID4nQcgTWjvg4c	2001:470:1f11:81f:d138:5f55:6d4:1fe2	51851	2607:f740:b::f93	53	udp	40849	txtpadding_3230.n1.netalyzr.icsi.berkeley.edu	1	C_INTERNET	16	TXT	-	-	F	F	T	F	0	-	-	F
-#close	2014-04-24-20-25-20
+#open	2016-06-15-03-33-34
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	trans_id	rtt	query	qclass	qclass_name	qtype	qtype_name	rcode	rcode_name	AA	TC	RD	RA	Z	answers	TTLs	rejected
+#types	time	string	addr	port	addr	port	enum	count	interval	string	count	string	count	string	count	string	bool	bool	bool	bool	count	vector[string]	vector[interval]	bool
+1331084278.438444	CXWv6p3arKYeMETxOg	2001:470:1f11:81f:d138:5f55:6d4:1fe2	51850	2607:f740:b::f93	53	udp	3903	0.079300	txtpadding_323.n1.netalyzr.icsi.berkeley.edu	1	C_INTERNET	16	TXT	0	NOERROR	T	F	T	F	0	TXT 33 This TXT record should be ignored TXT 21 As it is just padding TXT 136 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX	1.000000	F
+1331084293.592245	CjhGID4nQcgTWjvg4c	2001:470:1f11:81f:d138:5f55:6d4:1fe2	51851	2607:f740:b::f93	53	udp	40849	5.084025	txtpadding_3230.n1.netalyzr.icsi.berkeley.edu	1	C_INTERNET	16	TXT	0	NOERROR	T	F	T	F	0	TXT 33 This TXT record should be ignored TXT 21 As it is just padding TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 192 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX	1.000000	F
+1331084298.593081	CjhGID4nQcgTWjvg4c	2001:470:1f11:81f:d138:5f55:6d4:1fe2	51851	2607:f740:b::f93	53	udp	40849	-	txtpadding_3230.n1.netalyzr.icsi.berkeley.edu	1	C_INTERNET	16	TXT	-	-	F	F	T	F	0	-	-	F
+#close	2016-06-15-03-33-34
diff --git a/testing/btest/Baseline/core.ipv6_zero_len_ah/output b/testing/btest/Baseline/core.ipv6_zero_len_ah/output
index d8db6a4c48..585011acbe 100644
--- a/testing/btest/Baseline/core.ipv6_zero_len_ah/output
+++ b/testing/btest/Baseline/core.ipv6_zero_len_ah/output
@@ -1,2 +1,2 @@
 [orig_h=2000:1300::1, orig_p=128/icmp, resp_h=2000:1300::2, resp_p=129/icmp]
-[ip=<uninitialized>, ip6=[class=0, flow=0, len=166, nxt=51, hlim=255, src=2000:1300::1, dst=2000:1300::2, exts=[[id=51, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=[nxt=58, len=0, rsv=0, spi=0, seq=<uninitialized>, data=<uninitialized>], esp=<uninitialized>, mobility=<uninitialized>]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
+[ip=<uninitialized>, ip6=[class=0, flow=0, len=166, nxt=51, hlim=255, src=2000:1300::1, dst=2000:1300::2, exts=[[id=51, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=[nxt=58, len=0, rsv=0, spi=0, seq=<uninitialized>, data=<uninitialized>], esp=<uninitialized>, mobility=<uninitialized>]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=[icmp_type=128]]
diff --git a/testing/btest/Baseline/core.leaks.broker.clone_store/clone.clone.out b/testing/btest/Baseline/core.leaks.broker.clone_store/clone.clone.out
index 017537fea9..ef997abeb8 100644
--- a/testing/btest/Baseline/core.leaks.broker.clone_store/clone.clone.out
+++ b/testing/btest/Baseline/core.leaks.broker.clone_store/clone.clone.out
@@ -1,5 +1,5 @@
-clone keys, [status=BrokerStore::SUCCESS, result=[d=broker::data{[one, two, myset, myvec]}]]
-lookup, one, [status=BrokerStore::SUCCESS, result=[d=broker::data{111}]]
-lookup, two, [status=BrokerStore::SUCCESS, result=[d=broker::data{222}]]
-lookup, myset, [status=BrokerStore::SUCCESS, result=[d=broker::data{{a, c, d}}]]
-lookup, myvec, [status=BrokerStore::SUCCESS, result=[d=broker::data{[delta, alpha, beta, gamma, omega]}]]
+clone keys, [status=Broker::SUCCESS, result=[d=broker::data{[one, two, myset, myvec]}]]
+lookup, one, [status=Broker::SUCCESS, result=[d=broker::data{111}]]
+lookup, two, [status=Broker::SUCCESS, result=[d=broker::data{222}]]
+lookup, myset, [status=Broker::SUCCESS, result=[d=broker::data{{a, c, d}}]]
+lookup, myvec, [status=Broker::SUCCESS, result=[d=broker::data{[delta, alpha, beta, gamma, omega]}]]
diff --git a/testing/btest/Baseline/core.leaks.broker.data/bro..stdout b/testing/btest/Baseline/core.leaks.broker.data/bro..stdout
index 628870144a..8703ca6a0c 100644
--- a/testing/btest/Baseline/core.leaks.broker.data/bro..stdout
+++ b/testing/btest/Baseline/core.leaks.broker.data/bro..stdout
@@ -1,18 +1,18 @@
-BrokerComm::BOOL
-BrokerComm::INT
-BrokerComm::COUNT
-BrokerComm::DOUBLE
-BrokerComm::STRING
-BrokerComm::ADDR
-BrokerComm::SUBNET
-BrokerComm::PORT
-BrokerComm::TIME
-BrokerComm::INTERVAL
-BrokerComm::ENUM
-BrokerComm::SET
-BrokerComm::TABLE
-BrokerComm::VECTOR
-BrokerComm::RECORD
+Broker::BOOL
+Broker::INT
+Broker::COUNT
+Broker::DOUBLE
+Broker::STRING
+Broker::ADDR
+Broker::SUBNET
+Broker::PORT
+Broker::TIME
+Broker::INTERVAL
+Broker::ENUM
+Broker::SET
+Broker::TABLE
+Broker::VECTOR
+Broker::RECORD
 ***************************
 T
 F
@@ -29,13 +29,22 @@ hello
 22/tcp
 42.0
 180.0
-BrokerComm::BOOL
-***************************
+Broker::BOOL
 {
 two,
 one,
 three
 }
+{
+[two] = 2,
+[one] = 1,
+[three] = 3
+}
+[zero, one, two]
+[a=<uninitialized>, b=bee, c=1]
+[a=test, b=bee, c=1]
+[a=test, b=testagain, c=1]
+***************************
 0
 T
 1
@@ -43,19 +52,20 @@ T
 F
 T
 2
+F
+2
 T
 1
 F
 {
 bye
 }
+T
 0
-***************************
 {
-[two] = 2,
-[one] = 1,
-[three] = 3
+
 }
+***************************
 0
 [d=<uninitialized>]
 1
@@ -69,8 +79,14 @@ F
 37
 [d=broker::data{42}]
 1
+[d=<uninitialized>]
+1
+T
+0
+{
+
+}
 ***************************
-[zero, one, two]
 0
 T
 T
@@ -85,10 +101,10 @@ T
 [d=broker::data{bah}]
 [hi, salutations, greetings]
 3
+T
+0
+[]
 ***************************
-[a=<uninitialized>, b=bee, c=1]
-[a=test, b=bee, c=1]
-[a=test, b=testagain, c=1]
 3
 T
 T
@@ -97,3 +113,6 @@ T
 [d=broker::data{hello}]
 [d=broker::data{37}]
 3
+T
+3
+[d=broker::data{goodbye}]
diff --git a/testing/btest/Baseline/core.leaks.broker.master_store/bro..stdout b/testing/btest/Baseline/core.leaks.broker.master_store/bro..stdout
index 4208503151..9eebc797e5 100644
--- a/testing/btest/Baseline/core.leaks.broker.master_store/bro..stdout
+++ b/testing/btest/Baseline/core.leaks.broker.master_store/bro..stdout
@@ -1,14 +1,14 @@
-lookup(two): [status=BrokerStore::SUCCESS, result=[d=broker::data{222}]]
-lookup(four): [status=BrokerStore::SUCCESS, result=[d=<uninitialized>]]
-lookup(myset): [status=BrokerStore::SUCCESS, result=[d=broker::data{{a, c, d}}]]
-lookup(one): [status=BrokerStore::SUCCESS, result=[d=broker::data{111}]]
-lookup(myvec): [status=BrokerStore::SUCCESS, result=[d=broker::data{[delta, alpha, beta, gamma, omega]}]]
-exists(one): [status=BrokerStore::SUCCESS, result=[d=broker::data{1}]]
-exists(two): [status=BrokerStore::SUCCESS, result=[d=broker::data{0}]]
-exists(myset): [status=BrokerStore::SUCCESS, result=[d=broker::data{1}]]
-exists(four): [status=BrokerStore::SUCCESS, result=[d=broker::data{0}]]
-pop_right(myvec): [status=BrokerStore::SUCCESS, result=[d=broker::data{omega}]]
-pop_left(myvec): [status=BrokerStore::SUCCESS, result=[d=broker::data{delta}]]
-keys: [status=BrokerStore::SUCCESS, result=[d=broker::data{[myvec, myset, one]}]]
-size: [status=BrokerStore::SUCCESS, result=[d=broker::data{3}]]
-size (after clear): [status=BrokerStore::SUCCESS, result=[d=broker::data{0}]]
+lookup(two): [status=Broker::SUCCESS, result=[d=broker::data{222}]]
+lookup(four): [status=Broker::SUCCESS, result=[d=<uninitialized>]]
+lookup(myset): [status=Broker::SUCCESS, result=[d=broker::data{{a, c, d}}]]
+lookup(one): [status=Broker::SUCCESS, result=[d=broker::data{111}]]
+lookup(myvec): [status=Broker::SUCCESS, result=[d=broker::data{[delta, alpha, beta, gamma, omega]}]]
+exists(one): [status=Broker::SUCCESS, result=[d=broker::data{1}]]
+exists(two): [status=Broker::SUCCESS, result=[d=broker::data{0}]]
+exists(myset): [status=Broker::SUCCESS, result=[d=broker::data{1}]]
+exists(four): [status=Broker::SUCCESS, result=[d=broker::data{0}]]
+pop_right(myvec): [status=Broker::SUCCESS, result=[d=broker::data{omega}]]
+pop_left(myvec): [status=Broker::SUCCESS, result=[d=broker::data{delta}]]
+keys: [status=Broker::SUCCESS, result=[d=broker::data{[myvec, myset, one]}]]
+size: [status=Broker::SUCCESS, result=[d=broker::data{3}]]
+size (after clear): [status=Broker::SUCCESS, result=[d=broker::data{0}]]
diff --git a/testing/btest/Baseline/core.leaks.broker.remote_event/send.send.out b/testing/btest/Baseline/core.leaks.broker.remote_event/send.send.out
index a29c1ecd1e..2d61135abe 100644
--- a/testing/btest/Baseline/core.leaks.broker.remote_event/send.send.out
+++ b/testing/btest/Baseline/core.leaks.broker.remote_event/send.send.out
@@ -1,4 +1,4 @@
-BrokerComm::outgoing_connection_established, 127.0.0.1, 9999/tcp
+Broker::outgoing_connection_established, 127.0.0.1, 9999/tcp
 got event msg, pong, 0
 got auto event msg, ping, 0
 got event msg, pong, 1
diff --git a/testing/btest/Baseline/core.leaks.broker.remote_log/send.send.out b/testing/btest/Baseline/core.leaks.broker.remote_log/send.send.out
index d97ef33af1..632279e697 100644
--- a/testing/btest/Baseline/core.leaks.broker.remote_log/send.send.out
+++ b/testing/btest/Baseline/core.leaks.broker.remote_log/send.send.out
@@ -1 +1 @@
-BrokerComm::outgoing_connection_established, 127.0.0.1, 9999/tcp
+Broker::outgoing_connection_established, 127.0.0.1, 9999/tcp
diff --git a/testing/btest/Baseline/core.leaks.broker.remote_print/send.send.out b/testing/btest/Baseline/core.leaks.broker.remote_print/send.send.out
index 65d8ee79b7..861dd64a8a 100644
--- a/testing/btest/Baseline/core.leaks.broker.remote_print/send.send.out
+++ b/testing/btest/Baseline/core.leaks.broker.remote_print/send.send.out
@@ -1,4 +1,4 @@
-BrokerComm::outgoing_connection_established, 127.0.0.1, 9999/tcp
+Broker::outgoing_connection_established, 127.0.0.1, 9999/tcp
 got print msg, pong 0
 got print msg, pong 1
 got print msg, pong 2
diff --git a/testing/btest/Baseline/core.negative-time/weird.log b/testing/btest/Baseline/core.negative-time/weird.log
new file mode 100644
index 0000000000..6c88ea26ef
--- /dev/null
+++ b/testing/btest/Baseline/core.negative-time/weird.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	weird
+#open	2016-05-23-20-20-21
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
+#types	time	string	addr	port	addr	port	string	string	bool	string
+1425182592.408334	-	-	-	-	-	negative_packet_timestamp	-	F	bro
+#close	2016-05-23-20-20-21
diff --git a/testing/btest/Baseline/core.print-bpf-filters/output2 b/testing/btest/Baseline/core.print-bpf-filters/output2
index ac140925fc..3321684b43 100644
--- a/testing/btest/Baseline/core.print-bpf-filters/output2
+++ b/testing/btest/Baseline/core.print-bpf-filters/output2
@@ -1,5 +1,6 @@
 2 1080
 1 137
+1 143
 1 1434
 1 161
 1 162
@@ -20,7 +21,9 @@
 1 5060
 1 5072
 1 514
+1 5222
 1 5223
+1 5269
 2 53
 1 5353
 1 5355
@@ -47,8 +50,8 @@
 1 992
 1 993
 1 995
-54 and
-53 or
-54 port
-36 tcp
+57 and
+56 or
+57 port
+39 tcp
 18 udp
diff --git a/testing/btest/Baseline/core.recursive-event/output b/testing/btest/Baseline/core.recursive-event/output
new file mode 100644
index 0000000000..f599e28b8a
--- /dev/null
+++ b/testing/btest/Baseline/core.recursive-event/output
@@ -0,0 +1 @@
+10
diff --git a/testing/btest/Baseline/core.tcp.fin-retransmit/out b/testing/btest/Baseline/core.tcp.fin-retransmit/out
index 8afb8222c9..70b6740bb8 100644
--- a/testing/btest/Baseline/core.tcp.fin-retransmit/out
+++ b/testing/btest/Baseline/core.tcp.fin-retransmit/out
@@ -1,2 +1,2 @@
-[size=0, state=5, num_pkts=3, num_bytes_ip=156, flow_label=0]
-[size=0, state=6, num_pkts=2, num_bytes_ip=92, flow_label=0]
+[size=0, state=5, num_pkts=3, num_bytes_ip=156, flow_label=0, l2_addr=58:1f:aa:34:18:bc]
+[size=0, state=6, num_pkts=2, num_bytes_ip=92, flow_label=0, l2_addr=c4:71:fe:3a:5d:c2]
diff --git a/testing/btest/Baseline/core.tcp.rst-after-syn/.stdout b/testing/btest/Baseline/core.tcp.rst-after-syn/.stdout
index 25ed566cd0..dbc1512f2b 100644
--- a/testing/btest/Baseline/core.tcp.rst-after-syn/.stdout
+++ b/testing/btest/Baseline/core.tcp.rst-after-syn/.stdout
@@ -1,3 +1,3 @@
 [orig_h=1.2.0.2, orig_p=2527/tcp, resp_h=1.2.0.3, resp_p=6649/tcp]
-orig:, [size=175, state=1, num_pkts=4, num_bytes_ip=395, flow_label=0]
-resp:, [size=0, state=6, num_pkts=5, num_bytes_ip=236, flow_label=0]
+orig:, [size=175, state=1, num_pkts=4, num_bytes_ip=395, flow_label=0, l2_addr=00:15:17:0b:7c:61]
+resp:, [size=0, state=6, num_pkts=5, num_bytes_ip=236, flow_label=0, l2_addr=00:00:00:00:00:04]
diff --git a/testing/btest/Baseline/core.tunnels.ayiya/http.log b/testing/btest/Baseline/core.tunnels.ayiya/http.log
index 4a61a29109..c14a9ace75 100644
--- a/testing/btest/Baseline/core.tunnels.ayiya/http.log
+++ b/testing/btest/Baseline/core.tunnels.ayiya/http.log
@@ -3,10 +3,10 @@
 #empty_field	(empty)
 #unset_field	-
 #path	http
-#open	2016-01-15-18-40-13
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	version	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	filename	tags	username	password	proxied	orig_fuids	orig_mime_types	resp_fuids	resp_mime_types
-#types	time	string	addr	port	addr	port	count	string	string	string	string	string	string	count	count	count	string	count	string	string	set[enum]	string	string	set[string]	vector[string]	vector[string]	vector[string]	vector[string]
-1257655301.652206	CIPOse170MGiRM1Qf4	2001:4978:f:4c::2	53382	2001:4860:b002::68	80	1	GET	ipv6.google.com	/	-	1.1	Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en; rv:1.9.0.15pre) Gecko/2009091516 Camino/2.0b4 (like Firefox/3.0.15pre)	0	10102	200	OK	-	-	-	(empty)	-	-	-	-	-	FYAtjT24MvCBUs5K5f	text/html
-1257655302.514424	CIPOse170MGiRM1Qf4	2001:4978:f:4c::2	53382	2001:4860:b002::68	80	2	GET	ipv6.google.com	/csi?v=3&s=webhp&action=&tran=undefined&e=17259,19771,21517,21766,21887,22212&ei=BUz2Su7PMJTglQfz3NzCAw&rt=prt.77,xjs.565,ol.645	http://ipv6.google.com/	1.1	Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en; rv:1.9.0.15pre) Gecko/2009091516 Camino/2.0b4 (like Firefox/3.0.15pre)	0	0	204	No Content	-	-	-	(empty)	-	-	-	-	-	-	-
-1257655303.603569	CIPOse170MGiRM1Qf4	2001:4978:f:4c::2	53382	2001:4860:b002::68	80	3	GET	ipv6.google.com	/gen_204?atyp=i&ct=fade&cad=1254&ei=BUz2Su7PMJTglQfz3NzCAw&zx=1257655303600	http://ipv6.google.com/	1.1	Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en; rv:1.9.0.15pre) Gecko/2009091516 Camino/2.0b4 (like Firefox/3.0.15pre)	0	0	204	No Content	-	-	-	(empty)	-	-	-	-	-	-	-
-#close	2016-01-15-18-40-13
+#open	2016-06-15-05-35-59
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	version	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	tags	username	password	proxied	orig_fuids	orig_filenames	orig_mime_types	resp_fuids	resp_filenames	resp_mime_types
+#types	time	string	addr	port	addr	port	count	string	string	string	string	string	string	count	count	count	string	count	string	set[enum]	string	string	set[string]	vector[string]	vector[string]	vector[string]	vector[string]	vector[string]	vector[string]
+1257655301.652206	CIPOse170MGiRM1Qf4	2001:4978:f:4c::2	53382	2001:4860:b002::68	80	1	GET	ipv6.google.com	/	-	1.1	Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en; rv:1.9.0.15pre) Gecko/2009091516 Camino/2.0b4 (like Firefox/3.0.15pre)	0	10102	200	OK	-	-	(empty)	-	-	-	-	-	-	FYAtjT24MvCBUs5K5f	-	text/html
+1257655302.514424	CIPOse170MGiRM1Qf4	2001:4978:f:4c::2	53382	2001:4860:b002::68	80	2	GET	ipv6.google.com	/csi?v=3&s=webhp&action=&tran=undefined&e=17259,19771,21517,21766,21887,22212&ei=BUz2Su7PMJTglQfz3NzCAw&rt=prt.77,xjs.565,ol.645	http://ipv6.google.com/	1.1	Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en; rv:1.9.0.15pre) Gecko/2009091516 Camino/2.0b4 (like Firefox/3.0.15pre)	0	0	204	No Content	-	-	(empty)	-	-	-	-	-	-	-	-	-
+1257655303.603569	CIPOse170MGiRM1Qf4	2001:4978:f:4c::2	53382	2001:4860:b002::68	80	3	GET	ipv6.google.com	/gen_204?atyp=i&ct=fade&cad=1254&ei=BUz2Su7PMJTglQfz3NzCAw&zx=1257655303600	http://ipv6.google.com/	1.1	Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en; rv:1.9.0.15pre) Gecko/2009091516 Camino/2.0b4 (like Firefox/3.0.15pre)	0	0	204	No Content	-	-	(empty)	-	-	-	-	-	-	-	-	-
+#close	2016-06-15-05-35-59
diff --git a/testing/btest/Baseline/core.tunnels.gre/dns.log b/testing/btest/Baseline/core.tunnels.gre/dns.log
index 2b8b9fc6ab..d87c7498f3 100644
--- a/testing/btest/Baseline/core.tunnels.gre/dns.log
+++ b/testing/btest/Baseline/core.tunnels.gre/dns.log
@@ -3,9 +3,9 @@
 #empty_field	(empty)
 #unset_field	-
 #path	dns
-#open	2014-01-16-21-51-12
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	trans_id	query	qclass	qclass_name	qtype	qtype_name	rcode	rcode_name	AA	TC	RD	RA	Z	answers	TTLs	rejected
-#types	time	string	addr	port	addr	port	enum	count	string	count	string	count	string	count	string	bool	bool	bool	bool	count	vector[string]	vector[interval]	bool
-1055289987.055189	CRJuHdVW0XPVINV8a	66.59.111.190	37675	172.28.2.3	53	udp	48554	www.gleeble.org	1	C_INTERNET	255	*	-	-	F	F	T	F	0	-	-	F
-1055289992.056330	CRJuHdVW0XPVINV8a	66.59.111.190	37675	172.28.2.3	53	udp	48554	www.gleeble.org	1	C_INTERNET	255	*	-	-	F	F	T	F	0	-	-	F
-#close	2014-01-16-21-51-12
+#open	2016-06-15-03-34-43
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	trans_id	rtt	query	qclass	qclass_name	qtype	qtype_name	rcode	rcode_name	AA	TC	RD	RA	Z	answers	TTLs	rejected
+#types	time	string	addr	port	addr	port	enum	count	interval	string	count	string	count	string	count	string	bool	bool	bool	bool	count	vector[string]	vector[interval]	bool
+1055289987.055189	CRJuHdVW0XPVINV8a	66.59.111.190	37675	172.28.2.3	53	udp	48554	-	www.gleeble.org	1	C_INTERNET	255	*	-	-	F	F	T	F	0	-	-	F
+1055289992.056330	CRJuHdVW0XPVINV8a	66.59.111.190	37675	172.28.2.3	53	udp	48554	-	www.gleeble.org	1	C_INTERNET	255	*	-	-	F	F	T	F	0	-	-	F
+#close	2016-06-15-03-34-43
diff --git a/testing/btest/Baseline/core.tunnels.gtp.different_dl_and_ul/http.log b/testing/btest/Baseline/core.tunnels.gtp.different_dl_and_ul/http.log
index 9abfc1cf1f..a6013a15ae 100644
--- a/testing/btest/Baseline/core.tunnels.gtp.different_dl_and_ul/http.log
+++ b/testing/btest/Baseline/core.tunnels.gtp.different_dl_and_ul/http.log
@@ -3,9 +3,9 @@
 #empty_field	(empty)
 #unset_field	-
 #path	http
-#open	2016-01-15-18-40-14
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	version	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	filename	tags	username	password	proxied	orig_fuids	orig_mime_types	resp_fuids	resp_mime_types
-#types	time	string	addr	port	addr	port	count	string	string	string	string	string	string	count	count	count	string	count	string	string	set[enum]	string	string	set[string]	vector[string]	vector[string]	vector[string]	vector[string]
-1333458850.340368	CjhGID4nQcgTWjvg4c	10.131.17.170	51803	173.199.115.168	80	1	GET	cdn.epicgameads.com	/ads/flash/728x90_nx8com.swf?clickTAG=http://www.epicgameads.com/ads/bannerclickPage.php?id=e3ubwU6IF&pd=1&adid=0&icpc=1&axid=0&uctt=1&channel=4&cac=1&t=728x90&cb=1333458879	http://www.epicgameads.com/ads/banneriframe.php?id=e3ubwU6IF&t=728x90&channel=4&cb=1333458905296	1.1	Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)	0	31461	200	OK	-	-	-	(empty)	-	-	-	-	-	FHKKd91EMHBEK0hbdg	application/x-shockwave-flash
-1333458850.399501	CjhGID4nQcgTWjvg4c	10.131.17.170	51803	173.199.115.168	80	2	GET	cdn.epicgameads.com	/ads/flash/728x90_nx8com.swf?clickTAG=http://www.epicgameads.com/ads/bannerclickPage.php?id=e3ubwU6IF&pd=1&adid=0&icpc=1&axid=0&uctt=1&channel=0&cac=1&t=728x90&cb=1333458881	http://www.epicgameads.com/ads/banneriframe.php?id=e3ubwU6IF&t=728x90&cb=1333458920207	1.1	Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)	0	31461	200	OK	-	-	-	(empty)	-	-	-	-	-	Fu64Vqjy6nBop9nRd	application/x-shockwave-flash
-#close	2016-01-15-18-40-14
+#open	2016-06-15-05-35-27
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	version	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	tags	username	password	proxied	orig_fuids	orig_filenames	orig_mime_types	resp_fuids	resp_filenames	resp_mime_types
+#types	time	string	addr	port	addr	port	count	string	string	string	string	string	string	count	count	count	string	count	string	set[enum]	string	string	set[string]	vector[string]	vector[string]	vector[string]	vector[string]	vector[string]	vector[string]
+1333458850.340368	CjhGID4nQcgTWjvg4c	10.131.17.170	51803	173.199.115.168	80	1	GET	cdn.epicgameads.com	/ads/flash/728x90_nx8com.swf?clickTAG=http://www.epicgameads.com/ads/bannerclickPage.php?id=e3ubwU6IF&pd=1&adid=0&icpc=1&axid=0&uctt=1&channel=4&cac=1&t=728x90&cb=1333458879	http://www.epicgameads.com/ads/banneriframe.php?id=e3ubwU6IF&t=728x90&channel=4&cb=1333458905296	1.1	Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)	0	31461	200	OK	-	-	(empty)	-	-	-	-	-	-	FHKKd91EMHBEK0hbdg	-	application/x-shockwave-flash
+1333458850.399501	CjhGID4nQcgTWjvg4c	10.131.17.170	51803	173.199.115.168	80	2	GET	cdn.epicgameads.com	/ads/flash/728x90_nx8com.swf?clickTAG=http://www.epicgameads.com/ads/bannerclickPage.php?id=e3ubwU6IF&pd=1&adid=0&icpc=1&axid=0&uctt=1&channel=0&cac=1&t=728x90&cb=1333458881	http://www.epicgameads.com/ads/banneriframe.php?id=e3ubwU6IF&t=728x90&cb=1333458920207	1.1	Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)	0	31461	200	OK	-	-	(empty)	-	-	-	-	-	-	Fu64Vqjy6nBop9nRd	-	application/x-shockwave-flash
+#close	2016-06-15-05-35-27
diff --git a/testing/btest/Baseline/core.tunnels.gtp.false_gtp/dns.log b/testing/btest/Baseline/core.tunnels.gtp.false_gtp/dns.log
index d1b3b53389..1ab324bf0a 100644
--- a/testing/btest/Baseline/core.tunnels.gtp.false_gtp/dns.log
+++ b/testing/btest/Baseline/core.tunnels.gtp.false_gtp/dns.log
@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	dns
-#open	2013-08-26-19-35-00
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	trans_id	query	qclass	qclass_name	qtype	qtype_name	rcode	rcode_name	AA	TC	RD	RA	Z	answers	TTLs	rejected
-#types	time	string	addr	port	addr	port	enum	count	string	count	string	count	string	count	string	bool	bool	bool	bool	count	vector[string]	vector[interval]	bool
-1333458871.219794	CXWv6p3arKYeMETxOg	10.131.24.6	2152	195.178.38.3	53	udp	27595	abcd.efg.hijklm.nm	1	C_INTERNET	1	A	-	-	F	F	T	F	0	-	-	F
-#close	2013-08-26-19-35-00
+#open	2016-06-15-04-11-36
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	trans_id	rtt	query	qclass	qclass_name	qtype	qtype_name	rcode	rcode_name	AA	TC	RD	RA	Z	answers	TTLs	rejected
+#types	time	string	addr	port	addr	port	enum	count	interval	string	count	string	count	string	count	string	bool	bool	bool	bool	count	vector[string]	vector[interval]	bool
+1333458871.219794	CXWv6p3arKYeMETxOg	10.131.24.6	2152	195.178.38.3	53	udp	27595	-	abcd.efg.hijklm.nm	1	C_INTERNET	1	A	-	-	F	F	T	F	0	-	-	F
+#close	2016-06-15-04-11-36
diff --git a/testing/btest/Baseline/core.tunnels.gtp.outer_ip_frag/http.log b/testing/btest/Baseline/core.tunnels.gtp.outer_ip_frag/http.log
index b10f29db63..542ee9e515 100644
--- a/testing/btest/Baseline/core.tunnels.gtp.outer_ip_frag/http.log
+++ b/testing/btest/Baseline/core.tunnels.gtp.outer_ip_frag/http.log
@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	http
-#open	2016-01-15-18-40-15
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	version	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	filename	tags	username	password	proxied	orig_fuids	orig_mime_types	resp_fuids	resp_mime_types
-#types	time	string	addr	port	addr	port	count	string	string	string	string	string	string	count	count	count	string	count	string	string	set[enum]	string	string	set[string]	vector[string]	vector[string]	vector[string]	vector[string]
-1333458850.375568	CjhGID4nQcgTWjvg4c	10.131.47.185	1923	79.101.110.141	80	1	GET	o-o.preferred.telekomrs-beg1.v2.lscache8.c.youtube.com	/videoplayback?upn=MTU2MDY5NzQ5OTM0NTI3NDY4NDc&sparams=algorithm,burst,cp,factor,id,ip,ipbits,itag,source,upn,expire&fexp=912300,907210&algorithm=throttle-factor&itag=34&ip=212.0.0.0&burst=40&sver=3&signature=832FB1042E20780CFCA77A4DB5EA64AC593E8627.D1166C7E8365732E52DAFD68076DAE0146E0AE01&source=youtube&expire=1333484980&key=yt1&ipbits=8&factor=1.25&cp=U0hSSFRTUl9NSkNOMl9MTVZKOjh5eEN2SG8tZF84&id=ebf1e932d4bd1286&cm2=1	http://s.ytimg.com/yt/swfbin/watch_as3-vflqrJwOA.swf	1.1	Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.11 (KHTML, like Gecko; X-SBLSP) Chrome/17.0.963.83 Safari/535.11	0	56320	206	Partial Content	-	-	-	(empty)	-	-	-	-	-	FNJkBA1b8FSHt5N8jl	-
-#close	2016-01-15-18-40-15
+#open	2016-06-15-05-36-15
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	version	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	tags	username	password	proxied	orig_fuids	orig_filenames	orig_mime_types	resp_fuids	resp_filenames	resp_mime_types
+#types	time	string	addr	port	addr	port	count	string	string	string	string	string	string	count	count	count	string	count	string	set[enum]	string	string	set[string]	vector[string]	vector[string]	vector[string]	vector[string]	vector[string]	vector[string]
+1333458850.375568	CjhGID4nQcgTWjvg4c	10.131.47.185	1923	79.101.110.141	80	1	GET	o-o.preferred.telekomrs-beg1.v2.lscache8.c.youtube.com	/videoplayback?upn=MTU2MDY5NzQ5OTM0NTI3NDY4NDc&sparams=algorithm,burst,cp,factor,id,ip,ipbits,itag,source,upn,expire&fexp=912300,907210&algorithm=throttle-factor&itag=34&ip=212.0.0.0&burst=40&sver=3&signature=832FB1042E20780CFCA77A4DB5EA64AC593E8627.D1166C7E8365732E52DAFD68076DAE0146E0AE01&source=youtube&expire=1333484980&key=yt1&ipbits=8&factor=1.25&cp=U0hSSFRTUl9NSkNOMl9MTVZKOjh5eEN2SG8tZF84&id=ebf1e932d4bd1286&cm2=1	http://s.ytimg.com/yt/swfbin/watch_as3-vflqrJwOA.swf	1.1	Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.11 (KHTML, like Gecko; X-SBLSP) Chrome/17.0.963.83 Safari/535.11	0	56320	206	Partial Content	-	-	(empty)	-	-	-	-	-	-	FNJkBA1b8FSHt5N8jl	-	-
+#close	2016-06-15-05-36-15
diff --git a/testing/btest/Baseline/core.tunnels.teredo/http.log b/testing/btest/Baseline/core.tunnels.teredo/http.log
index 66268903ea..b05a712c65 100644
--- a/testing/btest/Baseline/core.tunnels.teredo/http.log
+++ b/testing/btest/Baseline/core.tunnels.teredo/http.log
@@ -3,11 +3,11 @@
 #empty_field	(empty)
 #unset_field	-
 #path	http
-#open	2016-01-15-18-40-16
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	version	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	filename	tags	username	password	proxied	orig_fuids	orig_mime_types	resp_fuids	resp_mime_types
-#types	time	string	addr	port	addr	port	count	string	string	string	string	string	string	count	count	count	string	count	string	string	set[enum]	string	string	set[string]	vector[string]	vector[string]	vector[string]	vector[string]
-1210953057.917183	C7XEbhP654jzLoe3a	192.168.2.16	1578	75.126.203.78	80	1	POST	download913.avast.com	/cgi-bin/iavs4stats.cgi	-	1.1	Syncer/4.80 (av_pro-1169;f)	589	0	204	<empty>	-	-	-	(empty)	-	-	-	Fp32SIJztq0Szn5Qc	text/plain	-	-
-1210953061.585996	CwSkQu4eWZCH7OONC1	2001:0:4137:9e50:8000:f12a:b9c8:2815	1286	2001:4860:0:2001::68	80	1	GET	ipv6.google.com	/	-	1.1	Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5	0	6640	200	OK	-	-	-	(empty)	-	-	-	-	-	FNFYdH11h5iQcoD3a2	text/html
-1210953073.381474	CwSkQu4eWZCH7OONC1	2001:0:4137:9e50:8000:f12a:b9c8:2815	1286	2001:4860:0:2001::68	80	2	GET	ipv6.google.com	/search?hl=en&q=Wireshark+!&btnG=Google+Search	http://ipv6.google.com/	1.1	Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5	0	25119	200	OK	-	-	-	(empty)	-	-	-	-	-	FHD5nv1iSVFZVM0aH7	text/html
-1210953074.674817	Cab0vO1xNYSS2hJkle	192.168.2.16	1580	67.228.110.120	80	1	GET	www.wireshark.org	/	http://ipv6.google.com/search?hl=en&q=Wireshark+%21&btnG=Google+Search	1.1	Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5	0	11845	200	OK	-	-	-	(empty)	-	-	-	-	-	FS7lUf2cJFAVBCu6w6	text/html
-#close	2016-01-15-18-40-16
+#open	2016-06-15-05-36-31
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	version	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	tags	username	password	proxied	orig_fuids	orig_filenames	orig_mime_types	resp_fuids	resp_filenames	resp_mime_types
+#types	time	string	addr	port	addr	port	count	string	string	string	string	string	string	count	count	count	string	count	string	set[enum]	string	string	set[string]	vector[string]	vector[string]	vector[string]	vector[string]	vector[string]	vector[string]
+1210953057.917183	C7XEbhP654jzLoe3a	192.168.2.16	1578	75.126.203.78	80	1	POST	download913.avast.com	/cgi-bin/iavs4stats.cgi	-	1.1	Syncer/4.80 (av_pro-1169;f)	589	0	204	<empty>	-	-	(empty)	-	-	-	Fp32SIJztq0Szn5Qc	-	text/plain	-	-	-
+1210953061.585996	CwSkQu4eWZCH7OONC1	2001:0:4137:9e50:8000:f12a:b9c8:2815	1286	2001:4860:0:2001::68	80	1	GET	ipv6.google.com	/	-	1.1	Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5	0	6640	200	OK	-	-	(empty)	-	-	-	-	-	-	FNFYdH11h5iQcoD3a2	-	text/html
+1210953073.381474	CwSkQu4eWZCH7OONC1	2001:0:4137:9e50:8000:f12a:b9c8:2815	1286	2001:4860:0:2001::68	80	2	GET	ipv6.google.com	/search?hl=en&q=Wireshark+!&btnG=Google+Search	http://ipv6.google.com/	1.1	Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5	0	25119	200	OK	-	-	(empty)	-	-	-	-	-	-	FHD5nv1iSVFZVM0aH7	-	text/html
+1210953074.674817	Cab0vO1xNYSS2hJkle	192.168.2.16	1580	67.228.110.120	80	1	GET	www.wireshark.org	/	http://ipv6.google.com/search?hl=en&q=Wireshark+%21&btnG=Google+Search	1.1	Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5	0	11845	200	OK	-	-	(empty)	-	-	-	-	-	-	FS7lUf2cJFAVBCu6w6	-	text/html
+#close	2016-06-15-05-36-31
diff --git a/testing/btest/Baseline/core.tunnels.teredo_bubble_with_payload/http.log b/testing/btest/Baseline/core.tunnels.teredo_bubble_with_payload/http.log
index 00a710a5b0..d48a2482df 100644
--- a/testing/btest/Baseline/core.tunnels.teredo_bubble_with_payload/http.log
+++ b/testing/btest/Baseline/core.tunnels.teredo_bubble_with_payload/http.log
@@ -3,9 +3,9 @@
 #empty_field	(empty)
 #unset_field	-
 #path	http
-#open	2016-01-15-18-40-17
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	version	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	filename	tags	username	password	proxied	orig_fuids	orig_mime_types	resp_fuids	resp_mime_types
-#types	time	string	addr	port	addr	port	count	string	string	string	string	string	string	count	count	count	string	count	string	string	set[enum]	string	string	set[string]	vector[string]	vector[string]	vector[string]	vector[string]
-1340127577.361683	C6pKV8GSxOnSLghOa	2001:0:4137:9e50:8000:f12a:b9c8:2815	1286	2001:4860:0:2001::68	80	1	GET	ipv6.google.com	/	-	1.1	Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5	0	6640	200	OK	-	-	-	(empty)	-	-	-	-	-	FWSTWv4EZLVlc2Zywi	text/html
-1340127577.379360	C6pKV8GSxOnSLghOa	2001:0:4137:9e50:8000:f12a:b9c8:2815	1286	2001:4860:0:2001::68	80	2	GET	ipv6.google.com	/search?hl=en&q=Wireshark+!&btnG=Google+Search	http://ipv6.google.com/	1.1	Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5	0	25119	200	OK	-	-	-	(empty)	-	-	-	-	-	FGKV3B3jz083xhGO13	text/html
-#close	2016-01-15-18-40-17
+#open	2016-06-15-05-36-42
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	version	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	tags	username	password	proxied	orig_fuids	orig_filenames	orig_mime_types	resp_fuids	resp_filenames	resp_mime_types
+#types	time	string	addr	port	addr	port	count	string	string	string	string	string	string	count	count	count	string	count	string	set[enum]	string	string	set[string]	vector[string]	vector[string]	vector[string]	vector[string]	vector[string]	vector[string]
+1340127577.361683	C6pKV8GSxOnSLghOa	2001:0:4137:9e50:8000:f12a:b9c8:2815	1286	2001:4860:0:2001::68	80	1	GET	ipv6.google.com	/	-	1.1	Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5	0	6640	200	OK	-	-	(empty)	-	-	-	-	-	-	FWSTWv4EZLVlc2Zywi	-	text/html
+1340127577.379360	C6pKV8GSxOnSLghOa	2001:0:4137:9e50:8000:f12a:b9c8:2815	1286	2001:4860:0:2001::68	80	2	GET	ipv6.google.com	/search?hl=en&q=Wireshark+!&btnG=Google+Search	http://ipv6.google.com/	1.1	Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5	0	25119	200	OK	-	-	(empty)	-	-	-	-	-	-	FGKV3B3jz083xhGO13	-	text/html
+#close	2016-06-15-05-36-42
diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
index 4d1f2037a4..05b7adcd11 100644
--- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
@@ -3,7 +3,7 @@
 #empty_field	(empty)
 #unset_field	-
 #path	loaded_scripts
-#open	2015-08-31-04-50-43
+#open	2016-05-02-20-39-26
 #fields	name
 #types	string
 scripts/base/init-bare.bro
@@ -17,6 +17,11 @@ scripts/base/init-bare.bro
   build/scripts/base/bif/event.bif.bro
   scripts/base/frameworks/broker/__load__.bro
     scripts/base/frameworks/broker/main.bro
+      build/scripts/base/bif/comm.bif.bro
+      build/scripts/base/bif/messaging.bif.bro
+    scripts/base/frameworks/broker/store.bro
+      build/scripts/base/bif/data.bif.bro
+      build/scripts/base/bif/store.bif.bro
   scripts/base/frameworks/logging/__load__.bro
     scripts/base/frameworks/logging/main.bro
       build/scripts/base/bif/logging.bif.bro
@@ -45,15 +50,12 @@ scripts/base/init-bare.bro
         scripts/base/utils/patterns.bro
     scripts/base/frameworks/files/magic/__load__.bro
   build/scripts/base/bif/__load__.bro
+    build/scripts/base/bif/stats.bif.bro
     build/scripts/base/bif/broxygen.bif.bro
     build/scripts/base/bif/functions.bif.bro
     build/scripts/base/bif/bloom-filter.bif.bro
     build/scripts/base/bif/cardinality-counter.bif.bro
     build/scripts/base/bif/top-k.bif.bro
-    build/scripts/base/bif/comm.bif.bro
-    build/scripts/base/bif/data.bif.bro
-    build/scripts/base/bif/messaging.bif.bro
-    build/scripts/base/bif/store.bif.bro
   build/scripts/base/bif/plugins/__load__.bro
     build/scripts/base/bif/plugins/Bro_ARP.events.bif.bro
     build/scripts/base/bif/plugins/Bro_AYIYA.events.bif.bro
@@ -75,6 +77,7 @@ scripts/base/init-bare.bro
     build/scripts/base/bif/plugins/Bro_HTTP.functions.bif.bro
     build/scripts/base/bif/plugins/Bro_ICMP.events.bif.bro
     build/scripts/base/bif/plugins/Bro_Ident.events.bif.bro
+    build/scripts/base/bif/plugins/Bro_IMAP.events.bif.bro
     build/scripts/base/bif/plugins/Bro_InterConn.events.bif.bro
     build/scripts/base/bif/plugins/Bro_IRC.events.bif.bro
     build/scripts/base/bif/plugins/Bro_KRB.events.bif.bro
@@ -92,6 +95,7 @@ scripts/base/init-bare.bro
     build/scripts/base/bif/plugins/Bro_RADIUS.events.bif.bro
     build/scripts/base/bif/plugins/Bro_RDP.events.bif.bro
     build/scripts/base/bif/plugins/Bro_RDP.types.bif.bro
+    build/scripts/base/bif/plugins/Bro_RFB.events.bif.bro
     build/scripts/base/bif/plugins/Bro_RPC.events.bif.bro
     build/scripts/base/bif/plugins/Bro_SIP.events.bif.bro
     build/scripts/base/bif/plugins/Bro_SNMP.events.bif.bro
@@ -108,7 +112,9 @@ scripts/base/init-bare.bro
     build/scripts/base/bif/plugins/Bro_TCP.functions.bif.bro
     build/scripts/base/bif/plugins/Bro_Teredo.events.bif.bro
     build/scripts/base/bif/plugins/Bro_UDP.events.bif.bro
+    build/scripts/base/bif/plugins/Bro_XMPP.events.bif.bro
     build/scripts/base/bif/plugins/Bro_ZIP.events.bif.bro
+    build/scripts/base/bif/plugins/Bro_FileEntropy.events.bif.bro
     build/scripts/base/bif/plugins/Bro_FileExtract.events.bif.bro
     build/scripts/base/bif/plugins/Bro_FileExtract.functions.bif.bro
     build/scripts/base/bif/plugins/Bro_FileHash.events.bif.bro
@@ -128,4 +134,4 @@ scripts/base/init-bare.bro
     build/scripts/base/bif/plugins/Bro_SQLiteWriter.sqlite.bif.bro
 scripts/policy/misc/loaded-scripts.bro
   scripts/base/utils/paths.bro
-#close	2015-08-31-04-50-43
+#close	2016-05-02-20-39-26
diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
index dcb3ce4b03..477b4cc1b3 100644
--- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
@@ -3,7 +3,7 @@
 #empty_field	(empty)
 #unset_field	-
 #path	loaded_scripts
-#open	2016-06-15-14-17-00
+#open	2016-06-07-19-22-42
 #fields	name
 #types	string
 scripts/base/init-bare.bro
@@ -17,6 +17,11 @@ scripts/base/init-bare.bro
   build/scripts/base/bif/event.bif.bro
   scripts/base/frameworks/broker/__load__.bro
     scripts/base/frameworks/broker/main.bro
+      build/scripts/base/bif/comm.bif.bro
+      build/scripts/base/bif/messaging.bif.bro
+    scripts/base/frameworks/broker/store.bro
+      build/scripts/base/bif/data.bif.bro
+      build/scripts/base/bif/store.bif.bro
   scripts/base/frameworks/logging/__load__.bro
     scripts/base/frameworks/logging/main.bro
       build/scripts/base/bif/logging.bif.bro
@@ -45,15 +50,12 @@ scripts/base/init-bare.bro
         scripts/base/utils/patterns.bro
     scripts/base/frameworks/files/magic/__load__.bro
   build/scripts/base/bif/__load__.bro
+    build/scripts/base/bif/stats.bif.bro
     build/scripts/base/bif/broxygen.bif.bro
     build/scripts/base/bif/functions.bif.bro
     build/scripts/base/bif/bloom-filter.bif.bro
     build/scripts/base/bif/cardinality-counter.bif.bro
     build/scripts/base/bif/top-k.bif.bro
-    build/scripts/base/bif/comm.bif.bro
-    build/scripts/base/bif/data.bif.bro
-    build/scripts/base/bif/messaging.bif.bro
-    build/scripts/base/bif/store.bif.bro
   build/scripts/base/bif/plugins/__load__.bro
     build/scripts/base/bif/plugins/Bro_ARP.events.bif.bro
     build/scripts/base/bif/plugins/Bro_AYIYA.events.bif.bro
@@ -75,6 +77,7 @@ scripts/base/init-bare.bro
     build/scripts/base/bif/plugins/Bro_HTTP.functions.bif.bro
     build/scripts/base/bif/plugins/Bro_ICMP.events.bif.bro
     build/scripts/base/bif/plugins/Bro_Ident.events.bif.bro
+    build/scripts/base/bif/plugins/Bro_IMAP.events.bif.bro
     build/scripts/base/bif/plugins/Bro_InterConn.events.bif.bro
     build/scripts/base/bif/plugins/Bro_IRC.events.bif.bro
     build/scripts/base/bif/plugins/Bro_KRB.events.bif.bro
@@ -92,6 +95,7 @@ scripts/base/init-bare.bro
     build/scripts/base/bif/plugins/Bro_RADIUS.events.bif.bro
     build/scripts/base/bif/plugins/Bro_RDP.events.bif.bro
     build/scripts/base/bif/plugins/Bro_RDP.types.bif.bro
+    build/scripts/base/bif/plugins/Bro_RFB.events.bif.bro
     build/scripts/base/bif/plugins/Bro_RPC.events.bif.bro
     build/scripts/base/bif/plugins/Bro_SIP.events.bif.bro
     build/scripts/base/bif/plugins/Bro_SNMP.events.bif.bro
@@ -108,7 +112,9 @@ scripts/base/init-bare.bro
     build/scripts/base/bif/plugins/Bro_TCP.functions.bif.bro
     build/scripts/base/bif/plugins/Bro_Teredo.events.bif.bro
     build/scripts/base/bif/plugins/Bro_UDP.events.bif.bro
+    build/scripts/base/bif/plugins/Bro_XMPP.events.bif.bro
     build/scripts/base/bif/plugins/Bro_ZIP.events.bif.bro
+    build/scripts/base/bif/plugins/Bro_FileEntropy.events.bif.bro
     build/scripts/base/bif/plugins/Bro_FileExtract.events.bif.bro
     build/scripts/base/bif/plugins/Bro_FileExtract.functions.bif.bro
     build/scripts/base/bif/plugins/Bro_FileHash.events.bif.bro
@@ -138,6 +144,7 @@ scripts/base/init-default.bro
   scripts/base/utils/directions-and-hosts.bro
   scripts/base/utils/email.bro
   scripts/base/utils/files.bro
+  scripts/base/utils/geoip-distance.bro
   scripts/base/utils/numbers.bro
   scripts/base/utils/queue.bro
   scripts/base/utils/strings.bro
@@ -189,6 +196,30 @@ scripts/base/init-default.bro
     scripts/base/frameworks/sumstats/non-cluster.bro
   scripts/base/frameworks/tunnels/__load__.bro
     scripts/base/frameworks/tunnels/main.bro
+  scripts/base/frameworks/openflow/__load__.bro
+    scripts/base/frameworks/openflow/consts.bro
+    scripts/base/frameworks/openflow/types.bro
+    scripts/base/frameworks/openflow/main.bro
+    scripts/base/frameworks/openflow/plugins/__load__.bro
+      scripts/base/frameworks/openflow/plugins/ryu.bro
+        scripts/base/utils/json.bro
+      scripts/base/frameworks/openflow/plugins/log.bro
+      scripts/base/frameworks/openflow/plugins/broker.bro
+    scripts/base/frameworks/openflow/non-cluster.bro
+  scripts/base/frameworks/netcontrol/__load__.bro
+    scripts/base/frameworks/netcontrol/types.bro
+    scripts/base/frameworks/netcontrol/main.bro
+      scripts/base/frameworks/netcontrol/plugin.bro
+    scripts/base/frameworks/netcontrol/plugins/__load__.bro
+      scripts/base/frameworks/netcontrol/plugins/debug.bro
+      scripts/base/frameworks/netcontrol/plugins/openflow.bro
+      scripts/base/frameworks/netcontrol/plugins/packetfilter.bro
+      scripts/base/frameworks/netcontrol/plugins/broker.bro
+      scripts/base/frameworks/netcontrol/plugins/acld.bro
+    scripts/base/frameworks/netcontrol/drop.bro
+    scripts/base/frameworks/netcontrol/shunt.bro
+    scripts/base/frameworks/netcontrol/catch-and-release.bro
+    scripts/base/frameworks/netcontrol/non-cluster.bro
   scripts/base/protocols/conn/__load__.bro
     scripts/base/protocols/conn/main.bro
     scripts/base/protocols/conn/contents.bro
@@ -226,6 +257,8 @@ scripts/base/init-default.bro
     scripts/base/protocols/http/entities.bro
     scripts/base/protocols/http/utils.bro
     scripts/base/protocols/http/files.bro
+  scripts/base/protocols/imap/__load__.bro
+    scripts/base/protocols/imap/main.bro
   scripts/base/protocols/irc/__load__.bro
     scripts/base/protocols/irc/main.bro
     scripts/base/protocols/irc/dcc-send.bro
@@ -247,6 +280,8 @@ scripts/base/init-default.bro
   scripts/base/protocols/rdp/__load__.bro
     scripts/base/protocols/rdp/consts.bro
     scripts/base/protocols/rdp/main.bro
+  scripts/base/protocols/rfb/__load__.bro
+    scripts/base/protocols/rfb/main.bro
   scripts/base/protocols/sip/__load__.bro
     scripts/base/protocols/sip/main.bro
   scripts/base/protocols/snmp/__load__.bro
@@ -264,6 +299,8 @@ scripts/base/init-default.bro
     scripts/base/protocols/syslog/consts.bro
     scripts/base/protocols/syslog/main.bro
   scripts/base/protocols/tunnels/__load__.bro
+  scripts/base/protocols/xmpp/__load__.bro
+    scripts/base/protocols/xmpp/main.bro
   scripts/base/files/pe/__load__.bro
     scripts/base/files/pe/consts.bro
     scripts/base/files/pe/main.bro
@@ -274,4 +311,4 @@ scripts/base/init-default.bro
   scripts/base/misc/find-checksum-offloading.bro
   scripts/base/misc/find-filtered-trace.bro
 scripts/policy/misc/loaded-scripts.bro
-#close	2016-06-15-14-17-01
+#close	2016-06-07-19-22-42
diff --git a/testing/btest/Baseline/coverage.find-bro-logs/out b/testing/btest/Baseline/coverage.find-bro-logs/out
index 3deca99848..9619ebb4b9 100644
--- a/testing/btest/Baseline/coverage.find-bro-logs/out
+++ b/testing/btest/Baseline/coverage.find-bro-logs/out
@@ -23,13 +23,18 @@ loaded_scripts
 modbus
 modbus_register_change
 mysql
+net_control
+netcontrol_drop
+netcontrol_shunt
 notice
 notice_alarm
+open_flow
 packet_filter
 pe
 radius
 rdp
 reporter
+rfb
 signatures
 sip
 smtp
diff --git a/testing/btest/Baseline/coverage.init-default/missing_loads b/testing/btest/Baseline/coverage.init-default/missing_loads
index b5fbf644d5..826ca4af87 100644
--- a/testing/btest/Baseline/coverage.init-default/missing_loads
+++ b/testing/btest/Baseline/coverage.init-default/missing_loads
@@ -3,6 +3,8 @@
 -./frameworks/cluster/nodes/worker.bro
 -./frameworks/cluster/setup-connections.bro
 -./frameworks/intel/cluster.bro
+-./frameworks/netcontrol/cluster.bro
 -./frameworks/notice/cluster.bro
+-./frameworks/openflow/cluster.bro
 -./frameworks/packet-filter/cluster.bro
 -./frameworks/sumstats/cluster.bro
diff --git a/testing/btest/Baseline/doc.sphinx.connection-record-01/btest-doc.sphinx.connection-record-01#1 b/testing/btest/Baseline/doc.sphinx.connection-record-01/btest-doc.sphinx.connection-record-01#1
index 1793fc274c..8a4484ba07 100644
--- a/testing/btest/Baseline/doc.sphinx.connection-record-01/btest-doc.sphinx.connection-record-01#1
+++ b/testing/btest/Baseline/doc.sphinx.connection-record-01/btest-doc.sphinx.connection-record-01#1
@@ -5,7 +5,7 @@
       :emphasize-lines: 1,1
 
       # bro -b -r http/get.trace connection_record_01.bro
-      [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0], start_time=1362692526.869344, duration=0.211484, service={
+      [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.211484, service={
       
       }, history=ShADadFf, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, conn=[ts=1362692526.869344, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=<uninitialized>, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={
       
diff --git a/testing/btest/Baseline/doc.sphinx.connection-record-02/btest-doc.sphinx.connection-record-02#1 b/testing/btest/Baseline/doc.sphinx.connection-record-02/btest-doc.sphinx.connection-record-02#1
index 398fe5db94..190d8f0298 100644
--- a/testing/btest/Baseline/doc.sphinx.connection-record-02/btest-doc.sphinx.connection-record-02#1
+++ b/testing/btest/Baseline/doc.sphinx.connection-record-02/btest-doc.sphinx.connection-record-02#1
@@ -5,13 +5,13 @@
       :emphasize-lines: 1,1
 
       # bro -b -r http/get.trace connection_record_02.bro
-      [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0], start_time=1362692526.869344, duration=0.211484, service={
+      [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.211484, service={
       
       }, history=ShADadFf, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, conn=[ts=1362692526.869344, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=<uninitialized>, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={
       
-      }], extract_orig=F, extract_resp=F, thresholds=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={
+      }], extract_orig=F, extract_resp=F, thresholds=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={
       
-      }, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={
+      }, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={
       
       }, current_request=1, current_response=1, trans_depth=1]]
 
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_connecting-connector_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_connecting-connector_bro/output
index 042b8999f3..c4cbde045c 100644
--- a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_connecting-connector_bro/output
+++ b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_connecting-connector_bro/output
@@ -4,19 +4,19 @@ connecting-connector.bro
 
 const broker_port: port = 9999/tcp &redef;
 redef exit_only_after_terminate = T;
-redef BrokerComm::endpoint_name = "connector";
+redef Broker::endpoint_name = "connector";
 
 event bro_init()
 	{
-	BrokerComm::enable();
-	BrokerComm::connect("127.0.0.1", broker_port, 1sec);
+	Broker::enable();
+	Broker::connect("127.0.0.1", broker_port, 1sec);
 	}
 
-event BrokerComm::outgoing_connection_established(peer_address: string,
+event Broker::outgoing_connection_established(peer_address: string,
                                             peer_port: port,
                                             peer_name: string)
 	{
-	print "BrokerComm::outgoing_connection_established",
+	print "Broker::outgoing_connection_established",
 		  peer_address, peer_port, peer_name;
 	terminate();
 	}
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_connecting-listener_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_connecting-listener_bro/output
index 33e3df2330..8ea85569c9 100644
--- a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_connecting-listener_bro/output
+++ b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_connecting-listener_bro/output
@@ -4,21 +4,21 @@ connecting-listener.bro
 
 const broker_port: port = 9999/tcp &redef;
 redef exit_only_after_terminate = T;
-redef BrokerComm::endpoint_name = "listener";
+redef Broker::endpoint_name = "listener";
 
 event bro_init()
 	{
-	BrokerComm::enable();
-	BrokerComm::listen(broker_port, "127.0.0.1");
+	Broker::enable();
+	Broker::listen(broker_port, "127.0.0.1");
 	}
 
-event BrokerComm::incoming_connection_established(peer_name: string)
+event Broker::incoming_connection_established(peer_name: string)
 	{
-	print "BrokerComm::incoming_connection_established", peer_name;
+	print "Broker::incoming_connection_established", peer_name;
 	}
 
-event BrokerComm::incoming_connection_broken(peer_name: string)
+event Broker::incoming_connection_broken(peer_name: string)
 	{
-	print "BrokerComm::incoming_connection_broken", peer_name;
+	print "Broker::incoming_connection_broken", peer_name;
 	terminate();
 	}
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_events-connector_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_events-connector_bro/output
index fe97fdb4ce..d7a0e64be2 100644
--- a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_events-connector_bro/output
+++ b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_events-connector_bro/output
@@ -4,31 +4,31 @@ events-connector.bro
 
 const broker_port: port = 9999/tcp &redef;
 redef exit_only_after_terminate = T;
-redef BrokerComm::endpoint_name = "connector";
+redef Broker::endpoint_name = "connector";
 global my_event: event(msg: string, c: count);
 global my_auto_event: event(msg: string, c: count);
 
 event bro_init()
 	{
-	BrokerComm::enable();
-	BrokerComm::connect("127.0.0.1", broker_port, 1sec);
-	BrokerComm::auto_event("bro/event/my_auto_event", my_auto_event);
+	Broker::enable();
+	Broker::connect("127.0.0.1", broker_port, 1sec);
+	Broker::auto_event("bro/event/my_auto_event", my_auto_event);
 	}
 
-event BrokerComm::outgoing_connection_established(peer_address: string,
+event Broker::outgoing_connection_established(peer_address: string,
                                             peer_port: port,
                                             peer_name: string)
 	{
-	print "BrokerComm::outgoing_connection_established",
+	print "Broker::outgoing_connection_established",
 	      peer_address, peer_port, peer_name;
-	BrokerComm::event("bro/event/my_event", BrokerComm::event_args(my_event, "hi", 0));
+	Broker::send_event("bro/event/my_event", Broker::event_args(my_event, "hi", 0));
 	event my_auto_event("stuff", 88);
-	BrokerComm::event("bro/event/my_event", BrokerComm::event_args(my_event, "...", 1));
+	Broker::send_event("bro/event/my_event", Broker::event_args(my_event, "...", 1));
 	event my_auto_event("more stuff", 51);
-	BrokerComm::event("bro/event/my_event", BrokerComm::event_args(my_event, "bye", 2));
+	Broker::send_event("bro/event/my_event", Broker::event_args(my_event, "bye", 2));
 	}
 
-event BrokerComm::outgoing_connection_broken(peer_address: string,
+event Broker::outgoing_connection_broken(peer_address: string,
                                        peer_port: port)
 	{
 	terminate();
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_events-listener_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_events-listener_bro/output
index 9f004692cb..640722cac0 100644
--- a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_events-listener_bro/output
+++ b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_events-listener_bro/output
@@ -4,21 +4,21 @@ events-listener.bro
 
 const broker_port: port = 9999/tcp &redef;
 redef exit_only_after_terminate = T;
-redef BrokerComm::endpoint_name = "listener";
+redef Broker::endpoint_name = "listener";
 global msg_count = 0;
 global my_event: event(msg: string, c: count);
 global my_auto_event: event(msg: string, c: count);
 
 event bro_init()
 	{
-	BrokerComm::enable();
-	BrokerComm::subscribe_to_events("bro/event/");
-	BrokerComm::listen(broker_port, "127.0.0.1");
+	Broker::enable();
+	Broker::subscribe_to_events("bro/event/");
+	Broker::listen(broker_port, "127.0.0.1");
 	}
 
-event BrokerComm::incoming_connection_established(peer_name: string)
+event Broker::incoming_connection_established(peer_name: string)
 	{
-	print "BrokerComm::incoming_connection_established", peer_name;
+	print "Broker::incoming_connection_established", peer_name;
 	}
 
 event my_event(msg: string, c: count)
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_logs-connector_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_logs-connector_bro/output
index 6884d5e4d6..907d712c88 100644
--- a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_logs-connector_bro/output
+++ b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_logs-connector_bro/output
@@ -6,16 +6,16 @@ logs-connector.bro
 
 const broker_port: port = 9999/tcp &redef;
 redef exit_only_after_terminate = T;
-redef BrokerComm::endpoint_name = "connector";
+redef Broker::endpoint_name = "connector";
 redef Log::enable_local_logging = F;
 redef Log::enable_remote_logging = F;
 global n = 0;
 
 event bro_init()
 	{
-	BrokerComm::enable();
-	BrokerComm::enable_remote_logs(Test::LOG);
-	BrokerComm::connect("127.0.0.1", broker_port, 1sec);
+	Broker::enable();
+	Broker::enable_remote_logs(Test::LOG);
+	Broker::connect("127.0.0.1", broker_port, 1sec);
 	}
 
 event do_write()
@@ -28,16 +28,16 @@ event do_write()
 	event do_write();
 	}
 
-event BrokerComm::outgoing_connection_established(peer_address: string,
+event Broker::outgoing_connection_established(peer_address: string,
                                             peer_port: port,
                                             peer_name: string)
 	{
-	print "BrokerComm::outgoing_connection_established",
+	print "Broker::outgoing_connection_established",
 	      peer_address, peer_port, peer_name;
 	event do_write();
 	}
 
-event BrokerComm::outgoing_connection_broken(peer_address: string,
+event Broker::outgoing_connection_broken(peer_address: string,
                                        peer_port: port)
 	{
 	terminate();
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_logs-listener_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_logs-listener_bro/output
index 1610bde502..de6abbf5a0 100644
--- a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_logs-listener_bro/output
+++ b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_logs-listener_bro/output
@@ -6,18 +6,18 @@ logs-listener.bro
 
 const broker_port: port = 9999/tcp &redef;
 redef exit_only_after_terminate = T;
-redef BrokerComm::endpoint_name = "listener";
+redef Broker::endpoint_name = "listener";
 
 event bro_init()
 	{
-	BrokerComm::enable();
-	BrokerComm::subscribe_to_logs("bro/log/Test::LOG");
-	BrokerComm::listen(broker_port, "127.0.0.1");
+	Broker::enable();
+	Broker::subscribe_to_logs("bro/log/Test::LOG");
+	Broker::listen(broker_port, "127.0.0.1");
 	}
 
-event BrokerComm::incoming_connection_established(peer_name: string)
+event Broker::incoming_connection_established(peer_name: string)
 	{
-	print "BrokerComm::incoming_connection_established", peer_name;
+	print "Broker::incoming_connection_established", peer_name;
 	}
 
 event Test::log_test(rec: Test::Info)
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_printing-connector_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_printing-connector_bro/output
index 86ad4f459f..91ee179fe6 100644
--- a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_printing-connector_bro/output
+++ b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_printing-connector_bro/output
@@ -4,26 +4,26 @@ printing-connector.bro
 
 const broker_port: port = 9999/tcp &redef;
 redef exit_only_after_terminate = T;
-redef BrokerComm::endpoint_name = "connector";
+redef Broker::endpoint_name = "connector";
 
 event bro_init()
 	{
-	BrokerComm::enable();
-	BrokerComm::connect("127.0.0.1", broker_port, 1sec);
+	Broker::enable();
+	Broker::connect("127.0.0.1", broker_port, 1sec);
 	}
 
-event BrokerComm::outgoing_connection_established(peer_address: string,
+event Broker::outgoing_connection_established(peer_address: string,
                                             peer_port: port,
                                             peer_name: string)
 	{
-	print "BrokerComm::outgoing_connection_established",
+	print "Broker::outgoing_connection_established",
 	      peer_address, peer_port, peer_name;
-	BrokerComm::print("bro/print/hi", "hello");
-	BrokerComm::print("bro/print/stuff", "...");
-	BrokerComm::print("bro/print/bye", "goodbye");
+	Broker::send_print("bro/print/hi", "hello");
+	Broker::send_print("bro/print/stuff", "...");
+	Broker::send_print("bro/print/bye", "goodbye");
 	}
 
-event BrokerComm::outgoing_connection_broken(peer_address: string,
+event Broker::outgoing_connection_broken(peer_address: string,
                                        peer_port: port)
 	{
 	terminate();
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_printing-listener_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_printing-listener_bro/output
index fb416612ab..37e4d0eae9 100644
--- a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_printing-listener_bro/output
+++ b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_printing-listener_bro/output
@@ -4,22 +4,22 @@ printing-listener.bro
 
 const broker_port: port = 9999/tcp &redef;
 redef exit_only_after_terminate = T;
-redef BrokerComm::endpoint_name = "listener";
+redef Broker::endpoint_name = "listener";
 global msg_count = 0;
 
 event bro_init()
 	{
-	BrokerComm::enable();
-	BrokerComm::subscribe_to_prints("bro/print/");
-	BrokerComm::listen(broker_port, "127.0.0.1");
+	Broker::enable();
+	Broker::subscribe_to_prints("bro/print/");
+	Broker::listen(broker_port, "127.0.0.1");
 	}
 
-event BrokerComm::incoming_connection_established(peer_name: string)
+event Broker::incoming_connection_established(peer_name: string)
 	{
-	print "BrokerComm::incoming_connection_established", peer_name;
+	print "Broker::incoming_connection_established", peer_name;
 	}
 
-event BrokerComm::print_handler(msg: string)
+event Broker::print_handler(msg: string)
 	{
 	++msg_count;
 	print "got print message", msg;
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_stores-connector_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_stores-connector_bro/output
index 6ca9e3b49b..74b59467e7 100644
--- a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_stores-connector_bro/output
+++ b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_stores-connector_bro/output
@@ -5,42 +5,42 @@ stores-connector.bro
 const broker_port: port = 9999/tcp &redef;
 redef exit_only_after_terminate = T;
 
-global h: opaque of BrokerStore::Handle;
+global h: opaque of Broker::Handle;
 
-function dv(d: BrokerComm::Data): BrokerComm::DataVector
+function dv(d: Broker::Data): Broker::DataVector
 	{
-	local rval: BrokerComm::DataVector;
+	local rval: Broker::DataVector;
 	rval[0] = d;
 	return rval;
 	}
 
 global ready: event();
 
-event BrokerComm::outgoing_connection_broken(peer_address: string,
+event Broker::outgoing_connection_broken(peer_address: string,
                                        peer_port: port)
 	{
 	terminate();
 	}
 
-event BrokerComm::outgoing_connection_established(peer_address: string,
+event Broker::outgoing_connection_established(peer_address: string,
                                             peer_port: port,
                                             peer_name: string)
 	{
 	local myset: set[string] = {"a", "b", "c"};
 	local myvec: vector of string = {"alpha", "beta", "gamma"};
-	h = BrokerStore::create_master("mystore");
-	BrokerStore::insert(h, BrokerComm::data("one"), BrokerComm::data(110));
-	BrokerStore::insert(h, BrokerComm::data("two"), BrokerComm::data(223));
-	BrokerStore::insert(h, BrokerComm::data("myset"), BrokerComm::data(myset));
-	BrokerStore::insert(h, BrokerComm::data("myvec"), BrokerComm::data(myvec));
-	BrokerStore::increment(h, BrokerComm::data("one"));
-	BrokerStore::decrement(h, BrokerComm::data("two"));
-	BrokerStore::add_to_set(h, BrokerComm::data("myset"), BrokerComm::data("d"));
-	BrokerStore::remove_from_set(h, BrokerComm::data("myset"), BrokerComm::data("b"));
-	BrokerStore::push_left(h, BrokerComm::data("myvec"), dv(BrokerComm::data("delta")));
-	BrokerStore::push_right(h, BrokerComm::data("myvec"), dv(BrokerComm::data("omega")));
+	h = Broker::create_master("mystore");
+	Broker::insert(h, Broker::data("one"), Broker::data(110));
+	Broker::insert(h, Broker::data("two"), Broker::data(223));
+	Broker::insert(h, Broker::data("myset"), Broker::data(myset));
+	Broker::insert(h, Broker::data("myvec"), Broker::data(myvec));
+	Broker::increment(h, Broker::data("one"));
+	Broker::decrement(h, Broker::data("two"));
+	Broker::add_to_set(h, Broker::data("myset"), Broker::data("d"));
+	Broker::remove_from_set(h, Broker::data("myset"), Broker::data("b"));
+	Broker::push_left(h, Broker::data("myvec"), dv(Broker::data("delta")));
+	Broker::push_right(h, Broker::data("myvec"), dv(Broker::data("omega")));
 
-	when ( local res = BrokerStore::size(h) )
+	when ( local res = Broker::size(h) )
 		{
 		print "master size", res;
 		event ready();
@@ -51,7 +51,7 @@ event BrokerComm::outgoing_connection_established(peer_address: string,
 
 event bro_init()
 	{
-	BrokerComm::enable();
-	BrokerComm::connect("127.0.0.1", broker_port, 1secs);
-	BrokerComm::auto_event("bro/event/ready", ready);
+	Broker::enable();
+	Broker::connect("127.0.0.1", broker_port, 1secs);
+	Broker::auto_event("bro/event/ready", ready);
 	}
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_stores-listener_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_stores-listener_bro/output
index 6942ec17d2..8dadbc803c 100644
--- a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_stores-listener_bro/output
+++ b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_stores-listener_bro/output
@@ -5,13 +5,13 @@ stores-listener.bro
 const broker_port: port = 9999/tcp &redef;
 redef exit_only_after_terminate = T;
 
-global h: opaque of BrokerStore::Handle;
+global h: opaque of Broker::Handle;
 global expected_key_count = 4;
 global key_count = 0;
 
 function do_lookup(key: string)
 	{
-	when ( local res = BrokerStore::lookup(h, BrokerComm::data(key)) )
+	when ( local res = Broker::lookup(h, Broker::data(key)) )
 		{
 		++key_count;
 		print "lookup", key, res;
@@ -25,15 +25,15 @@ function do_lookup(key: string)
 
 event ready()
 	{
-	h = BrokerStore::create_clone("mystore");
+	h = Broker::create_clone("mystore");
 
-	when ( local res = BrokerStore::keys(h) )
+	when ( local res = Broker::keys(h) )
 		{
 		print "clone keys", res;
-		do_lookup(BrokerComm::refine_to_string(BrokerComm::vector_lookup(res$result, 0)));
-		do_lookup(BrokerComm::refine_to_string(BrokerComm::vector_lookup(res$result, 1)));
-		do_lookup(BrokerComm::refine_to_string(BrokerComm::vector_lookup(res$result, 2)));
-		do_lookup(BrokerComm::refine_to_string(BrokerComm::vector_lookup(res$result, 3)));
+		do_lookup(Broker::refine_to_string(Broker::vector_lookup(res$result, 0)));
+		do_lookup(Broker::refine_to_string(Broker::vector_lookup(res$result, 1)));
+		do_lookup(Broker::refine_to_string(Broker::vector_lookup(res$result, 2)));
+		do_lookup(Broker::refine_to_string(Broker::vector_lookup(res$result, 3)));
 		}
 	timeout 10sec
 		{ print "timeout"; }
@@ -41,7 +41,7 @@ event ready()
 
 event bro_init()
 	{
-	BrokerComm::enable();
-	BrokerComm::subscribe_to_events("bro/event/ready");
-	BrokerComm::listen(broker_port, "127.0.0.1");
+	Broker::enable();
+	Broker::subscribe_to_events("bro/event/ready");
+	Broker::listen(broker_port, "127.0.0.1");
 	}
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_testlog_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_testlog_bro/output
index c87fc3cd6f..d5a92417dc 100644
--- a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_testlog_bro/output
+++ b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_testlog_bro/output
@@ -17,6 +17,6 @@ export {
 
 event bro_init() &priority=5
 	{
-	BrokerComm::enable();
+	Broker::enable();
 	Log::create_stream(Test::LOG, [$columns=Test::Info, $ev=log_test, $path="test"]);
 	}
diff --git a/testing/btest/Baseline/doc.sphinx.include-scripts_base_protocols_conn_main_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_scripting_data_type_record_bro/output
similarity index 97%
rename from testing/btest/Baseline/doc.sphinx.include-scripts_base_protocols_conn_main_bro/output
rename to testing/btest/Baseline/doc.sphinx.include-doc_scripting_data_type_record_bro/output
index 83e9d5bea1..6d8760700a 100644
--- a/testing/btest/Baseline/doc.sphinx.include-scripts_base_protocols_conn_main_bro/output
+++ b/testing/btest/Baseline/doc.sphinx.include-doc_scripting_data_type_record_bro/output
@@ -1,6 +1,6 @@
 # @TEST-EXEC: cat %INPUT >output && btest-diff output
 
-main.bro
+data_type_record.bro
 
 module Conn;
 
diff --git a/testing/btest/Baseline/doc.sphinx.include-scripts_base_protocols_http_main_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_scripting_http_main_bro/output
similarity index 93%
rename from testing/btest/Baseline/doc.sphinx.include-scripts_base_protocols_http_main_bro/output
rename to testing/btest/Baseline/doc.sphinx.include-doc_scripting_http_main_bro/output
index e3f7a39429..9f49450799 100644
--- a/testing/btest/Baseline/doc.sphinx.include-scripts_base_protocols_http_main_bro/output
+++ b/testing/btest/Baseline/doc.sphinx.include-doc_scripting_http_main_bro/output
@@ -1,6 +1,6 @@
 # @TEST-EXEC: cat %INPUT >output && btest-diff output
 
-main.bro
+http_main.bro
 
 module HTTP;
 
diff --git a/testing/btest/Baseline/language.event-local-var/out b/testing/btest/Baseline/language.event-local-var/out
new file mode 100644
index 0000000000..2802c45d69
--- /dev/null
+++ b/testing/btest/Baseline/language.event-local-var/out
@@ -0,0 +1 @@
+error in /home/jgras/devel/bro/testing/btest/.tmp/language.event-local-var/event-local-var.bro, line 15: local identifier "v" cannot be used to reference an event, at or near ")"
diff --git a/testing/btest/Baseline/language.event/out b/testing/btest/Baseline/language.event/out
index 41c3e0d717..14fa9c1e8a 100644
--- a/testing/btest/Baseline/language.event/out
+++ b/testing/btest/Baseline/language.event/out
@@ -1,6 +1,7 @@
 event statement
 event part1
 event part2
+assign event variable (6)
 schedule statement in bro_init
 schedule statement in global
 schedule statement another in bro_init
diff --git a/testing/btest/Baseline/language.expire-expr-error/output b/testing/btest/Baseline/language.expire-expr-error/output
new file mode 100644
index 0000000000..544527fe23
--- /dev/null
+++ b/testing/btest/Baseline/language.expire-expr-error/output
@@ -0,0 +1,2 @@
+error in /home/robin/bro/master/testing/btest/.tmp/language.expire-expr-error/expire-expr-error.bro, line 7: no such index (x[kaputt])
+received termination signal
diff --git a/testing/btest/Baseline/language.expire-func-undef/output b/testing/btest/Baseline/language.expire-func-undef/output
new file mode 100644
index 0000000000..05b71a9908
--- /dev/null
+++ b/testing/btest/Baseline/language.expire-func-undef/output
@@ -0,0 +1,20 @@
+1299470395.000000 error in /home/robin/bro/master/testing/btest/.tmp/language.expire-func-undef/expire-func-undef.bro, line 12: value used but not set (segfault::scan_summary)
+1299470405.000000 error in /home/robin/bro/master/testing/btest/.tmp/language.expire-func-undef/expire-func-undef.bro, line 12: value used but not set (segfault::scan_summary)
+1299473995.000000 error in /home/robin/bro/master/testing/btest/.tmp/language.expire-func-undef/expire-func-undef.bro, line 12: value used but not set (segfault::scan_summary)
+1299474005.000000 error in /home/robin/bro/master/testing/btest/.tmp/language.expire-func-undef/expire-func-undef.bro, line 12: value used but not set (segfault::scan_summary)
+1299477595.000000 error in /home/robin/bro/master/testing/btest/.tmp/language.expire-func-undef/expire-func-undef.bro, line 12: value used but not set (segfault::scan_summary)
+1299477605.000000 error in /home/robin/bro/master/testing/btest/.tmp/language.expire-func-undef/expire-func-undef.bro, line 12: value used but not set (segfault::scan_summary)
+1299481195.000000 error in /home/robin/bro/master/testing/btest/.tmp/language.expire-func-undef/expire-func-undef.bro, line 12: value used but not set (segfault::scan_summary)
+1299481205.000000 error in /home/robin/bro/master/testing/btest/.tmp/language.expire-func-undef/expire-func-undef.bro, line 12: value used but not set (segfault::scan_summary)
+1299484795.000000 error in /home/robin/bro/master/testing/btest/.tmp/language.expire-func-undef/expire-func-undef.bro, line 12: value used but not set (segfault::scan_summary)
+1299484805.000000 error in /home/robin/bro/master/testing/btest/.tmp/language.expire-func-undef/expire-func-undef.bro, line 12: value used but not set (segfault::scan_summary)
+1299488395.000000 error in /home/robin/bro/master/testing/btest/.tmp/language.expire-func-undef/expire-func-undef.bro, line 12: value used but not set (segfault::scan_summary)
+1299488405.000000 error in /home/robin/bro/master/testing/btest/.tmp/language.expire-func-undef/expire-func-undef.bro, line 12: value used but not set (segfault::scan_summary)
+1299491995.000000 error in /home/robin/bro/master/testing/btest/.tmp/language.expire-func-undef/expire-func-undef.bro, line 12: value used but not set (segfault::scan_summary)
+1299492005.000000 error in /home/robin/bro/master/testing/btest/.tmp/language.expire-func-undef/expire-func-undef.bro, line 12: value used but not set (segfault::scan_summary)
+1299495595.000000 error in /home/robin/bro/master/testing/btest/.tmp/language.expire-func-undef/expire-func-undef.bro, line 12: value used but not set (segfault::scan_summary)
+1299495605.000000 error in /home/robin/bro/master/testing/btest/.tmp/language.expire-func-undef/expire-func-undef.bro, line 12: value used but not set (segfault::scan_summary)
+1299499195.000000 error in /home/robin/bro/master/testing/btest/.tmp/language.expire-func-undef/expire-func-undef.bro, line 12: value used but not set (segfault::scan_summary)
+1299499205.000000 error in /home/robin/bro/master/testing/btest/.tmp/language.expire-func-undef/expire-func-undef.bro, line 12: value used but not set (segfault::scan_summary)
+1299502795.000000 error in /home/robin/bro/master/testing/btest/.tmp/language.expire-func-undef/expire-func-undef.bro, line 12: value used but not set (segfault::scan_summary)
+orig: 10.0.0.2: peers: {\x0a\x0910.0.0.3\x0a}
diff --git a/testing/btest/Baseline/language.expire-redef/output b/testing/btest/Baseline/language.expire-redef/output
new file mode 100644
index 0000000000..d0a3a5dac1
--- /dev/null
+++ b/testing/btest/Baseline/language.expire-redef/output
@@ -0,0 +1,5 @@
+Run 0
+Run 1
+Run 2
+Expired: 0 --> some data
+Run 3
diff --git a/testing/btest/Baseline/language.expire-type-error/out b/testing/btest/Baseline/language.expire-type-error/out
new file mode 100644
index 0000000000..c0987a6341
--- /dev/null
+++ b/testing/btest/Baseline/language.expire-type-error/out
@@ -0,0 +1 @@
+error in /home/robin/bro/master/testing/btest/.tmp/language.expire-type-error/expire-type-error.bro, line 4: expiration interval has wrong type (kaputt)
diff --git a/testing/btest/Baseline/language.expire_multiple-2/output b/testing/btest/Baseline/language.expire_multiple-2/output
new file mode 100644
index 0000000000..ffcdb6ff80
--- /dev/null
+++ b/testing/btest/Baseline/language.expire_multiple-2/output
@@ -0,0 +1 @@
+error in /Users/johanna/bro/master/testing/btest/.tmp/language.expire_multiple-2/expire_multiple.test, line 2: set/table can only have one of &read_expire, &write_expire, &create_expire (&write_expire=1.0 sec, &create_expire=3.0 secs)
diff --git a/testing/btest/Baseline/language.expire_multiple-3/output b/testing/btest/Baseline/language.expire_multiple-3/output
new file mode 100644
index 0000000000..1dc2e3e765
--- /dev/null
+++ b/testing/btest/Baseline/language.expire_multiple-3/output
@@ -0,0 +1 @@
+error in /Users/johanna/bro/master/testing/btest/.tmp/language.expire_multiple-3/expire_multiple.test, line 2: set/table can only have one of &read_expire, &write_expire, &create_expire (&write_expire=1.0 sec, &read_expire=3.0 secs)
diff --git a/testing/btest/Baseline/language.expire_multiple/output b/testing/btest/Baseline/language.expire_multiple/output
new file mode 100644
index 0000000000..a616c84de7
--- /dev/null
+++ b/testing/btest/Baseline/language.expire_multiple/output
@@ -0,0 +1 @@
+error in /Users/johanna/bro/master/testing/btest/.tmp/language.expire_multiple/expire_multiple.test, line 4: set/table can only have one of &read_expire, &write_expire, &create_expire (&create_expire=1.0 sec, &read_expire=1.0 sec)
diff --git a/testing/btest/Baseline/language.expire_subnet/output b/testing/btest/Baseline/language.expire_subnet/output
new file mode 100644
index 0000000000..70ca3943cb
--- /dev/null
+++ b/testing/btest/Baseline/language.expire_subnet/output
@@ -0,0 +1,27 @@
+All:
+0 --> zero
+2 --> two
+4 --> four
+1 --> one
+3 --> three
+192.168.3.0/24 --> three
+192.168.0.0/16 --> zero
+192.168.4.0/24 --> four
+192.168.1.0/24 --> one
+192.168.2.0/24 --> two
+Time: 0 secs
+
+Accessed table nums: two; three
+Accessed table nets: two; three, zero
+Time: 7.0 secs 518.0 msecs 828.0 usecs
+
+Expired Num: 0 --> zero at 8.0 secs 835.0 msecs 30.0 usecs
+Expired Num: 4 --> four at 8.0 secs 835.0 msecs 30.0 usecs
+Expired Num: 1 --> one at 8.0 secs 835.0 msecs 30.0 usecs
+Expired Subnet: 192.168.4.0/24 --> four at 8.0 secs 835.0 msecs 30.0 usecs
+Expired Subnet: 192.168.1.0/24 --> one at 8.0 secs 835.0 msecs 30.0 usecs
+Expired Num: 2 --> two at 15.0 secs 150.0 msecs 681.0 usecs
+Expired Num: 3 --> three at 15.0 secs 150.0 msecs 681.0 usecs
+Expired Subnet: 192.168.3.0/24 --> three at 15.0 secs 150.0 msecs 681.0 usecs
+Expired Subnet: 192.168.0.0/16 --> zero at 15.0 secs 150.0 msecs 681.0 usecs
+Expired Subnet: 192.168.2.0/24 --> two at 15.0 secs 150.0 msecs 681.0 usecs
diff --git a/testing/btest/Baseline/language.hook/out b/testing/btest/Baseline/language.hook/out
index d4f367f875..28543d5320 100644
--- a/testing/btest/Baseline/language.hook/out
+++ b/testing/btest/Baseline/language.hook/out
@@ -17,3 +17,7 @@ myhook return F
 myhook return T
 myhook, &priority=5, [a=37, b=goobye world]
 F
+myhook5, test
+second part ran
+myhook5 ran
+myhook6, test
diff --git a/testing/btest/Baseline/language.init-in-anon-function/http.log b/testing/btest/Baseline/language.init-in-anon-function/http.log
index 24ee094c15..d0ecd3a06e 100644
--- a/testing/btest/Baseline/language.init-in-anon-function/http.log
+++ b/testing/btest/Baseline/language.init-in-anon-function/http.log
@@ -3,21 +3,21 @@
 #empty_field	(empty)
 #unset_field	-
 #path	http
-#open	2016-01-15-18-40-39
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	version	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	filename	tags	username	password	proxied	orig_fuids	orig_mime_types	resp_fuids	resp_mime_types
-#types	time	string	addr	port	addr	port	count	string	string	string	string	string	string	count	count	count	string	count	string	string	set[enum]	string	string	set[string]	vector[string]	vector[string]	vector[string]	vector[string]
-1300475168.784020	CRJuHdVW0XPVINV8a	141.142.0.0	48649	208.80.152.118	80	1	GET	bits.wikimedia.org	/skins-1.5/monobook/main.css	http://www.wikipedia.org/	1.1	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	-	(empty)	-	-	-	-	-	-	-
-1300475168.916018	CJ3xTn1c4Zw9TmAE05	141.142.0.0	49997	208.80.152.3	80	1	GET	upload.wikimedia.org	/wikipedia/commons/6/63/Wikipedia-logo.png	http://www.wikipedia.org/	1.0	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	-	(empty)	-	-	-	-	-	-	-
-1300475168.916183	C7XEbhP654jzLoe3a	141.142.0.0	49996	208.80.152.3	80	1	GET	upload.wikimedia.org	/wikipedia/commons/thumb/b/bb/Wikipedia_wordmark.svg/174px-Wikipedia_wordmark.svg.png	http://www.wikipedia.org/	1.0	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	-	(empty)	-	-	-	-	-	-	-
-1300475168.918358	C3SfNE4BWaU4aSuwkc	141.142.0.0	49998	208.80.152.3	80	1	GET	upload.wikimedia.org	/wikipedia/commons/b/bd/Bookshelf-40x201_6.png	http://www.wikipedia.org/	1.0	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	-	(empty)	-	-	-	-	-	-	-
-1300475168.952307	CyAhVIzHqb7t7kv28	141.142.0.0	50000	208.80.152.3	80	1	GET	upload.wikimedia.org	/wikipedia/commons/thumb/8/8a/Wikinews-logo.png/35px-Wikinews-logo.png	http://www.wikipedia.org/	1.0	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	-	(empty)	-	-	-	-	-	-	-
-1300475168.952296	CzA03V1VcgagLjnO92	141.142.0.0	49999	208.80.152.3	80	1	GET	upload.wikimedia.org	/wikipedia/commons/4/4a/Wiktionary-logo-en-35px.png	http://www.wikipedia.org/	1.0	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	-	(empty)	-	-	-	-	-	-	-
-1300475168.954820	CkDsfG2YIeWJmXWNWj	141.142.0.0	50001	208.80.152.3	80	1	GET	upload.wikimedia.org	/wikipedia/commons/thumb/f/fa/Wikiquote-logo.svg/35px-Wikiquote-logo.svg.png	http://www.wikipedia.org/	1.0	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	-	(empty)	-	-	-	-	-	-	-
-1300475168.962687	Cn78a440HlxuyZKs6f	141.142.0.0	35642	208.80.152.2	80	1	GET	meta.wikimedia.org	/images/wikimedia-button.png	http://www.wikipedia.org/	1.0	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	-	(empty)	-	-	-	-	-	-	-
-1300475168.975934	CJ3xTn1c4Zw9TmAE05	141.142.0.0	49997	208.80.152.3	80	2	GET	upload.wikimedia.org	/wikipedia/commons/thumb/f/fa/Wikibooks-logo.svg/35px-Wikibooks-logo.svg.png	http://www.wikipedia.org/	1.0	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	-	(empty)	-	-	-	-	-	-	-
-1300475168.976436	C7XEbhP654jzLoe3a	141.142.0.0	49996	208.80.152.3	80	2	GET	upload.wikimedia.org	/wikipedia/commons/thumb/d/df/Wikispecies-logo.svg/35px-Wikispecies-logo.svg.png	http://www.wikipedia.org/	1.0	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	-	(empty)	-	-	-	-	-	-	-
-1300475168.979264	C3SfNE4BWaU4aSuwkc	141.142.0.0	49998	208.80.152.3	80	2	GET	upload.wikimedia.org	/wikipedia/commons/thumb/4/4c/Wikisource-logo.svg/35px-Wikisource-logo.svg.png	http://www.wikipedia.org/	1.0	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	-	(empty)	-	-	-	-	-	-	-
-1300475169.014619	CyAhVIzHqb7t7kv28	141.142.0.0	50000	208.80.152.3	80	2	GET	upload.wikimedia.org	/wikipedia/commons/thumb/4/4a/Commons-logo.svg/35px-Commons-logo.svg.png	http://www.wikipedia.org/	1.0	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	-	(empty)	-	-	-	-	-	-	-
-1300475169.014593	CzA03V1VcgagLjnO92	141.142.0.0	49999	208.80.152.3	80	2	GET	upload.wikimedia.org	/wikipedia/commons/thumb/9/91/Wikiversity-logo.svg/35px-Wikiversity-logo.svg.png	http://www.wikipedia.org/	1.0	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	-	(empty)	-	-	-	-	-	-	-
-1300475169.014927	CkDsfG2YIeWJmXWNWj	141.142.0.0	50001	208.80.152.3	80	2	GET	upload.wikimedia.org	/wikipedia/commons/thumb/7/75/Wikimedia_Community_Logo.svg/35px-Wikimedia_Community_Logo.svg.png	http://www.wikipedia.org/	1.0	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	-	(empty)	-	-	-	-	-	-	-
-#close	2016-01-15-18-40-39
+#open	2016-06-15-05-37-23
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	version	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	tags	username	password	proxied	orig_fuids	orig_filenames	orig_mime_types	resp_fuids	resp_filenames	resp_mime_types
+#types	time	string	addr	port	addr	port	count	string	string	string	string	string	string	count	count	count	string	count	string	set[enum]	string	string	set[string]	vector[string]	vector[string]	vector[string]	vector[string]	vector[string]	vector[string]
+1300475168.784020	CRJuHdVW0XPVINV8a	141.142.0.0	48649	208.80.152.118	80	1	GET	bits.wikimedia.org	/skins-1.5/monobook/main.css	http://www.wikipedia.org/	1.1	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	(empty)	-	-	-	-	-	-	-	-	-
+1300475168.916018	CJ3xTn1c4Zw9TmAE05	141.142.0.0	49997	208.80.152.3	80	1	GET	upload.wikimedia.org	/wikipedia/commons/6/63/Wikipedia-logo.png	http://www.wikipedia.org/	1.0	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	(empty)	-	-	-	-	-	-	-	-	-
+1300475168.916183	C7XEbhP654jzLoe3a	141.142.0.0	49996	208.80.152.3	80	1	GET	upload.wikimedia.org	/wikipedia/commons/thumb/b/bb/Wikipedia_wordmark.svg/174px-Wikipedia_wordmark.svg.png	http://www.wikipedia.org/	1.0	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	(empty)	-	-	-	-	-	-	-	-	-
+1300475168.918358	C3SfNE4BWaU4aSuwkc	141.142.0.0	49998	208.80.152.3	80	1	GET	upload.wikimedia.org	/wikipedia/commons/b/bd/Bookshelf-40x201_6.png	http://www.wikipedia.org/	1.0	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	(empty)	-	-	-	-	-	-	-	-	-
+1300475168.952307	CyAhVIzHqb7t7kv28	141.142.0.0	50000	208.80.152.3	80	1	GET	upload.wikimedia.org	/wikipedia/commons/thumb/8/8a/Wikinews-logo.png/35px-Wikinews-logo.png	http://www.wikipedia.org/	1.0	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	(empty)	-	-	-	-	-	-	-	-	-
+1300475168.952296	CzA03V1VcgagLjnO92	141.142.0.0	49999	208.80.152.3	80	1	GET	upload.wikimedia.org	/wikipedia/commons/4/4a/Wiktionary-logo-en-35px.png	http://www.wikipedia.org/	1.0	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	(empty)	-	-	-	-	-	-	-	-	-
+1300475168.954820	CkDsfG2YIeWJmXWNWj	141.142.0.0	50001	208.80.152.3	80	1	GET	upload.wikimedia.org	/wikipedia/commons/thumb/f/fa/Wikiquote-logo.svg/35px-Wikiquote-logo.svg.png	http://www.wikipedia.org/	1.0	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	(empty)	-	-	-	-	-	-	-	-	-
+1300475168.962687	Cn78a440HlxuyZKs6f	141.142.0.0	35642	208.80.152.2	80	1	GET	meta.wikimedia.org	/images/wikimedia-button.png	http://www.wikipedia.org/	1.0	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	(empty)	-	-	-	-	-	-	-	-	-
+1300475168.975934	CJ3xTn1c4Zw9TmAE05	141.142.0.0	49997	208.80.152.3	80	2	GET	upload.wikimedia.org	/wikipedia/commons/thumb/f/fa/Wikibooks-logo.svg/35px-Wikibooks-logo.svg.png	http://www.wikipedia.org/	1.0	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	(empty)	-	-	-	-	-	-	-	-	-
+1300475168.976436	C7XEbhP654jzLoe3a	141.142.0.0	49996	208.80.152.3	80	2	GET	upload.wikimedia.org	/wikipedia/commons/thumb/d/df/Wikispecies-logo.svg/35px-Wikispecies-logo.svg.png	http://www.wikipedia.org/	1.0	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	(empty)	-	-	-	-	-	-	-	-	-
+1300475168.979264	C3SfNE4BWaU4aSuwkc	141.142.0.0	49998	208.80.152.3	80	2	GET	upload.wikimedia.org	/wikipedia/commons/thumb/4/4c/Wikisource-logo.svg/35px-Wikisource-logo.svg.png	http://www.wikipedia.org/	1.0	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	(empty)	-	-	-	-	-	-	-	-	-
+1300475169.014619	CyAhVIzHqb7t7kv28	141.142.0.0	50000	208.80.152.3	80	2	GET	upload.wikimedia.org	/wikipedia/commons/thumb/4/4a/Commons-logo.svg/35px-Commons-logo.svg.png	http://www.wikipedia.org/	1.0	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	(empty)	-	-	-	-	-	-	-	-	-
+1300475169.014593	CzA03V1VcgagLjnO92	141.142.0.0	49999	208.80.152.3	80	2	GET	upload.wikimedia.org	/wikipedia/commons/thumb/9/91/Wikiversity-logo.svg/35px-Wikiversity-logo.svg.png	http://www.wikipedia.org/	1.0	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	(empty)	-	-	-	-	-	-	-	-	-
+1300475169.014927	CkDsfG2YIeWJmXWNWj	141.142.0.0	50001	208.80.152.3	80	2	GET	upload.wikimedia.org	/wikipedia/commons/thumb/7/75/Wikimedia_Community_Logo.svg/35px-Wikimedia_Community_Logo.svg.png	http://www.wikipedia.org/	1.0	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	(empty)	-	-	-	-	-	-	-	-	-
+#close	2016-06-15-05-37-23
diff --git a/testing/btest/Baseline/language.record-function-recursion/out b/testing/btest/Baseline/language.record-function-recursion/out
new file mode 100644
index 0000000000..b143d5339b
--- /dev/null
+++ b/testing/btest/Baseline/language.record-function-recursion/out
@@ -0,0 +1,2 @@
+[id=<uninitialized>, inner=<uninitialized>]
+record { id:count; inner:record { create:function(input:<recursion>;) : string; }; }
diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output
index 7a5718b1db..5963f63bf8 100644
--- a/testing/btest/Baseline/plugins.hooks/output
+++ b/testing/btest/Baseline/plugins.hooks/output
@@ -25,6 +25,7 @@
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 8080/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 81/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 8888/tcp)) -> <no result>
+0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_IMAP, 143/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_IRC, 6666/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_IRC, 6667/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_IRC, 6668/tcp)) -> <no result>
@@ -56,6 +57,8 @@
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_SSL, 995/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_SYSLOG, 514/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_TEREDO, 3544/udp)) -> <no result>
+0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_XMPP, 5222/tcp)) -> <no result>
+0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_XMPP, 5269/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::disable_analyzer, <frame>, (Analyzer::ANALYZER_BACKDOOR)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::disable_analyzer, <frame>, (Analyzer::ANALYZER_INTERCONN)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::disable_analyzer, <frame>, (Analyzer::ANALYZER_STEPPINGSTONE)) -> <no result>
@@ -83,6 +86,7 @@
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 8080/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 81/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 8888/tcp)) -> <no result>
+0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_IMAP, 143/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_IRC, 6666/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_IRC, 6667/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_IRC, 6668/tcp)) -> <no result>
@@ -114,6 +118,8 @@
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_SSL, 995/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_SYSLOG, 514/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_TEREDO, 3544/udp)) -> <no result>
+0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_XMPP, 5222/tcp)) -> <no result>
+0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_XMPP, 5269/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_AYIYA, {5072/udp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_DHCP, {67<...>/udp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_DNP3_TCP, {20000<...>/tcp})) -> <no result>
@@ -122,6 +128,7 @@
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_FTP, {2811<...>/tcp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_GTPV1, {2152<...>/udp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_HTTP, {631<...>/tcp})) -> <no result>
+0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_IMAP, {143/tcp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_IRC, {6669<...>/tcp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_KRB, {88/udp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_KRB_TCP, {88/tcp})) -> <no result>
@@ -137,6 +144,7 @@
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_SSL, {5223<...>/tcp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_SYSLOG, {514/udp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_TEREDO, {3544/udp})) -> <no result>
+0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_XMPP, {5222<...>/tcp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(Cluster::is_enabled, <frame>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(Cluster::is_enabled, <null>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(Files::register_analyzer_add_callback, <frame>, (Files::ANALYZER_EXTRACT, FileExtract::on_add{ if (!FileExtract::args?$extract_filename) FileExtract::args$extract_filename = cat(extract-, FileExtract::f$last_active, -, FileExtract::f$source, -, FileExtract::f$id)FileExtract::f$info$extracted = FileExtract::args$extract_filenameFileExtract::args$extract_filename = build_path_compressed(FileExtract::prefix, FileExtract::args$extract_filename)mkdir(FileExtract::prefix)})) -> <no result>
@@ -164,12 +172,17 @@
 0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (Intel::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=intel, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (KRB::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=kerberos, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (Modbus::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=modbus, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (NetControl::DROP, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=netcontrol_drop, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (NetControl::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=netcontrol, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (NetControl::SHUNT, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=netcontrol_shunt, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (Notice::ALARM_LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=notice_alarm, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (Notice::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=notice, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (OpenFlow::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=openflow, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (PE::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=pe, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (PacketFilter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=packet_filter, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (RADIUS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=radius, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (RDP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=rdp, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (RFB::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=rfb, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (Reporter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=reporter, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (SIP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=sip, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (SMTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=smtp, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <no result>
@@ -199,12 +212,17 @@
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (Intel::LOG, [columns=<no value description>, ev=Intel::log_intel, path=intel])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (KRB::LOG, [columns=<no value description>, ev=KRB::log_krb, path=kerberos])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (Modbus::LOG, [columns=<no value description>, ev=Modbus::log_modbus, path=modbus])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (NetControl::DROP, [columns=<no value description>, ev=NetControl::log_netcontrol_drop, path=netcontrol_drop])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (NetControl::LOG, [columns=<no value description>, ev=NetControl::log_netcontrol, path=netcontrol])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (NetControl::SHUNT, [columns=<no value description>, ev=NetControl::log_netcontrol_shunt, path=netcontrol_shunt])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (Notice::ALARM_LOG, [columns=<no value description>, ev=<uninitialized>, path=notice_alarm])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (Notice::LOG, [columns=<no value description>, ev=Notice::log_notice, path=notice])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (OpenFlow::LOG, [columns=<no value description>, ev=OpenFlow::log_openflow, path=openflow])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (PE::LOG, [columns=<no value description>, ev=PE::log_pe, path=pe])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (PacketFilter::LOG, [columns=<no value description>, ev=<uninitialized>, path=packet_filter])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (RADIUS::LOG, [columns=<no value description>, ev=RADIUS::log_radius, path=radius])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (RDP::LOG, [columns=<no value description>, ev=RDP::log_rdp, path=rdp])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (RFB::LOG, [columns=<no value description>, ev=RFB::log_rfb, path=rfb])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (Reporter::LOG, [columns=<no value description>, ev=<uninitialized>, path=reporter])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (SIP::LOG, [columns=<no value description>, ev=SIP::log_sip, path=sip])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (SMTP::LOG, [columns=<no value description>, ev=SMTP::log_smtp, path=smtp])) -> <no result>
@@ -220,7 +238,7 @@
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1452883249.168544, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1465969080.55715, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Cluster::LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Communication::LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Conn::LOG)) -> <no result>
@@ -235,12 +253,17 @@
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Intel::LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (KRB::LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Modbus::LOG)) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (NetControl::DROP)) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (NetControl::LOG)) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (NetControl::SHUNT)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Notice::ALARM_LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Notice::LOG)) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (OpenFlow::LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (PE::LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (PacketFilter::LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (RADIUS::LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (RDP::LOG)) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (RFB::LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Reporter::LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (SIP::LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (SMTP::LOG)) -> <no result>
@@ -270,12 +293,17 @@
 0.000000   MetaHookPost  CallFunction(Log::add_filter, <frame>, (Intel::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_filter, <frame>, (KRB::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_filter, <frame>, (Modbus::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::add_filter, <frame>, (NetControl::DROP, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::add_filter, <frame>, (NetControl::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::add_filter, <frame>, (NetControl::SHUNT, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_filter, <frame>, (Notice::ALARM_LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_filter, <frame>, (Notice::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::add_filter, <frame>, (OpenFlow::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_filter, <frame>, (PE::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_filter, <frame>, (PacketFilter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_filter, <frame>, (RADIUS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_filter, <frame>, (RDP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::add_filter, <frame>, (RFB::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_filter, <frame>, (Reporter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_filter, <frame>, (SIP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_filter, <frame>, (SMTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <no result>
@@ -305,12 +333,17 @@
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (Intel::LOG, [columns=<no value description>, ev=Intel::log_intel, path=intel])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (KRB::LOG, [columns=<no value description>, ev=KRB::log_krb, path=kerberos])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (Modbus::LOG, [columns=<no value description>, ev=Modbus::log_modbus, path=modbus])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (NetControl::DROP, [columns=<no value description>, ev=NetControl::log_netcontrol_drop, path=netcontrol_drop])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (NetControl::LOG, [columns=<no value description>, ev=NetControl::log_netcontrol, path=netcontrol])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (NetControl::SHUNT, [columns=<no value description>, ev=NetControl::log_netcontrol_shunt, path=netcontrol_shunt])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (Notice::ALARM_LOG, [columns=<no value description>, ev=<uninitialized>, path=notice_alarm])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (Notice::LOG, [columns=<no value description>, ev=Notice::log_notice, path=notice])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (OpenFlow::LOG, [columns=<no value description>, ev=OpenFlow::log_openflow, path=openflow])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (PE::LOG, [columns=<no value description>, ev=PE::log_pe, path=pe])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (PacketFilter::LOG, [columns=<no value description>, ev=<uninitialized>, path=packet_filter])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (RADIUS::LOG, [columns=<no value description>, ev=RADIUS::log_radius, path=radius])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (RDP::LOG, [columns=<no value description>, ev=RDP::log_rdp, path=rdp])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (RFB::LOG, [columns=<no value description>, ev=RFB::log_rfb, path=rfb])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (Reporter::LOG, [columns=<no value description>, ev=<uninitialized>, path=reporter])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (SIP::LOG, [columns=<no value description>, ev=SIP::log_sip, path=sip])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (SMTP::LOG, [columns=<no value description>, ev=SMTP::log_smtp, path=smtp])) -> <no result>
@@ -326,7 +359,9 @@
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1452883249.168544, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1465969080.55715, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
+0.000000   MetaHookPost  CallFunction(NetControl::check_plugins, <frame>, ()) -> <no result>
+0.000000   MetaHookPost  CallFunction(NetControl::init, <null>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(Notice::want_pp, <frame>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketFilter::build, <frame>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketFilter::combine_filters, <frame>, (ip or not ip, and, )) -> <no result>
@@ -361,6 +396,7 @@
 0.000000   MetaHookPost  CallFunction(sub, <frame>, ((^\.?|\.)(~~)$, <...>/, )) -> <no result>
 0.000000   MetaHookPost  DrainEvents() -> <void>
 0.000000   MetaHookPost  LoadFile(../main) -> -1
+0.000000   MetaHookPost  LoadFile(../plugin) -> -1
 0.000000   MetaHookPost  LoadFile(./Bro_ARP.events.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./Bro_AYIYA.events.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./Bro_AsciiReader.ascii.bif.bro) -> -1
@@ -378,6 +414,7 @@
 0.000000   MetaHookPost  LoadFile(./Bro_FTP.events.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./Bro_FTP.functions.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./Bro_File.events.bif.bro) -> -1
+0.000000   MetaHookPost  LoadFile(./Bro_FileEntropy.events.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./Bro_FileExtract.events.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./Bro_FileExtract.functions.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./Bro_FileHash.events.bif.bro) -> -1
@@ -387,6 +424,7 @@
 0.000000   MetaHookPost  LoadFile(./Bro_HTTP.events.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./Bro_HTTP.functions.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./Bro_ICMP.events.bif.bro) -> -1
+0.000000   MetaHookPost  LoadFile(./Bro_IMAP.events.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./Bro_IRC.events.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./Bro_Ident.events.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./Bro_InterConn.events.bif.bro) -> -1
@@ -408,6 +446,7 @@
 0.000000   MetaHookPost  LoadFile(./Bro_RADIUS.events.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./Bro_RDP.events.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./Bro_RDP.types.bif.bro) -> -1
+0.000000   MetaHookPost  LoadFile(./Bro_RFB.events.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./Bro_RPC.events.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./Bro_RawReader.raw.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./Bro_SIP.events.bif.bro) -> -1
@@ -433,14 +472,18 @@
 0.000000   MetaHookPost  LoadFile(./Bro_X509.events.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./Bro_X509.functions.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./Bro_X509.types.bif.bro) -> -1
+0.000000   MetaHookPost  LoadFile(./Bro_XMPP.events.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./Bro_ZIP.events.bif.bro) -> -1
+0.000000   MetaHookPost  LoadFile(./acld) -> -1
 0.000000   MetaHookPost  LoadFile(./addrs) -> -1
 0.000000   MetaHookPost  LoadFile(./analyzer.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./average) -> -1
 0.000000   MetaHookPost  LoadFile(./bloom-filter.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./bro.bif.bro) -> -1
+0.000000   MetaHookPost  LoadFile(./broker) -> -1
 0.000000   MetaHookPost  LoadFile(./broxygen.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./cardinality-counter.bif.bro) -> -1
+0.000000   MetaHookPost  LoadFile(./catch-and-release) -> -1
 0.000000   MetaHookPost  LoadFile(./comm.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./const.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./consts) -> -1
@@ -448,6 +491,8 @@
 0.000000   MetaHookPost  LoadFile(./contents) -> -1
 0.000000   MetaHookPost  LoadFile(./data.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./dcc-send) -> -1
+0.000000   MetaHookPost  LoadFile(./debug) -> -1
+0.000000   MetaHookPost  LoadFile(./drop) -> -1
 0.000000   MetaHookPost  LoadFile(./entities) -> -1
 0.000000   MetaHookPost  LoadFile(./event.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./exec) -> -1
@@ -463,6 +508,7 @@
 0.000000   MetaHookPost  LoadFile(./input) -> -1
 0.000000   MetaHookPost  LoadFile(./input.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./last) -> -1
+0.000000   MetaHookPost  LoadFile(./log) -> -1
 0.000000   MetaHookPost  LoadFile(./logging.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./magic) -> -1
 0.000000   MetaHookPost  LoadFile(./main) -> -1
@@ -473,22 +519,30 @@
 0.000000   MetaHookPost  LoadFile(./mozilla-ca-list) -> -1
 0.000000   MetaHookPost  LoadFile(./netstats) -> -1
 0.000000   MetaHookPost  LoadFile(./non-cluster) -> -1
+0.000000   MetaHookPost  LoadFile(./openflow) -> -1
+0.000000   MetaHookPost  LoadFile(./packetfilter) -> -1
 0.000000   MetaHookPost  LoadFile(./patterns) -> -1
+0.000000   MetaHookPost  LoadFile(./plugin) -> -1
 0.000000   MetaHookPost  LoadFile(./plugins) -> -1
 0.000000   MetaHookPost  LoadFile(./polling) -> -1
 0.000000   MetaHookPost  LoadFile(./postprocessors) -> -1
 0.000000   MetaHookPost  LoadFile(./reporter.bif.bro) -> -1
+0.000000   MetaHookPost  LoadFile(./ryu) -> -1
 0.000000   MetaHookPost  LoadFile(./sample) -> -1
 0.000000   MetaHookPost  LoadFile(./scp) -> -1
 0.000000   MetaHookPost  LoadFile(./sftp) -> -1
+0.000000   MetaHookPost  LoadFile(./shunt) -> -1
 0.000000   MetaHookPost  LoadFile(./site) -> -1
+0.000000   MetaHookPost  LoadFile(./stats.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./std-dev) -> -1
+0.000000   MetaHookPost  LoadFile(./store) -> -1
 0.000000   MetaHookPost  LoadFile(./store.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./strings.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./sum) -> -1
 0.000000   MetaHookPost  LoadFile(./thresholds) -> -1
 0.000000   MetaHookPost  LoadFile(./top-k.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./topk) -> -1
+0.000000   MetaHookPost  LoadFile(./types) -> -1
 0.000000   MetaHookPost  LoadFile(./types.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./types.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./unique) -> -1
@@ -523,11 +577,13 @@
 0.000000   MetaHookPost  LoadFile(base<...>/bro.bif) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/broker) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/cluster) -> -1
+0.000000   MetaHookPost  LoadFile(base<...>/comm.bif) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/communication) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/conn) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/conn-ids) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/const.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/control) -> -1
+0.000000   MetaHookPost  LoadFile(base<...>/data.bif) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/dhcp) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/dir) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/directions-and-hosts) -> -1
@@ -542,20 +598,26 @@
 0.000000   MetaHookPost  LoadFile(base<...>/find-checksum-offloading) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/find-filtered-trace) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/ftp) -> -1
+0.000000   MetaHookPost  LoadFile(base<...>/geoip-distance) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/hash) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/http) -> -1
+0.000000   MetaHookPost  LoadFile(base<...>/imap) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/input) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/input.bif) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/intel) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/irc) -> -1
+0.000000   MetaHookPost  LoadFile(base<...>/json) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/krb) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/logging) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/logging.bif) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/main) -> -1
+0.000000   MetaHookPost  LoadFile(base<...>/messaging.bif) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/modbus) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/mysql) -> -1
+0.000000   MetaHookPost  LoadFile(base<...>/netcontrol) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/notice) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/numbers) -> -1
+0.000000   MetaHookPost  LoadFile(base<...>/openflow) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/packet-filter) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/paths) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/patterns) -> -1
@@ -567,6 +629,7 @@
 0.000000   MetaHookPost  LoadFile(base<...>/rdp) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/reporter) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/reporter.bif) -> -1
+0.000000   MetaHookPost  LoadFile(base<...>/rfb) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/signatures) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/sip) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/site) -> -1
@@ -576,6 +639,7 @@
 0.000000   MetaHookPost  LoadFile(base<...>/software) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/ssh) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/ssl) -> -1
+0.000000   MetaHookPost  LoadFile(base<...>/store.bif) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/strings) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/strings.bif) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/sumstats) -> -1
@@ -588,6 +652,8 @@
 0.000000   MetaHookPost  LoadFile(base<...>/urls) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/utils) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/x509) -> -1
+0.000000   MetaHookPost  LoadFile(base<...>/xmpp) -> -1
+0.000000   MetaHookPost  QueueEvent(NetControl::init()) -> false
 0.000000   MetaHookPost  QueueEvent(bro_init()) -> false
 0.000000   MetaHookPost  QueueEvent(filter_change_tracking()) -> false
 0.000000   MetaHookPre   CallFunction(Analyzer::__disable_analyzer, <frame>, (Analyzer::ANALYZER_BACKDOOR))
@@ -617,6 +683,7 @@
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 8080/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 81/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 8888/tcp))
+0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_IMAP, 143/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_IRC, 6666/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_IRC, 6667/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_IRC, 6668/tcp))
@@ -648,6 +715,8 @@
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_SSL, 995/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_SYSLOG, 514/udp))
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_TEREDO, 3544/udp))
+0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_XMPP, 5222/tcp))
+0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_XMPP, 5269/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::disable_analyzer, <frame>, (Analyzer::ANALYZER_BACKDOOR))
 0.000000   MetaHookPre   CallFunction(Analyzer::disable_analyzer, <frame>, (Analyzer::ANALYZER_INTERCONN))
 0.000000   MetaHookPre   CallFunction(Analyzer::disable_analyzer, <frame>, (Analyzer::ANALYZER_STEPPINGSTONE))
@@ -675,6 +744,7 @@
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 8080/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 81/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 8888/tcp))
+0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_IMAP, 143/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_IRC, 6666/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_IRC, 6667/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_IRC, 6668/tcp))
@@ -706,6 +776,8 @@
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_SSL, 995/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_SYSLOG, 514/udp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_TEREDO, 3544/udp))
+0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_XMPP, 5222/tcp))
+0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_XMPP, 5269/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_AYIYA, {5072/udp}))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_DHCP, {67<...>/udp}))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_DNP3_TCP, {20000<...>/tcp}))
@@ -714,6 +786,7 @@
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_FTP, {2811<...>/tcp}))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_GTPV1, {2152<...>/udp}))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_HTTP, {631<...>/tcp}))
+0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_IMAP, {143/tcp}))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_IRC, {6669<...>/tcp}))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_KRB, {88/udp}))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_KRB_TCP, {88/tcp}))
@@ -729,6 +802,7 @@
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_SSL, {5223<...>/tcp}))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_SYSLOG, {514/udp}))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_TEREDO, {3544/udp}))
+0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_XMPP, {5222<...>/tcp}))
 0.000000   MetaHookPre   CallFunction(Cluster::is_enabled, <frame>, ())
 0.000000   MetaHookPre   CallFunction(Cluster::is_enabled, <null>, ())
 0.000000   MetaHookPre   CallFunction(Files::register_analyzer_add_callback, <frame>, (Files::ANALYZER_EXTRACT, FileExtract::on_add{ if (!FileExtract::args?$extract_filename) FileExtract::args$extract_filename = cat(extract-, FileExtract::f$last_active, -, FileExtract::f$source, -, FileExtract::f$id)FileExtract::f$info$extracted = FileExtract::args$extract_filenameFileExtract::args$extract_filename = build_path_compressed(FileExtract::prefix, FileExtract::args$extract_filename)mkdir(FileExtract::prefix)}))
@@ -756,12 +830,17 @@
 0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (Intel::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=intel, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
 0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (KRB::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=kerberos, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
 0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (Modbus::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=modbus, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
+0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (NetControl::DROP, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=netcontrol_drop, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
+0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (NetControl::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=netcontrol, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
+0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (NetControl::SHUNT, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=netcontrol_shunt, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
 0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (Notice::ALARM_LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=notice_alarm, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
 0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (Notice::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=notice, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
+0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (OpenFlow::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=openflow, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
 0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (PE::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=pe, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
 0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (PacketFilter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=packet_filter, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
 0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (RADIUS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=radius, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
 0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (RDP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=rdp, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
+0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (RFB::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=rfb, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
 0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (Reporter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=reporter, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
 0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (SIP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=sip, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
 0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (SMTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=smtp, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
@@ -791,12 +870,17 @@
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (Intel::LOG, [columns=<no value description>, ev=Intel::log_intel, path=intel]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (KRB::LOG, [columns=<no value description>, ev=KRB::log_krb, path=kerberos]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (Modbus::LOG, [columns=<no value description>, ev=Modbus::log_modbus, path=modbus]))
+0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (NetControl::DROP, [columns=<no value description>, ev=NetControl::log_netcontrol_drop, path=netcontrol_drop]))
+0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (NetControl::LOG, [columns=<no value description>, ev=NetControl::log_netcontrol, path=netcontrol]))
+0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (NetControl::SHUNT, [columns=<no value description>, ev=NetControl::log_netcontrol_shunt, path=netcontrol_shunt]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (Notice::ALARM_LOG, [columns=<no value description>, ev=<uninitialized>, path=notice_alarm]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (Notice::LOG, [columns=<no value description>, ev=Notice::log_notice, path=notice]))
+0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (OpenFlow::LOG, [columns=<no value description>, ev=OpenFlow::log_openflow, path=openflow]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (PE::LOG, [columns=<no value description>, ev=PE::log_pe, path=pe]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (PacketFilter::LOG, [columns=<no value description>, ev=<uninitialized>, path=packet_filter]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (RADIUS::LOG, [columns=<no value description>, ev=RADIUS::log_radius, path=radius]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (RDP::LOG, [columns=<no value description>, ev=RDP::log_rdp, path=rdp]))
+0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (RFB::LOG, [columns=<no value description>, ev=RFB::log_rfb, path=rfb]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (Reporter::LOG, [columns=<no value description>, ev=<uninitialized>, path=reporter]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (SIP::LOG, [columns=<no value description>, ev=SIP::log_sip, path=sip]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (SMTP::LOG, [columns=<no value description>, ev=SMTP::log_smtp, path=smtp]))
@@ -812,7 +896,7 @@
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql]))
-0.000000   MetaHookPre   CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1452883249.168544, node=bro, filter=ip or not ip, init=T, success=T]))
+0.000000   MetaHookPre   CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1465969080.55715, node=bro, filter=ip or not ip, init=T, success=T]))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Cluster::LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Communication::LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Conn::LOG))
@@ -827,12 +911,17 @@
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Intel::LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (KRB::LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Modbus::LOG))
+0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (NetControl::DROP))
+0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (NetControl::LOG))
+0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (NetControl::SHUNT))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Notice::ALARM_LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Notice::LOG))
+0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (OpenFlow::LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (PE::LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (PacketFilter::LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (RADIUS::LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (RDP::LOG))
+0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (RFB::LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Reporter::LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (SIP::LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (SMTP::LOG))
@@ -862,12 +951,17 @@
 0.000000   MetaHookPre   CallFunction(Log::add_filter, <frame>, (Intel::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
 0.000000   MetaHookPre   CallFunction(Log::add_filter, <frame>, (KRB::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
 0.000000   MetaHookPre   CallFunction(Log::add_filter, <frame>, (Modbus::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
+0.000000   MetaHookPre   CallFunction(Log::add_filter, <frame>, (NetControl::DROP, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
+0.000000   MetaHookPre   CallFunction(Log::add_filter, <frame>, (NetControl::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
+0.000000   MetaHookPre   CallFunction(Log::add_filter, <frame>, (NetControl::SHUNT, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
 0.000000   MetaHookPre   CallFunction(Log::add_filter, <frame>, (Notice::ALARM_LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
 0.000000   MetaHookPre   CallFunction(Log::add_filter, <frame>, (Notice::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
+0.000000   MetaHookPre   CallFunction(Log::add_filter, <frame>, (OpenFlow::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
 0.000000   MetaHookPre   CallFunction(Log::add_filter, <frame>, (PE::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
 0.000000   MetaHookPre   CallFunction(Log::add_filter, <frame>, (PacketFilter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
 0.000000   MetaHookPre   CallFunction(Log::add_filter, <frame>, (RADIUS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
 0.000000   MetaHookPre   CallFunction(Log::add_filter, <frame>, (RDP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
+0.000000   MetaHookPre   CallFunction(Log::add_filter, <frame>, (RFB::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
 0.000000   MetaHookPre   CallFunction(Log::add_filter, <frame>, (Reporter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
 0.000000   MetaHookPre   CallFunction(Log::add_filter, <frame>, (SIP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
 0.000000   MetaHookPre   CallFunction(Log::add_filter, <frame>, (SMTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
@@ -897,12 +991,17 @@
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (Intel::LOG, [columns=<no value description>, ev=Intel::log_intel, path=intel]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (KRB::LOG, [columns=<no value description>, ev=KRB::log_krb, path=kerberos]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (Modbus::LOG, [columns=<no value description>, ev=Modbus::log_modbus, path=modbus]))
+0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (NetControl::DROP, [columns=<no value description>, ev=NetControl::log_netcontrol_drop, path=netcontrol_drop]))
+0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (NetControl::LOG, [columns=<no value description>, ev=NetControl::log_netcontrol, path=netcontrol]))
+0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (NetControl::SHUNT, [columns=<no value description>, ev=NetControl::log_netcontrol_shunt, path=netcontrol_shunt]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (Notice::ALARM_LOG, [columns=<no value description>, ev=<uninitialized>, path=notice_alarm]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (Notice::LOG, [columns=<no value description>, ev=Notice::log_notice, path=notice]))
+0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (OpenFlow::LOG, [columns=<no value description>, ev=OpenFlow::log_openflow, path=openflow]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (PE::LOG, [columns=<no value description>, ev=PE::log_pe, path=pe]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (PacketFilter::LOG, [columns=<no value description>, ev=<uninitialized>, path=packet_filter]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (RADIUS::LOG, [columns=<no value description>, ev=RADIUS::log_radius, path=radius]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (RDP::LOG, [columns=<no value description>, ev=RDP::log_rdp, path=rdp]))
+0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (RFB::LOG, [columns=<no value description>, ev=RFB::log_rfb, path=rfb]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (Reporter::LOG, [columns=<no value description>, ev=<uninitialized>, path=reporter]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (SIP::LOG, [columns=<no value description>, ev=SIP::log_sip, path=sip]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (SMTP::LOG, [columns=<no value description>, ev=SMTP::log_smtp, path=smtp]))
@@ -918,7 +1017,9 @@
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql]))
-0.000000   MetaHookPre   CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1452883249.168544, node=bro, filter=ip or not ip, init=T, success=T]))
+0.000000   MetaHookPre   CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1465969080.55715, node=bro, filter=ip or not ip, init=T, success=T]))
+0.000000   MetaHookPre   CallFunction(NetControl::check_plugins, <frame>, ())
+0.000000   MetaHookPre   CallFunction(NetControl::init, <null>, ())
 0.000000   MetaHookPre   CallFunction(Notice::want_pp, <frame>, ())
 0.000000   MetaHookPre   CallFunction(PacketFilter::build, <frame>, ())
 0.000000   MetaHookPre   CallFunction(PacketFilter::combine_filters, <frame>, (ip or not ip, and, ))
@@ -953,6 +1054,7 @@
 0.000000   MetaHookPre   CallFunction(sub, <frame>, ((^\.?|\.)(~~)$, <...>/, ))
 0.000000   MetaHookPre   DrainEvents()
 0.000000   MetaHookPre   LoadFile(../main)
+0.000000   MetaHookPre   LoadFile(../plugin)
 0.000000   MetaHookPre   LoadFile(./Bro_ARP.events.bif.bro)
 0.000000   MetaHookPre   LoadFile(./Bro_AYIYA.events.bif.bro)
 0.000000   MetaHookPre   LoadFile(./Bro_AsciiReader.ascii.bif.bro)
@@ -970,6 +1072,7 @@
 0.000000   MetaHookPre   LoadFile(./Bro_FTP.events.bif.bro)
 0.000000   MetaHookPre   LoadFile(./Bro_FTP.functions.bif.bro)
 0.000000   MetaHookPre   LoadFile(./Bro_File.events.bif.bro)
+0.000000   MetaHookPre   LoadFile(./Bro_FileEntropy.events.bif.bro)
 0.000000   MetaHookPre   LoadFile(./Bro_FileExtract.events.bif.bro)
 0.000000   MetaHookPre   LoadFile(./Bro_FileExtract.functions.bif.bro)
 0.000000   MetaHookPre   LoadFile(./Bro_FileHash.events.bif.bro)
@@ -979,6 +1082,7 @@
 0.000000   MetaHookPre   LoadFile(./Bro_HTTP.events.bif.bro)
 0.000000   MetaHookPre   LoadFile(./Bro_HTTP.functions.bif.bro)
 0.000000   MetaHookPre   LoadFile(./Bro_ICMP.events.bif.bro)
+0.000000   MetaHookPre   LoadFile(./Bro_IMAP.events.bif.bro)
 0.000000   MetaHookPre   LoadFile(./Bro_IRC.events.bif.bro)
 0.000000   MetaHookPre   LoadFile(./Bro_Ident.events.bif.bro)
 0.000000   MetaHookPre   LoadFile(./Bro_InterConn.events.bif.bro)
@@ -1000,6 +1104,7 @@
 0.000000   MetaHookPre   LoadFile(./Bro_RADIUS.events.bif.bro)
 0.000000   MetaHookPre   LoadFile(./Bro_RDP.events.bif.bro)
 0.000000   MetaHookPre   LoadFile(./Bro_RDP.types.bif.bro)
+0.000000   MetaHookPre   LoadFile(./Bro_RFB.events.bif.bro)
 0.000000   MetaHookPre   LoadFile(./Bro_RPC.events.bif.bro)
 0.000000   MetaHookPre   LoadFile(./Bro_RawReader.raw.bif.bro)
 0.000000   MetaHookPre   LoadFile(./Bro_SIP.events.bif.bro)
@@ -1025,14 +1130,18 @@
 0.000000   MetaHookPre   LoadFile(./Bro_X509.events.bif.bro)
 0.000000   MetaHookPre   LoadFile(./Bro_X509.functions.bif.bro)
 0.000000   MetaHookPre   LoadFile(./Bro_X509.types.bif.bro)
+0.000000   MetaHookPre   LoadFile(./Bro_XMPP.events.bif.bro)
 0.000000   MetaHookPre   LoadFile(./Bro_ZIP.events.bif.bro)
+0.000000   MetaHookPre   LoadFile(./acld)
 0.000000   MetaHookPre   LoadFile(./addrs)
 0.000000   MetaHookPre   LoadFile(./analyzer.bif.bro)
 0.000000   MetaHookPre   LoadFile(./average)
 0.000000   MetaHookPre   LoadFile(./bloom-filter.bif.bro)
 0.000000   MetaHookPre   LoadFile(./bro.bif.bro)
+0.000000   MetaHookPre   LoadFile(./broker)
 0.000000   MetaHookPre   LoadFile(./broxygen.bif.bro)
 0.000000   MetaHookPre   LoadFile(./cardinality-counter.bif.bro)
+0.000000   MetaHookPre   LoadFile(./catch-and-release)
 0.000000   MetaHookPre   LoadFile(./comm.bif.bro)
 0.000000   MetaHookPre   LoadFile(./const.bif.bro)
 0.000000   MetaHookPre   LoadFile(./consts)
@@ -1040,6 +1149,8 @@
 0.000000   MetaHookPre   LoadFile(./contents)
 0.000000   MetaHookPre   LoadFile(./data.bif.bro)
 0.000000   MetaHookPre   LoadFile(./dcc-send)
+0.000000   MetaHookPre   LoadFile(./debug)
+0.000000   MetaHookPre   LoadFile(./drop)
 0.000000   MetaHookPre   LoadFile(./entities)
 0.000000   MetaHookPre   LoadFile(./event.bif.bro)
 0.000000   MetaHookPre   LoadFile(./exec)
@@ -1055,6 +1166,7 @@
 0.000000   MetaHookPre   LoadFile(./input)
 0.000000   MetaHookPre   LoadFile(./input.bif.bro)
 0.000000   MetaHookPre   LoadFile(./last)
+0.000000   MetaHookPre   LoadFile(./log)
 0.000000   MetaHookPre   LoadFile(./logging.bif.bro)
 0.000000   MetaHookPre   LoadFile(./magic)
 0.000000   MetaHookPre   LoadFile(./main)
@@ -1065,22 +1177,30 @@
 0.000000   MetaHookPre   LoadFile(./mozilla-ca-list)
 0.000000   MetaHookPre   LoadFile(./netstats)
 0.000000   MetaHookPre   LoadFile(./non-cluster)
+0.000000   MetaHookPre   LoadFile(./openflow)
+0.000000   MetaHookPre   LoadFile(./packetfilter)
 0.000000   MetaHookPre   LoadFile(./patterns)
+0.000000   MetaHookPre   LoadFile(./plugin)
 0.000000   MetaHookPre   LoadFile(./plugins)
 0.000000   MetaHookPre   LoadFile(./polling)
 0.000000   MetaHookPre   LoadFile(./postprocessors)
 0.000000   MetaHookPre   LoadFile(./reporter.bif.bro)
+0.000000   MetaHookPre   LoadFile(./ryu)
 0.000000   MetaHookPre   LoadFile(./sample)
 0.000000   MetaHookPre   LoadFile(./scp)
 0.000000   MetaHookPre   LoadFile(./sftp)
+0.000000   MetaHookPre   LoadFile(./shunt)
 0.000000   MetaHookPre   LoadFile(./site)
+0.000000   MetaHookPre   LoadFile(./stats.bif.bro)
 0.000000   MetaHookPre   LoadFile(./std-dev)
+0.000000   MetaHookPre   LoadFile(./store)
 0.000000   MetaHookPre   LoadFile(./store.bif.bro)
 0.000000   MetaHookPre   LoadFile(./strings.bif.bro)
 0.000000   MetaHookPre   LoadFile(./sum)
 0.000000   MetaHookPre   LoadFile(./thresholds)
 0.000000   MetaHookPre   LoadFile(./top-k.bif.bro)
 0.000000   MetaHookPre   LoadFile(./topk)
+0.000000   MetaHookPre   LoadFile(./types)
 0.000000   MetaHookPre   LoadFile(./types.bif.bro)
 0.000000   MetaHookPre   LoadFile(./types.bro)
 0.000000   MetaHookPre   LoadFile(./unique)
@@ -1115,11 +1235,13 @@
 0.000000   MetaHookPre   LoadFile(base<...>/bro.bif)
 0.000000   MetaHookPre   LoadFile(base<...>/broker)
 0.000000   MetaHookPre   LoadFile(base<...>/cluster)
+0.000000   MetaHookPre   LoadFile(base<...>/comm.bif)
 0.000000   MetaHookPre   LoadFile(base<...>/communication)
 0.000000   MetaHookPre   LoadFile(base<...>/conn)
 0.000000   MetaHookPre   LoadFile(base<...>/conn-ids)
 0.000000   MetaHookPre   LoadFile(base<...>/const.bif.bro)
 0.000000   MetaHookPre   LoadFile(base<...>/control)
+0.000000   MetaHookPre   LoadFile(base<...>/data.bif)
 0.000000   MetaHookPre   LoadFile(base<...>/dhcp)
 0.000000   MetaHookPre   LoadFile(base<...>/dir)
 0.000000   MetaHookPre   LoadFile(base<...>/directions-and-hosts)
@@ -1134,20 +1256,26 @@
 0.000000   MetaHookPre   LoadFile(base<...>/find-checksum-offloading)
 0.000000   MetaHookPre   LoadFile(base<...>/find-filtered-trace)
 0.000000   MetaHookPre   LoadFile(base<...>/ftp)
+0.000000   MetaHookPre   LoadFile(base<...>/geoip-distance)
 0.000000   MetaHookPre   LoadFile(base<...>/hash)
 0.000000   MetaHookPre   LoadFile(base<...>/http)
+0.000000   MetaHookPre   LoadFile(base<...>/imap)
 0.000000   MetaHookPre   LoadFile(base<...>/input)
 0.000000   MetaHookPre   LoadFile(base<...>/input.bif)
 0.000000   MetaHookPre   LoadFile(base<...>/intel)
 0.000000   MetaHookPre   LoadFile(base<...>/irc)
+0.000000   MetaHookPre   LoadFile(base<...>/json)
 0.000000   MetaHookPre   LoadFile(base<...>/krb)
 0.000000   MetaHookPre   LoadFile(base<...>/logging)
 0.000000   MetaHookPre   LoadFile(base<...>/logging.bif)
 0.000000   MetaHookPre   LoadFile(base<...>/main)
+0.000000   MetaHookPre   LoadFile(base<...>/messaging.bif)
 0.000000   MetaHookPre   LoadFile(base<...>/modbus)
 0.000000   MetaHookPre   LoadFile(base<...>/mysql)
+0.000000   MetaHookPre   LoadFile(base<...>/netcontrol)
 0.000000   MetaHookPre   LoadFile(base<...>/notice)
 0.000000   MetaHookPre   LoadFile(base<...>/numbers)
+0.000000   MetaHookPre   LoadFile(base<...>/openflow)
 0.000000   MetaHookPre   LoadFile(base<...>/packet-filter)
 0.000000   MetaHookPre   LoadFile(base<...>/paths)
 0.000000   MetaHookPre   LoadFile(base<...>/patterns)
@@ -1159,6 +1287,7 @@
 0.000000   MetaHookPre   LoadFile(base<...>/rdp)
 0.000000   MetaHookPre   LoadFile(base<...>/reporter)
 0.000000   MetaHookPre   LoadFile(base<...>/reporter.bif)
+0.000000   MetaHookPre   LoadFile(base<...>/rfb)
 0.000000   MetaHookPre   LoadFile(base<...>/signatures)
 0.000000   MetaHookPre   LoadFile(base<...>/sip)
 0.000000   MetaHookPre   LoadFile(base<...>/site)
@@ -1168,6 +1297,7 @@
 0.000000   MetaHookPre   LoadFile(base<...>/software)
 0.000000   MetaHookPre   LoadFile(base<...>/ssh)
 0.000000   MetaHookPre   LoadFile(base<...>/ssl)
+0.000000   MetaHookPre   LoadFile(base<...>/store.bif)
 0.000000   MetaHookPre   LoadFile(base<...>/strings)
 0.000000   MetaHookPre   LoadFile(base<...>/strings.bif)
 0.000000   MetaHookPre   LoadFile(base<...>/sumstats)
@@ -1180,6 +1310,8 @@
 0.000000   MetaHookPre   LoadFile(base<...>/urls)
 0.000000   MetaHookPre   LoadFile(base<...>/utils)
 0.000000   MetaHookPre   LoadFile(base<...>/x509)
+0.000000   MetaHookPre   LoadFile(base<...>/xmpp)
+0.000000   MetaHookPre   QueueEvent(NetControl::init())
 0.000000   MetaHookPre   QueueEvent(bro_init())
 0.000000   MetaHookPre   QueueEvent(filter_change_tracking())
 0.000000 | HookCallFunction Analyzer::__disable_analyzer(Analyzer::ANALYZER_BACKDOOR)
@@ -1209,6 +1341,7 @@
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_HTTP, 8080/tcp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_HTTP, 81/tcp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_HTTP, 8888/tcp)
+0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_IMAP, 143/tcp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_IRC, 6666/tcp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_IRC, 6667/tcp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_IRC, 6668/tcp)
@@ -1240,6 +1373,8 @@
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_SSL, 995/tcp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_SYSLOG, 514/udp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_TEREDO, 3544/udp)
+0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_XMPP, 5222/tcp)
+0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_XMPP, 5269/tcp)
 0.000000 | HookCallFunction Analyzer::disable_analyzer(Analyzer::ANALYZER_BACKDOOR)
 0.000000 | HookCallFunction Analyzer::disable_analyzer(Analyzer::ANALYZER_INTERCONN)
 0.000000 | HookCallFunction Analyzer::disable_analyzer(Analyzer::ANALYZER_STEPPINGSTONE)
@@ -1267,6 +1402,7 @@
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_HTTP, 8080/tcp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_HTTP, 81/tcp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_HTTP, 8888/tcp)
+0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_IMAP, 143/tcp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_IRC, 6666/tcp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_IRC, 6667/tcp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_IRC, 6668/tcp)
@@ -1298,6 +1434,8 @@
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_SSL, 995/tcp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_SYSLOG, 514/udp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_TEREDO, 3544/udp)
+0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_XMPP, 5222/tcp)
+0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_XMPP, 5269/tcp)
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_AYIYA, {5072/udp})
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_DHCP, {67<...>/udp})
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_DNP3_TCP, {20000<...>/tcp})
@@ -1306,6 +1444,7 @@
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_FTP, {2811<...>/tcp})
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_GTPV1, {2152<...>/udp})
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_HTTP, {631<...>/tcp})
+0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_IMAP, {143/tcp})
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_IRC, {6669<...>/tcp})
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_KRB, {88/udp})
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_KRB_TCP, {88/tcp})
@@ -1321,6 +1460,7 @@
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_SSL, {5223<...>/tcp})
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_SYSLOG, {514/udp})
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_TEREDO, {3544/udp})
+0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_XMPP, {5222<...>/tcp})
 0.000000 | HookCallFunction Cluster::is_enabled()
 0.000000 | HookCallFunction Files::register_analyzer_add_callback(Files::ANALYZER_EXTRACT, FileExtract::on_add{ if (!FileExtract::args?$extract_filename) FileExtract::args$extract_filename = cat(extract-, FileExtract::f$last_active, -, FileExtract::f$source, -, FileExtract::f$id)FileExtract::f$info$extracted = FileExtract::args$extract_filenameFileExtract::args$extract_filename = build_path_compressed(FileExtract::prefix, FileExtract::args$extract_filename)mkdir(FileExtract::prefix)})
 0.000000 | HookCallFunction Files::register_for_mime_type(Files::ANALYZER_PE, application/x-dosexec)
@@ -1347,12 +1487,17 @@
 0.000000 | HookCallFunction Log::__add_filter(Intel::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=intel, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
 0.000000 | HookCallFunction Log::__add_filter(KRB::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=kerberos, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
 0.000000 | HookCallFunction Log::__add_filter(Modbus::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=modbus, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
+0.000000 | HookCallFunction Log::__add_filter(NetControl::DROP, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=netcontrol_drop, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
+0.000000 | HookCallFunction Log::__add_filter(NetControl::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=netcontrol, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
+0.000000 | HookCallFunction Log::__add_filter(NetControl::SHUNT, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=netcontrol_shunt, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
 0.000000 | HookCallFunction Log::__add_filter(Notice::ALARM_LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=notice_alarm, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
 0.000000 | HookCallFunction Log::__add_filter(Notice::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=notice, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
+0.000000 | HookCallFunction Log::__add_filter(OpenFlow::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=openflow, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
 0.000000 | HookCallFunction Log::__add_filter(PE::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=pe, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
 0.000000 | HookCallFunction Log::__add_filter(PacketFilter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=packet_filter, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
 0.000000 | HookCallFunction Log::__add_filter(RADIUS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=radius, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
 0.000000 | HookCallFunction Log::__add_filter(RDP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=rdp, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
+0.000000 | HookCallFunction Log::__add_filter(RFB::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=rfb, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
 0.000000 | HookCallFunction Log::__add_filter(Reporter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=reporter, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
 0.000000 | HookCallFunction Log::__add_filter(SIP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=sip, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
 0.000000 | HookCallFunction Log::__add_filter(SMTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=smtp, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
@@ -1382,12 +1527,17 @@
 0.000000 | HookCallFunction Log::__create_stream(Intel::LOG, [columns=<no value description>, ev=Intel::log_intel, path=intel])
 0.000000 | HookCallFunction Log::__create_stream(KRB::LOG, [columns=<no value description>, ev=KRB::log_krb, path=kerberos])
 0.000000 | HookCallFunction Log::__create_stream(Modbus::LOG, [columns=<no value description>, ev=Modbus::log_modbus, path=modbus])
+0.000000 | HookCallFunction Log::__create_stream(NetControl::DROP, [columns=<no value description>, ev=NetControl::log_netcontrol_drop, path=netcontrol_drop])
+0.000000 | HookCallFunction Log::__create_stream(NetControl::LOG, [columns=<no value description>, ev=NetControl::log_netcontrol, path=netcontrol])
+0.000000 | HookCallFunction Log::__create_stream(NetControl::SHUNT, [columns=<no value description>, ev=NetControl::log_netcontrol_shunt, path=netcontrol_shunt])
 0.000000 | HookCallFunction Log::__create_stream(Notice::ALARM_LOG, [columns=<no value description>, ev=<uninitialized>, path=notice_alarm])
 0.000000 | HookCallFunction Log::__create_stream(Notice::LOG, [columns=<no value description>, ev=Notice::log_notice, path=notice])
+0.000000 | HookCallFunction Log::__create_stream(OpenFlow::LOG, [columns=<no value description>, ev=OpenFlow::log_openflow, path=openflow])
 0.000000 | HookCallFunction Log::__create_stream(PE::LOG, [columns=<no value description>, ev=PE::log_pe, path=pe])
 0.000000 | HookCallFunction Log::__create_stream(PacketFilter::LOG, [columns=<no value description>, ev=<uninitialized>, path=packet_filter])
 0.000000 | HookCallFunction Log::__create_stream(RADIUS::LOG, [columns=<no value description>, ev=RADIUS::log_radius, path=radius])
 0.000000 | HookCallFunction Log::__create_stream(RDP::LOG, [columns=<no value description>, ev=RDP::log_rdp, path=rdp])
+0.000000 | HookCallFunction Log::__create_stream(RFB::LOG, [columns=<no value description>, ev=RFB::log_rfb, path=rfb])
 0.000000 | HookCallFunction Log::__create_stream(Reporter::LOG, [columns=<no value description>, ev=<uninitialized>, path=reporter])
 0.000000 | HookCallFunction Log::__create_stream(SIP::LOG, [columns=<no value description>, ev=SIP::log_sip, path=sip])
 0.000000 | HookCallFunction Log::__create_stream(SMTP::LOG, [columns=<no value description>, ev=SMTP::log_smtp, path=smtp])
@@ -1403,7 +1553,7 @@
 0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])
 0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])
 0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])
-0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1452883249.168544, node=bro, filter=ip or not ip, init=T, success=T])
+0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1465969080.55715, node=bro, filter=ip or not ip, init=T, success=T])
 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(Communication::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(Conn::LOG)
@@ -1418,12 +1568,17 @@
 0.000000 | HookCallFunction Log::add_default_filter(Intel::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(KRB::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(Modbus::LOG)
+0.000000 | HookCallFunction Log::add_default_filter(NetControl::DROP)
+0.000000 | HookCallFunction Log::add_default_filter(NetControl::LOG)
+0.000000 | HookCallFunction Log::add_default_filter(NetControl::SHUNT)
 0.000000 | HookCallFunction Log::add_default_filter(Notice::ALARM_LOG)
 0.000000 | HookCallFunction Log::add_default_filter(Notice::LOG)
+0.000000 | HookCallFunction Log::add_default_filter(OpenFlow::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(PE::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(PacketFilter::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(RADIUS::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(RDP::LOG)
+0.000000 | HookCallFunction Log::add_default_filter(RFB::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(Reporter::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(SIP::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(SMTP::LOG)
@@ -1453,12 +1608,17 @@
 0.000000 | HookCallFunction Log::add_filter(Intel::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
 0.000000 | HookCallFunction Log::add_filter(KRB::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
 0.000000 | HookCallFunction Log::add_filter(Modbus::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
+0.000000 | HookCallFunction Log::add_filter(NetControl::DROP, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
+0.000000 | HookCallFunction Log::add_filter(NetControl::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
+0.000000 | HookCallFunction Log::add_filter(NetControl::SHUNT, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
 0.000000 | HookCallFunction Log::add_filter(Notice::ALARM_LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
 0.000000 | HookCallFunction Log::add_filter(Notice::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
+0.000000 | HookCallFunction Log::add_filter(OpenFlow::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
 0.000000 | HookCallFunction Log::add_filter(PE::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
 0.000000 | HookCallFunction Log::add_filter(PacketFilter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
 0.000000 | HookCallFunction Log::add_filter(RADIUS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
 0.000000 | HookCallFunction Log::add_filter(RDP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
+0.000000 | HookCallFunction Log::add_filter(RFB::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
 0.000000 | HookCallFunction Log::add_filter(Reporter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
 0.000000 | HookCallFunction Log::add_filter(SIP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
 0.000000 | HookCallFunction Log::add_filter(SMTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
@@ -1488,12 +1648,17 @@
 0.000000 | HookCallFunction Log::create_stream(Intel::LOG, [columns=<no value description>, ev=Intel::log_intel, path=intel])
 0.000000 | HookCallFunction Log::create_stream(KRB::LOG, [columns=<no value description>, ev=KRB::log_krb, path=kerberos])
 0.000000 | HookCallFunction Log::create_stream(Modbus::LOG, [columns=<no value description>, ev=Modbus::log_modbus, path=modbus])
+0.000000 | HookCallFunction Log::create_stream(NetControl::DROP, [columns=<no value description>, ev=NetControl::log_netcontrol_drop, path=netcontrol_drop])
+0.000000 | HookCallFunction Log::create_stream(NetControl::LOG, [columns=<no value description>, ev=NetControl::log_netcontrol, path=netcontrol])
+0.000000 | HookCallFunction Log::create_stream(NetControl::SHUNT, [columns=<no value description>, ev=NetControl::log_netcontrol_shunt, path=netcontrol_shunt])
 0.000000 | HookCallFunction Log::create_stream(Notice::ALARM_LOG, [columns=<no value description>, ev=<uninitialized>, path=notice_alarm])
 0.000000 | HookCallFunction Log::create_stream(Notice::LOG, [columns=<no value description>, ev=Notice::log_notice, path=notice])
+0.000000 | HookCallFunction Log::create_stream(OpenFlow::LOG, [columns=<no value description>, ev=OpenFlow::log_openflow, path=openflow])
 0.000000 | HookCallFunction Log::create_stream(PE::LOG, [columns=<no value description>, ev=PE::log_pe, path=pe])
 0.000000 | HookCallFunction Log::create_stream(PacketFilter::LOG, [columns=<no value description>, ev=<uninitialized>, path=packet_filter])
 0.000000 | HookCallFunction Log::create_stream(RADIUS::LOG, [columns=<no value description>, ev=RADIUS::log_radius, path=radius])
 0.000000 | HookCallFunction Log::create_stream(RDP::LOG, [columns=<no value description>, ev=RDP::log_rdp, path=rdp])
+0.000000 | HookCallFunction Log::create_stream(RFB::LOG, [columns=<no value description>, ev=RFB::log_rfb, path=rfb])
 0.000000 | HookCallFunction Log::create_stream(Reporter::LOG, [columns=<no value description>, ev=<uninitialized>, path=reporter])
 0.000000 | HookCallFunction Log::create_stream(SIP::LOG, [columns=<no value description>, ev=SIP::log_sip, path=sip])
 0.000000 | HookCallFunction Log::create_stream(SMTP::LOG, [columns=<no value description>, ev=SMTP::log_smtp, path=smtp])
@@ -1509,7 +1674,9 @@
 0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])
 0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])
 0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])
-0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1452883249.168544, node=bro, filter=ip or not ip, init=T, success=T])
+0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1465969080.55715, node=bro, filter=ip or not ip, init=T, success=T])
+0.000000 | HookCallFunction NetControl::check_plugins()
+0.000000 | HookCallFunction NetControl::init()
 0.000000 | HookCallFunction Notice::want_pp()
 0.000000 | HookCallFunction PacketFilter::build()
 0.000000 | HookCallFunction PacketFilter::combine_filters(ip or not ip, and, )
@@ -1548,51 +1715,55 @@
 0.000000 | HookLoadFile  <...>/bro
 0.000000 | HookLoadFile  base<...>/bif
 0.000000 | HookLoadFile  base<...>/bro
+0.000000 | HookQueueEvent NetControl::init()
 0.000000 | HookQueueEvent bro_init()
 0.000000 | HookQueueEvent filter_change_tracking()
 1362692526.869344   MetaHookPost  BroObjDtor(<void ptr>) -> <void>
 1362692526.869344   MetaHookPost  CallFunction(ChecksumOffloading::check, <null>, ()) -> <no result>
+1362692526.869344   MetaHookPost  CallFunction(NetControl::check_conn, <frame>, (141.142.228.5)) -> <no result>
 1362692526.869344   MetaHookPost  CallFunction(filter_change_tracking, <null>, ()) -> <no result>
-1362692526.869344   MetaHookPost  CallFunction(net_stats, <frame>, ()) -> <no result>
-1362692526.869344   MetaHookPost  CallFunction(new_connection, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1362692526.869344, duration=0.0, service={}, history=, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])) -> <no result>
+1362692526.869344   MetaHookPost  CallFunction(get_net_stats, <frame>, ()) -> <no result>
+1362692526.869344   MetaHookPost  CallFunction(new_connection, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.0, service={}, history=, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])) -> <no result>
 1362692526.869344   MetaHookPost  DrainEvents() -> <void>
 1362692526.869344   MetaHookPost  QueueEvent(ChecksumOffloading::check()) -> false
 1362692526.869344   MetaHookPost  QueueEvent(filter_change_tracking()) -> false
-1362692526.869344   MetaHookPost  QueueEvent(new_connection([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1362692526.869344, duration=0.0, service={}, history=, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])) -> false
+1362692526.869344   MetaHookPost  QueueEvent(new_connection([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.0, service={}, history=, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])) -> false
 1362692526.869344   MetaHookPost  UpdateNetworkTime(1362692526.869344) -> <void>
 1362692526.869344   MetaHookPre   BroObjDtor(<void ptr>)
 1362692526.869344   MetaHookPre   CallFunction(ChecksumOffloading::check, <null>, ())
+1362692526.869344   MetaHookPre   CallFunction(NetControl::check_conn, <frame>, (141.142.228.5))
 1362692526.869344   MetaHookPre   CallFunction(filter_change_tracking, <null>, ())
-1362692526.869344   MetaHookPre   CallFunction(net_stats, <frame>, ())
-1362692526.869344   MetaHookPre   CallFunction(new_connection, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1362692526.869344, duration=0.0, service={}, history=, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]))
+1362692526.869344   MetaHookPre   CallFunction(get_net_stats, <frame>, ())
+1362692526.869344   MetaHookPre   CallFunction(new_connection, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.0, service={}, history=, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]))
 1362692526.869344   MetaHookPre   DrainEvents()
 1362692526.869344   MetaHookPre   QueueEvent(ChecksumOffloading::check())
 1362692526.869344   MetaHookPre   QueueEvent(filter_change_tracking())
-1362692526.869344   MetaHookPre   QueueEvent(new_connection([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1362692526.869344, duration=0.0, service={}, history=, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]))
+1362692526.869344   MetaHookPre   QueueEvent(new_connection([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.0, service={}, history=, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]))
 1362692526.869344   MetaHookPre   UpdateNetworkTime(1362692526.869344)
 1362692526.869344  | HookBroObjDtor
 1362692526.869344  | HookUpdateNetworkTime 1362692526.869344
 1362692526.869344 | HookCallFunction ChecksumOffloading::check()
+1362692526.869344 | HookCallFunction NetControl::check_conn(141.142.228.5)
 1362692526.869344 | HookCallFunction filter_change_tracking()
-1362692526.869344 | HookCallFunction net_stats()
-1362692526.869344 | HookCallFunction new_connection([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1362692526.869344, duration=0.0, service={}, history=, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])
+1362692526.869344 | HookCallFunction get_net_stats()
+1362692526.869344 | HookCallFunction new_connection([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.0, service={}, history=, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])
 1362692526.869344 | HookDrainEvents
 1362692526.869344 | HookQueueEvent ChecksumOffloading::check()
 1362692526.869344 | HookQueueEvent filter_change_tracking()
-1362692526.869344 | HookQueueEvent new_connection([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1362692526.869344, duration=0.0, service={}, history=, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])
+1362692526.869344 | HookQueueEvent new_connection([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.0, service={}, history=, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])
 1362692526.869344 | RequestObjDtor ChecksumOffloading::check()
-1362692526.939084   MetaHookPost  CallFunction(connection_established, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1362692526.869344, duration=0.06974, service={}, history=Sh, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])) -> <no result>
+1362692526.939084   MetaHookPost  CallFunction(connection_established, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.06974, service={}, history=Sh, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])) -> <no result>
 1362692526.939084   MetaHookPost  DrainEvents() -> <void>
-1362692526.939084   MetaHookPost  QueueEvent(connection_established([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1362692526.869344, duration=0.06974, service={}, history=Sh, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])) -> false
+1362692526.939084   MetaHookPost  QueueEvent(connection_established([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.06974, service={}, history=Sh, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])) -> false
 1362692526.939084   MetaHookPost  UpdateNetworkTime(1362692526.939084) -> <void>
-1362692526.939084   MetaHookPre   CallFunction(connection_established, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1362692526.869344, duration=0.06974, service={}, history=Sh, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]))
+1362692526.939084   MetaHookPre   CallFunction(connection_established, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.06974, service={}, history=Sh, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]))
 1362692526.939084   MetaHookPre   DrainEvents()
-1362692526.939084   MetaHookPre   QueueEvent(connection_established([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1362692526.869344, duration=0.06974, service={}, history=Sh, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]))
+1362692526.939084   MetaHookPre   QueueEvent(connection_established([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.06974, service={}, history=Sh, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]))
 1362692526.939084   MetaHookPre   UpdateNetworkTime(1362692526.939084)
 1362692526.939084  | HookUpdateNetworkTime 1362692526.939084
-1362692526.939084 | HookCallFunction connection_established([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1362692526.869344, duration=0.06974, service={}, history=Sh, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])
+1362692526.939084 | HookCallFunction connection_established([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.06974, service={}, history=Sh, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])
 1362692526.939084 | HookDrainEvents
-1362692526.939084 | HookQueueEvent connection_established([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1362692526.869344, duration=0.06974, service={}, history=Sh, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])
+1362692526.939084 | HookQueueEvent connection_established([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.06974, service={}, history=Sh, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])
 1362692526.939378   MetaHookPost  DrainEvents() -> <void>
 1362692526.939378   MetaHookPost  UpdateNetworkTime(1362692526.939378) -> <void>
 1362692526.939378   MetaHookPre   DrainEvents()
@@ -1601,115 +1772,118 @@
 1362692526.939378 | HookDrainEvents
 1362692526.939527   MetaHookPost  CallFunction(Analyzer::__name, <frame>, (Analyzer::ANALYZER_HTTP)) -> <no result>
 1362692526.939527   MetaHookPost  CallFunction(Analyzer::name, <frame>, (Analyzer::ANALYZER_HTTP)) -> <no result>
-1362692526.939527   MetaHookPost  CallFunction(HTTP::get_file_handle, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
-1362692526.939527   MetaHookPost  CallFunction(HTTP::new_http_session, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=[pending={}, current_request=1, current_response=0, trans_depth=0], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])) -> <no result>
-1362692526.939527   MetaHookPost  CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
-1362692526.939527   MetaHookPost  CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
-1362692526.939527   MetaHookPost  CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
-1362692526.939527   MetaHookPost  CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
-1362692526.939527   MetaHookPost  CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=[pending={}, current_request=1, current_response=0, trans_depth=0], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
+1362692526.939527   MetaHookPost  CallFunction(HTTP::get_file_handle, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
+1362692526.939527   MetaHookPost  CallFunction(HTTP::new_http_session, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=[pending={}, current_request=1, current_response=0, trans_depth=0], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])) -> <no result>
+1362692526.939527   MetaHookPost  CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
+1362692526.939527   MetaHookPost  CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
+1362692526.939527   MetaHookPost  CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
+1362692526.939527   MetaHookPost  CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
+1362692526.939527   MetaHookPost  CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=[pending={}, current_request=1, current_response=0, trans_depth=0], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
 1362692526.939527   MetaHookPost  CallFunction(cat, <frame>, (Analyzer::ANALYZER_HTTP, 1362692526.869344, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) -> <no result>
 1362692526.939527   MetaHookPost  CallFunction(fmt, <frame>, (%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp)) -> <no result>
 1362692526.939527   MetaHookPost  CallFunction(fmt, <frame>, (-%s, HTTP)) -> <no result>
-1362692526.939527   MetaHookPost  CallFunction(get_file_handle, <null>, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
-1362692526.939527   MetaHookPost  CallFunction(http_begin_entity, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
-1362692526.939527   MetaHookPost  CallFunction(http_end_entity, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
+1362692526.939527   MetaHookPost  CallFunction(get_file_handle, <null>, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
+1362692526.939527   MetaHookPost  CallFunction(http_begin_entity, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
+1362692526.939527   MetaHookPost  CallFunction(http_end_entity, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
 1362692526.939527   MetaHookPost  CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/*)) -> <no result>
 1362692526.939527   MetaHookPost  CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0))) -> <no result>
-1362692526.939527   MetaHookPost  CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, CONNECTION, Keep-Alive)) -> <no result>
-1362692526.939527   MetaHookPost  CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, HOST, bro.org)) -> <no result>
-1362692526.939527   MetaHookPost  CallFunction(http_message_done, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124])) -> <no result>
+1362692526.939527   MetaHookPost  CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, CONNECTION, Keep-Alive)) -> <no result>
+1362692526.939527   MetaHookPost  CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, HOST, bro.org)) -> <no result>
+1362692526.939527   MetaHookPost  CallFunction(http_message_done, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124])) -> <no result>
 1362692526.939527   MetaHookPost  CallFunction(http_request, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, 1.1)) -> <no result>
 1362692526.939527   MetaHookPost  CallFunction(id_string, <frame>, ([orig_h=141.142.228.5, orig_p=59856<...>/tcp])) -> <no result>
 1362692526.939527   MetaHookPost  CallFunction(network_time, <frame>, ()) -> <no result>
-1362692526.939527   MetaHookPost  CallFunction(protocol_confirmation, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], Analyzer::ANALYZER_HTTP, 3)) -> <no result>
+1362692526.939527   MetaHookPost  CallFunction(protocol_confirmation, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], Analyzer::ANALYZER_HTTP, 3)) -> <no result>
 1362692526.939527   MetaHookPost  CallFunction(set_file_handle, <frame>, (Analyzer::ANALYZER_HTTP1362692526.869344T11141.142.228.5:59856 > 192.150.187.43:80)) -> <no result>
 1362692526.939527   MetaHookPost  CallFunction(split_string1, <frame>, (bro.org, <...>/)) -> <no result>
 1362692526.939527   MetaHookPost  DrainEvents() -> <void>
-1362692526.939527   MetaHookPost  QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> false
-1362692526.939527   MetaHookPost  QueueEvent(http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> false
-1362692526.939527   MetaHookPost  QueueEvent(http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> false
+1362692526.939527   MetaHookPost  QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> false
+1362692526.939527   MetaHookPost  QueueEvent(http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> false
+1362692526.939527   MetaHookPost  QueueEvent(http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> false
 1362692526.939527   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/*)) -> false
 1362692526.939527   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0))) -> false
-1362692526.939527   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, CONNECTION, Keep-Alive)) -> false
-1362692526.939527   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, HOST, bro.org)) -> false
-1362692526.939527   MetaHookPost  QueueEvent(http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124])) -> false
+1362692526.939527   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, CONNECTION, Keep-Alive)) -> false
+1362692526.939527   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, HOST, bro.org)) -> false
+1362692526.939527   MetaHookPost  QueueEvent(http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124])) -> false
 1362692526.939527   MetaHookPost  QueueEvent(http_request([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, 1.1)) -> false
+1362692526.939527   MetaHookPost  QueueEvent(protocol_confirmation([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], Analyzer::ANALYZER_HTTP, 3)) -> false
 1362692526.939527   MetaHookPost  UpdateNetworkTime(1362692526.939527) -> <void>
 1362692526.939527   MetaHookPre   CallFunction(Analyzer::__name, <frame>, (Analyzer::ANALYZER_HTTP))
 1362692526.939527   MetaHookPre   CallFunction(Analyzer::name, <frame>, (Analyzer::ANALYZER_HTTP))
-1362692526.939527   MetaHookPre   CallFunction(HTTP::get_file_handle, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
-1362692526.939527   MetaHookPre   CallFunction(HTTP::new_http_session, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=[pending={}, current_request=1, current_response=0, trans_depth=0], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]))
-1362692526.939527   MetaHookPre   CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
-1362692526.939527   MetaHookPre   CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
-1362692526.939527   MetaHookPre   CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
-1362692526.939527   MetaHookPre   CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
-1362692526.939527   MetaHookPre   CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=[pending={}, current_request=1, current_response=0, trans_depth=0], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
+1362692526.939527   MetaHookPre   CallFunction(HTTP::get_file_handle, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
+1362692526.939527   MetaHookPre   CallFunction(HTTP::new_http_session, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=[pending={}, current_request=1, current_response=0, trans_depth=0], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]))
+1362692526.939527   MetaHookPre   CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
+1362692526.939527   MetaHookPre   CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
+1362692526.939527   MetaHookPre   CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
+1362692526.939527   MetaHookPre   CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
+1362692526.939527   MetaHookPre   CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=[pending={}, current_request=1, current_response=0, trans_depth=0], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
 1362692526.939527   MetaHookPre   CallFunction(cat, <frame>, (Analyzer::ANALYZER_HTTP, 1362692526.869344, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80))
 1362692526.939527   MetaHookPre   CallFunction(fmt, <frame>, (%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp))
 1362692526.939527   MetaHookPre   CallFunction(fmt, <frame>, (-%s, HTTP))
-1362692526.939527   MetaHookPre   CallFunction(get_file_handle, <null>, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
-1362692526.939527   MetaHookPre   CallFunction(http_begin_entity, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
-1362692526.939527   MetaHookPre   CallFunction(http_end_entity, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
+1362692526.939527   MetaHookPre   CallFunction(get_file_handle, <null>, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
+1362692526.939527   MetaHookPre   CallFunction(http_begin_entity, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
+1362692526.939527   MetaHookPre   CallFunction(http_end_entity, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
 1362692526.939527   MetaHookPre   CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/*))
 1362692526.939527   MetaHookPre   CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0)))
-1362692526.939527   MetaHookPre   CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, CONNECTION, Keep-Alive))
-1362692526.939527   MetaHookPre   CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, HOST, bro.org))
-1362692526.939527   MetaHookPre   CallFunction(http_message_done, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124]))
+1362692526.939527   MetaHookPre   CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, CONNECTION, Keep-Alive))
+1362692526.939527   MetaHookPre   CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, HOST, bro.org))
+1362692526.939527   MetaHookPre   CallFunction(http_message_done, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124]))
 1362692526.939527   MetaHookPre   CallFunction(http_request, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, 1.1))
 1362692526.939527   MetaHookPre   CallFunction(id_string, <frame>, ([orig_h=141.142.228.5, orig_p=59856<...>/tcp]))
 1362692526.939527   MetaHookPre   CallFunction(network_time, <frame>, ())
-1362692526.939527   MetaHookPre   CallFunction(protocol_confirmation, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], Analyzer::ANALYZER_HTTP, 3))
+1362692526.939527   MetaHookPre   CallFunction(protocol_confirmation, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], Analyzer::ANALYZER_HTTP, 3))
 1362692526.939527   MetaHookPre   CallFunction(set_file_handle, <frame>, (Analyzer::ANALYZER_HTTP1362692526.869344T11141.142.228.5:59856 > 192.150.187.43:80))
 1362692526.939527   MetaHookPre   CallFunction(split_string1, <frame>, (bro.org, <...>/))
 1362692526.939527   MetaHookPre   DrainEvents()
-1362692526.939527   MetaHookPre   QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
-1362692526.939527   MetaHookPre   QueueEvent(http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
-1362692526.939527   MetaHookPre   QueueEvent(http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
+1362692526.939527   MetaHookPre   QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
+1362692526.939527   MetaHookPre   QueueEvent(http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
+1362692526.939527   MetaHookPre   QueueEvent(http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
 1362692526.939527   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/*))
 1362692526.939527   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0)))
-1362692526.939527   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, CONNECTION, Keep-Alive))
-1362692526.939527   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, HOST, bro.org))
-1362692526.939527   MetaHookPre   QueueEvent(http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124]))
+1362692526.939527   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, CONNECTION, Keep-Alive))
+1362692526.939527   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, HOST, bro.org))
+1362692526.939527   MetaHookPre   QueueEvent(http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124]))
 1362692526.939527   MetaHookPre   QueueEvent(http_request([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, 1.1))
+1362692526.939527   MetaHookPre   QueueEvent(protocol_confirmation([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], Analyzer::ANALYZER_HTTP, 3))
 1362692526.939527   MetaHookPre   UpdateNetworkTime(1362692526.939527)
 1362692526.939527  | HookUpdateNetworkTime 1362692526.939527
 1362692526.939527 | HookCallFunction Analyzer::__name(Analyzer::ANALYZER_HTTP)
 1362692526.939527 | HookCallFunction Analyzer::name(Analyzer::ANALYZER_HTTP)
-1362692526.939527 | HookCallFunction HTTP::get_file_handle([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
-1362692526.939527 | HookCallFunction HTTP::new_http_session([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=[pending={}, current_request=1, current_response=0, trans_depth=0], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])
-1362692526.939527 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
-1362692526.939527 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
-1362692526.939527 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
-1362692526.939527 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
-1362692526.939527 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=[pending={}, current_request=1, current_response=0, trans_depth=0], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
+1362692526.939527 | HookCallFunction HTTP::get_file_handle([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
+1362692526.939527 | HookCallFunction HTTP::new_http_session([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=[pending={}, current_request=1, current_response=0, trans_depth=0], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])
+1362692526.939527 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
+1362692526.939527 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
+1362692526.939527 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
+1362692526.939527 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
+1362692526.939527 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=[pending={}, current_request=1, current_response=0, trans_depth=0], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
 1362692526.939527 | HookCallFunction cat(Analyzer::ANALYZER_HTTP, 1362692526.869344, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)
 1362692526.939527 | HookCallFunction fmt(%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp)
 1362692526.939527 | HookCallFunction fmt(-%s, HTTP)
-1362692526.939527 | HookCallFunction get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
-1362692526.939527 | HookCallFunction http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
-1362692526.939527 | HookCallFunction http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
+1362692526.939527 | HookCallFunction get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
+1362692526.939527 | HookCallFunction http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
+1362692526.939527 | HookCallFunction http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
 1362692526.939527 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/*)
 1362692526.939527 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0))
-1362692526.939527 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, CONNECTION, Keep-Alive)
-1362692526.939527 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, HOST, bro.org)
-1362692526.939527 | HookCallFunction http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124])
+1362692526.939527 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, CONNECTION, Keep-Alive)
+1362692526.939527 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, HOST, bro.org)
+1362692526.939527 | HookCallFunction http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124])
 1362692526.939527 | HookCallFunction http_request([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, 1.1)
 1362692526.939527 | HookCallFunction id_string([orig_h=141.142.228.5, orig_p=59856<...>/tcp])
 1362692526.939527 | HookCallFunction network_time()
-1362692526.939527 | HookCallFunction protocol_confirmation([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], Analyzer::ANALYZER_HTTP, 3)
+1362692526.939527 | HookCallFunction protocol_confirmation([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], Analyzer::ANALYZER_HTTP, 3)
 1362692526.939527 | HookCallFunction set_file_handle(Analyzer::ANALYZER_HTTP1362692526.869344T11141.142.228.5:59856 > 192.150.187.43:80)
 1362692526.939527 | HookCallFunction split_string1(bro.org, <...>/)
 1362692526.939527 | HookDrainEvents
-1362692526.939527 | HookQueueEvent get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
-1362692526.939527 | HookQueueEvent http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
-1362692526.939527 | HookQueueEvent http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
+1362692526.939527 | HookQueueEvent get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
+1362692526.939527 | HookQueueEvent http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
+1362692526.939527 | HookQueueEvent http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
 1362692526.939527 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/*)
 1362692526.939527 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0))
-1362692526.939527 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, CONNECTION, Keep-Alive)
-1362692526.939527 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, HOST, bro.org)
-1362692526.939527 | HookQueueEvent http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124])
+1362692526.939527 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, CONNECTION, Keep-Alive)
+1362692526.939527 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, HOST, bro.org)
+1362692526.939527 | HookQueueEvent http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124])
 1362692526.939527 | HookQueueEvent http_request([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, 1.1)
+1362692526.939527 | HookQueueEvent protocol_confirmation([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], Analyzer::ANALYZER_HTTP, 3)
 1362692527.008509   MetaHookPost  DrainEvents() -> <void>
 1362692527.008509   MetaHookPost  UpdateNetworkTime(1362692527.008509) -> <void>
 1362692527.008509   MetaHookPre   DrainEvents()
@@ -1718,142 +1892,142 @@
 1362692527.008509 | HookDrainEvents
 1362692527.009512   MetaHookPost  CallFunction(Files::__enable_reassembly, <frame>, (FakNcS1Jfe01uljb3)) -> <no result>
 1362692527.009512   MetaHookPost  CallFunction(Files::__set_reassembly_buffer, <frame>, (FakNcS1Jfe01uljb3, 524288)) -> <no result>
-1362692527.009512   MetaHookPost  CallFunction(Files::enable_reassembly, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>])) -> <no result>
-1362692527.009512   MetaHookPost  CallFunction(Files::set_info, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>])) -> <no result>
-1362692527.009512   MetaHookPost  CallFunction(Files::set_info, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>])) -> <no result>
-1362692527.009512   MetaHookPost  CallFunction(Files::set_reassembly_buffer_size, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>], 524288)) -> <no result>
+1362692527.009512   MetaHookPost  CallFunction(Files::enable_reassembly, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>])) -> <no result>
+1362692527.009512   MetaHookPost  CallFunction(Files::set_info, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>])) -> <no result>
+1362692527.009512   MetaHookPost  CallFunction(Files::set_info, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>])) -> <no result>
+1362692527.009512   MetaHookPost  CallFunction(Files::set_reassembly_buffer_size, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>], 524288)) -> <no result>
 1362692527.009512   MetaHookPost  CallFunction(HTTP::code_in_range, <frame>, (200, 100, 199)) -> <no result>
-1362692527.009512   MetaHookPost  CallFunction(HTTP::get_file_handle, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <no result>
-1362692527.009512   MetaHookPost  CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <no result>
-1362692527.009512   MetaHookPost  CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <no result>
-1362692527.009512   MetaHookPost  CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <no result>
+1362692527.009512   MetaHookPost  CallFunction(HTTP::get_file_handle, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <no result>
+1362692527.009512   MetaHookPost  CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <no result>
+1362692527.009512   MetaHookPost  CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <no result>
+1362692527.009512   MetaHookPost  CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <no result>
 1362692527.009512   MetaHookPost  CallFunction(cat, <frame>, (Analyzer::ANALYZER_HTTP, 1362692526.869344, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) -> <no result>
-1362692527.009512   MetaHookPost  CallFunction(file_new, <null>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>])) -> <no result>
-1362692527.009512   MetaHookPost  CallFunction(file_over_new_connection, <null>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <no result>
+1362692527.009512   MetaHookPost  CallFunction(file_new, <null>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>])) -> <no result>
+1362692527.009512   MetaHookPost  CallFunction(file_over_new_connection, <null>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <no result>
 1362692527.009512   MetaHookPost  CallFunction(fmt, <frame>, (%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp)) -> <no result>
-1362692527.009512   MetaHookPost  CallFunction(get_file_handle, <null>, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <no result>
-1362692527.009512   MetaHookPost  CallFunction(http_begin_entity, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <no result>
-1362692527.009512   MetaHookPost  CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ACCEPT-RANGES, bytes)) -> <no result>
-1362692527.009512   MetaHookPost  CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONNECTION, Keep-Alive)) -> <no result>
-1362692527.009512   MetaHookPost  CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONTENT-LENGTH, 4705)) -> <no result>
-1362692527.009512   MetaHookPost  CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, DATE, Thu, 07 Mar 2013 21:43:07 GMT)) -> <no result>
-1362692527.009512   MetaHookPost  CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ETAG, "1261-4c870358a6fc0")) -> <no result>
-1362692527.009512   MetaHookPost  CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, KEEP-ALIVE, timeout=5, max=100)) -> <no result>
-1362692527.009512   MetaHookPost  CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT)) -> <no result>
+1362692527.009512   MetaHookPost  CallFunction(get_file_handle, <null>, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <no result>
+1362692527.009512   MetaHookPost  CallFunction(http_begin_entity, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <no result>
+1362692527.009512   MetaHookPost  CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ACCEPT-RANGES, bytes)) -> <no result>
+1362692527.009512   MetaHookPost  CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONNECTION, Keep-Alive)) -> <no result>
+1362692527.009512   MetaHookPost  CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONTENT-LENGTH, 4705)) -> <no result>
+1362692527.009512   MetaHookPost  CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, DATE, Thu, 07 Mar 2013 21:43:07 GMT)) -> <no result>
+1362692527.009512   MetaHookPost  CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ETAG, "1261-4c870358a6fc0")) -> <no result>
+1362692527.009512   MetaHookPost  CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, KEEP-ALIVE, timeout=5, max=100)) -> <no result>
+1362692527.009512   MetaHookPost  CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT)) -> <no result>
 1362692527.009512   MetaHookPost  CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/2.4.3 (Fedora))) -> <no result>
 1362692527.009512   MetaHookPost  CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain; charset=UTF-8)) -> <no result>
-1362692527.009512   MetaHookPost  CallFunction(http_reply, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], 1.1, 200, OK)) -> <no result>
+1362692527.009512   MetaHookPost  CallFunction(http_reply, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], 1.1, 200, OK)) -> <no result>
 1362692527.009512   MetaHookPost  CallFunction(id_string, <frame>, ([orig_h=141.142.228.5, orig_p=59856<...>/tcp])) -> <no result>
 1362692527.009512   MetaHookPost  CallFunction(set_file_handle, <frame>, (Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80)) -> <no result>
 1362692527.009512   MetaHookPost  CallFunction(split_string_all, <frame>, (HTTP, <...>/)) -> <no result>
 1362692527.009512   MetaHookPost  DrainEvents() -> <void>
-1362692527.009512   MetaHookPost  QueueEvent(file_new([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>])) -> false
-1362692527.009512   MetaHookPost  QueueEvent(file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> false
-1362692527.009512   MetaHookPost  QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> false
-1362692527.009512   MetaHookPost  QueueEvent(http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> false
-1362692527.009512   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ACCEPT-RANGES, bytes)) -> false
-1362692527.009512   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONNECTION, Keep-Alive)) -> false
-1362692527.009512   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONTENT-LENGTH, 4705)) -> false
-1362692527.009512   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, DATE, Thu, 07 Mar 2013 21:43:07 GMT)) -> false
-1362692527.009512   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ETAG, "1261-4c870358a6fc0")) -> false
-1362692527.009512   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, KEEP-ALIVE, timeout=5, max=100)) -> false
-1362692527.009512   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT)) -> false
+1362692527.009512   MetaHookPost  QueueEvent(file_new([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>])) -> false
+1362692527.009512   MetaHookPost  QueueEvent(file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> false
+1362692527.009512   MetaHookPost  QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> false
+1362692527.009512   MetaHookPost  QueueEvent(http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> false
+1362692527.009512   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ACCEPT-RANGES, bytes)) -> false
+1362692527.009512   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONNECTION, Keep-Alive)) -> false
+1362692527.009512   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONTENT-LENGTH, 4705)) -> false
+1362692527.009512   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, DATE, Thu, 07 Mar 2013 21:43:07 GMT)) -> false
+1362692527.009512   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ETAG, "1261-4c870358a6fc0")) -> false
+1362692527.009512   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, KEEP-ALIVE, timeout=5, max=100)) -> false
+1362692527.009512   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT)) -> false
 1362692527.009512   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/2.4.3 (Fedora))) -> false
 1362692527.009512   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain; charset=UTF-8)) -> false
-1362692527.009512   MetaHookPost  QueueEvent(http_reply([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], 1.1, 200, OK)) -> false
+1362692527.009512   MetaHookPost  QueueEvent(http_reply([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], 1.1, 200, OK)) -> false
 1362692527.009512   MetaHookPost  UpdateNetworkTime(1362692527.009512) -> <void>
 1362692527.009512   MetaHookPre   CallFunction(Files::__enable_reassembly, <frame>, (FakNcS1Jfe01uljb3))
 1362692527.009512   MetaHookPre   CallFunction(Files::__set_reassembly_buffer, <frame>, (FakNcS1Jfe01uljb3, 524288))
-1362692527.009512   MetaHookPre   CallFunction(Files::enable_reassembly, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]))
-1362692527.009512   MetaHookPre   CallFunction(Files::set_info, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]))
-1362692527.009512   MetaHookPre   CallFunction(Files::set_info, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]))
-1362692527.009512   MetaHookPre   CallFunction(Files::set_reassembly_buffer_size, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>], 524288))
+1362692527.009512   MetaHookPre   CallFunction(Files::enable_reassembly, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]))
+1362692527.009512   MetaHookPre   CallFunction(Files::set_info, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]))
+1362692527.009512   MetaHookPre   CallFunction(Files::set_info, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]))
+1362692527.009512   MetaHookPre   CallFunction(Files::set_reassembly_buffer_size, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>], 524288))
 1362692527.009512   MetaHookPre   CallFunction(HTTP::code_in_range, <frame>, (200, 100, 199))
-1362692527.009512   MetaHookPre   CallFunction(HTTP::get_file_handle, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
-1362692527.009512   MetaHookPre   CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
-1362692527.009512   MetaHookPre   CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
-1362692527.009512   MetaHookPre   CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
+1362692527.009512   MetaHookPre   CallFunction(HTTP::get_file_handle, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
+1362692527.009512   MetaHookPre   CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
+1362692527.009512   MetaHookPre   CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
+1362692527.009512   MetaHookPre   CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
 1362692527.009512   MetaHookPre   CallFunction(cat, <frame>, (Analyzer::ANALYZER_HTTP, 1362692526.869344, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80))
-1362692527.009512   MetaHookPre   CallFunction(file_new, <null>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]))
-1362692527.009512   MetaHookPre   CallFunction(file_over_new_connection, <null>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
+1362692527.009512   MetaHookPre   CallFunction(file_new, <null>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]))
+1362692527.009512   MetaHookPre   CallFunction(file_over_new_connection, <null>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
 1362692527.009512   MetaHookPre   CallFunction(fmt, <frame>, (%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp))
-1362692527.009512   MetaHookPre   CallFunction(get_file_handle, <null>, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
-1362692527.009512   MetaHookPre   CallFunction(http_begin_entity, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
-1362692527.009512   MetaHookPre   CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ACCEPT-RANGES, bytes))
-1362692527.009512   MetaHookPre   CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONNECTION, Keep-Alive))
-1362692527.009512   MetaHookPre   CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONTENT-LENGTH, 4705))
-1362692527.009512   MetaHookPre   CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, DATE, Thu, 07 Mar 2013 21:43:07 GMT))
-1362692527.009512   MetaHookPre   CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ETAG, "1261-4c870358a6fc0"))
-1362692527.009512   MetaHookPre   CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, KEEP-ALIVE, timeout=5, max=100))
-1362692527.009512   MetaHookPre   CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT))
+1362692527.009512   MetaHookPre   CallFunction(get_file_handle, <null>, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
+1362692527.009512   MetaHookPre   CallFunction(http_begin_entity, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
+1362692527.009512   MetaHookPre   CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ACCEPT-RANGES, bytes))
+1362692527.009512   MetaHookPre   CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONNECTION, Keep-Alive))
+1362692527.009512   MetaHookPre   CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONTENT-LENGTH, 4705))
+1362692527.009512   MetaHookPre   CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, DATE, Thu, 07 Mar 2013 21:43:07 GMT))
+1362692527.009512   MetaHookPre   CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ETAG, "1261-4c870358a6fc0"))
+1362692527.009512   MetaHookPre   CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, KEEP-ALIVE, timeout=5, max=100))
+1362692527.009512   MetaHookPre   CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT))
 1362692527.009512   MetaHookPre   CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/2.4.3 (Fedora)))
 1362692527.009512   MetaHookPre   CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain; charset=UTF-8))
-1362692527.009512   MetaHookPre   CallFunction(http_reply, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], 1.1, 200, OK))
+1362692527.009512   MetaHookPre   CallFunction(http_reply, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], 1.1, 200, OK))
 1362692527.009512   MetaHookPre   CallFunction(id_string, <frame>, ([orig_h=141.142.228.5, orig_p=59856<...>/tcp]))
 1362692527.009512   MetaHookPre   CallFunction(set_file_handle, <frame>, (Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80))
 1362692527.009512   MetaHookPre   CallFunction(split_string_all, <frame>, (HTTP, <...>/))
 1362692527.009512   MetaHookPre   DrainEvents()
-1362692527.009512   MetaHookPre   QueueEvent(file_new([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]))
-1362692527.009512   MetaHookPre   QueueEvent(file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
-1362692527.009512   MetaHookPre   QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
-1362692527.009512   MetaHookPre   QueueEvent(http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
-1362692527.009512   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ACCEPT-RANGES, bytes))
-1362692527.009512   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONNECTION, Keep-Alive))
-1362692527.009512   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONTENT-LENGTH, 4705))
-1362692527.009512   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, DATE, Thu, 07 Mar 2013 21:43:07 GMT))
-1362692527.009512   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ETAG, "1261-4c870358a6fc0"))
-1362692527.009512   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, KEEP-ALIVE, timeout=5, max=100))
-1362692527.009512   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT))
+1362692527.009512   MetaHookPre   QueueEvent(file_new([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]))
+1362692527.009512   MetaHookPre   QueueEvent(file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
+1362692527.009512   MetaHookPre   QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
+1362692527.009512   MetaHookPre   QueueEvent(http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
+1362692527.009512   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ACCEPT-RANGES, bytes))
+1362692527.009512   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONNECTION, Keep-Alive))
+1362692527.009512   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONTENT-LENGTH, 4705))
+1362692527.009512   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, DATE, Thu, 07 Mar 2013 21:43:07 GMT))
+1362692527.009512   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ETAG, "1261-4c870358a6fc0"))
+1362692527.009512   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, KEEP-ALIVE, timeout=5, max=100))
+1362692527.009512   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT))
 1362692527.009512   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/2.4.3 (Fedora)))
 1362692527.009512   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain; charset=UTF-8))
-1362692527.009512   MetaHookPre   QueueEvent(http_reply([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], 1.1, 200, OK))
+1362692527.009512   MetaHookPre   QueueEvent(http_reply([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], 1.1, 200, OK))
 1362692527.009512   MetaHookPre   UpdateNetworkTime(1362692527.009512)
 1362692527.009512  | HookUpdateNetworkTime 1362692527.009512
 1362692527.009512 | HookCallFunction Files::__enable_reassembly(FakNcS1Jfe01uljb3)
 1362692527.009512 | HookCallFunction Files::__set_reassembly_buffer(FakNcS1Jfe01uljb3, 524288)
-1362692527.009512 | HookCallFunction Files::enable_reassembly([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>])
-1362692527.009512 | HookCallFunction Files::set_info([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>])
-1362692527.009512 | HookCallFunction Files::set_info([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>])
-1362692527.009512 | HookCallFunction Files::set_reassembly_buffer_size([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>], 524288)
+1362692527.009512 | HookCallFunction Files::enable_reassembly([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>])
+1362692527.009512 | HookCallFunction Files::set_info([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>])
+1362692527.009512 | HookCallFunction Files::set_info([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>])
+1362692527.009512 | HookCallFunction Files::set_reassembly_buffer_size([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>], 524288)
 1362692527.009512 | HookCallFunction HTTP::code_in_range(200, 100, 199)
-1362692527.009512 | HookCallFunction HTTP::get_file_handle([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
-1362692527.009512 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
-1362692527.009512 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
-1362692527.009512 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
+1362692527.009512 | HookCallFunction HTTP::get_file_handle([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
+1362692527.009512 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
+1362692527.009512 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
+1362692527.009512 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
 1362692527.009512 | HookCallFunction cat(Analyzer::ANALYZER_HTTP, 1362692526.869344, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)
-1362692527.009512 | HookCallFunction file_new([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>])
-1362692527.009512 | HookCallFunction file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
+1362692527.009512 | HookCallFunction file_new([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>])
+1362692527.009512 | HookCallFunction file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
 1362692527.009512 | HookCallFunction fmt(%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp)
-1362692527.009512 | HookCallFunction get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
-1362692527.009512 | HookCallFunction http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
-1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ACCEPT-RANGES, bytes)
-1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONNECTION, Keep-Alive)
-1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONTENT-LENGTH, 4705)
-1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, DATE, Thu, 07 Mar 2013 21:43:07 GMT)
-1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ETAG, "1261-4c870358a6fc0")
-1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, KEEP-ALIVE, timeout=5, max=100)
-1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT)
+1362692527.009512 | HookCallFunction get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
+1362692527.009512 | HookCallFunction http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
+1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ACCEPT-RANGES, bytes)
+1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONNECTION, Keep-Alive)
+1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONTENT-LENGTH, 4705)
+1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, DATE, Thu, 07 Mar 2013 21:43:07 GMT)
+1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ETAG, "1261-4c870358a6fc0")
+1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, KEEP-ALIVE, timeout=5, max=100)
+1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT)
 1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/2.4.3 (Fedora))
 1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain; charset=UTF-8)
-1362692527.009512 | HookCallFunction http_reply([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], 1.1, 200, OK)
+1362692527.009512 | HookCallFunction http_reply([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], 1.1, 200, OK)
 1362692527.009512 | HookCallFunction id_string([orig_h=141.142.228.5, orig_p=59856<...>/tcp])
 1362692527.009512 | HookCallFunction set_file_handle(Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80)
 1362692527.009512 | HookCallFunction split_string_all(HTTP, <...>/)
 1362692527.009512 | HookDrainEvents
-1362692527.009512 | HookQueueEvent file_new([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>])
-1362692527.009512 | HookQueueEvent file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
-1362692527.009512 | HookQueueEvent get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
-1362692527.009512 | HookQueueEvent http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
-1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ACCEPT-RANGES, bytes)
-1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONNECTION, Keep-Alive)
-1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONTENT-LENGTH, 4705)
-1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, DATE, Thu, 07 Mar 2013 21:43:07 GMT)
-1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ETAG, "1261-4c870358a6fc0")
-1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, KEEP-ALIVE, timeout=5, max=100)
-1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT)
+1362692527.009512 | HookQueueEvent file_new([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>])
+1362692527.009512 | HookQueueEvent file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
+1362692527.009512 | HookQueueEvent get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
+1362692527.009512 | HookQueueEvent http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
+1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ACCEPT-RANGES, bytes)
+1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONNECTION, Keep-Alive)
+1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONTENT-LENGTH, 4705)
+1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, DATE, Thu, 07 Mar 2013 21:43:07 GMT)
+1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ETAG, "1261-4c870358a6fc0")
+1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, KEEP-ALIVE, timeout=5, max=100)
+1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT)
 1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/2.4.3 (Fedora))
 1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain; charset=UTF-8)
-1362692527.009512 | HookQueueEvent http_reply([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], 1.1, 200, OK)
+1362692527.009512 | HookQueueEvent http_reply([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], 1.1, 200, OK)
 1362692527.009721   MetaHookPost  DrainEvents() -> <void>
 1362692527.009721   MetaHookPost  UpdateNetworkTime(1362692527.009721) -> <void>
 1362692527.009721   MetaHookPre   DrainEvents()
@@ -1866,11 +2040,11 @@
 1362692527.009765   MetaHookPre   UpdateNetworkTime(1362692527.009765)
 1362692527.009765  | HookUpdateNetworkTime 1362692527.009765
 1362692527.009765 | HookDrainEvents
-1362692527.009775   MetaHookPost  CallFunction(Files::set_info, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>])) -> <no result>
+1362692527.009775   MetaHookPost  CallFunction(Files::set_info, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>])) -> <no result>
 1362692527.009775   MetaHookPost  CallFunction(Files::set_info, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>])) -> <no result>
 1362692527.009775   MetaHookPost  CallFunction(HTTP::code_in_range, <frame>, (200, 100, 199)) -> <no result>
-1362692527.009775   MetaHookPost  CallFunction(HTTP::get_file_handle, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <no result>
-1362692527.009775   MetaHookPost  CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <no result>
+1362692527.009775   MetaHookPost  CallFunction(HTTP::get_file_handle, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <no result>
+1362692527.009775   MetaHookPost  CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <no result>
 1362692527.009775   MetaHookPost  CallFunction(Log::__write, <frame>, (Files::LOG, [ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CXWv6p3arKYeMETxOg}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=<uninitialized>, duration=262.0 usecs, local_orig=<uninitialized>, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>])) -> <no result>
 1362692527.009775   MetaHookPost  CallFunction(Log::__write, <frame>, (HTTP::LOG, [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1])) -> <no result>
 1362692527.009775   MetaHookPost  CallFunction(Log::write, <frame>, (Files::LOG, [ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CXWv6p3arKYeMETxOg}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=<uninitialized>, duration=262.0 usecs, local_orig=<uninitialized>, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>])) -> <no result>
@@ -1879,23 +2053,23 @@
 1362692527.009775   MetaHookPost  CallFunction(file_sniff, <null>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]]])) -> <no result>
 1362692527.009775   MetaHookPost  CallFunction(file_state_remove, <null>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>])) -> <no result>
 1362692527.009775   MetaHookPost  CallFunction(fmt, <frame>, (%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp)) -> <no result>
-1362692527.009775   MetaHookPost  CallFunction(get_file_handle, <null>, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <no result>
-1362692527.009775   MetaHookPost  CallFunction(http_end_entity, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <no result>
-1362692527.009775   MetaHookPost  CallFunction(http_message_done, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280])) -> <no result>
+1362692527.009775   MetaHookPost  CallFunction(get_file_handle, <null>, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <no result>
+1362692527.009775   MetaHookPost  CallFunction(http_end_entity, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <no result>
+1362692527.009775   MetaHookPost  CallFunction(http_message_done, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280])) -> <no result>
 1362692527.009775   MetaHookPost  CallFunction(id_string, <frame>, ([orig_h=141.142.228.5, orig_p=59856<...>/tcp])) -> <no result>
 1362692527.009775   MetaHookPost  CallFunction(set_file_handle, <frame>, (Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80)) -> <no result>
 1362692527.009775   MetaHookPost  DrainEvents() -> <void>
 1362692527.009775   MetaHookPost  QueueEvent(file_sniff([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]]])) -> false
 1362692527.009775   MetaHookPost  QueueEvent(file_state_remove([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>])) -> false
-1362692527.009775   MetaHookPost  QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> false
-1362692527.009775   MetaHookPost  QueueEvent(http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> false
-1362692527.009775   MetaHookPost  QueueEvent(http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280])) -> false
+1362692527.009775   MetaHookPost  QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> false
+1362692527.009775   MetaHookPost  QueueEvent(http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> false
+1362692527.009775   MetaHookPost  QueueEvent(http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280])) -> false
 1362692527.009775   MetaHookPost  UpdateNetworkTime(1362692527.009775) -> <void>
-1362692527.009775   MetaHookPre   CallFunction(Files::set_info, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]))
+1362692527.009775   MetaHookPre   CallFunction(Files::set_info, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]))
 1362692527.009775   MetaHookPre   CallFunction(Files::set_info, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]))
 1362692527.009775   MetaHookPre   CallFunction(HTTP::code_in_range, <frame>, (200, 100, 199))
-1362692527.009775   MetaHookPre   CallFunction(HTTP::get_file_handle, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
-1362692527.009775   MetaHookPre   CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
+1362692527.009775   MetaHookPre   CallFunction(HTTP::get_file_handle, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
+1362692527.009775   MetaHookPre   CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
 1362692527.009775   MetaHookPre   CallFunction(Log::__write, <frame>, (Files::LOG, [ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CXWv6p3arKYeMETxOg}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=<uninitialized>, duration=262.0 usecs, local_orig=<uninitialized>, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>]))
 1362692527.009775   MetaHookPre   CallFunction(Log::__write, <frame>, (HTTP::LOG, [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]))
 1362692527.009775   MetaHookPre   CallFunction(Log::write, <frame>, (Files::LOG, [ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CXWv6p3arKYeMETxOg}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=<uninitialized>, duration=262.0 usecs, local_orig=<uninitialized>, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>]))
@@ -1904,24 +2078,24 @@
 1362692527.009775   MetaHookPre   CallFunction(file_sniff, <null>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]]]))
 1362692527.009775   MetaHookPre   CallFunction(file_state_remove, <null>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]))
 1362692527.009775   MetaHookPre   CallFunction(fmt, <frame>, (%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp))
-1362692527.009775   MetaHookPre   CallFunction(get_file_handle, <null>, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
-1362692527.009775   MetaHookPre   CallFunction(http_end_entity, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
-1362692527.009775   MetaHookPre   CallFunction(http_message_done, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280]))
+1362692527.009775   MetaHookPre   CallFunction(get_file_handle, <null>, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
+1362692527.009775   MetaHookPre   CallFunction(http_end_entity, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
+1362692527.009775   MetaHookPre   CallFunction(http_message_done, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280]))
 1362692527.009775   MetaHookPre   CallFunction(id_string, <frame>, ([orig_h=141.142.228.5, orig_p=59856<...>/tcp]))
 1362692527.009775   MetaHookPre   CallFunction(set_file_handle, <frame>, (Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80))
 1362692527.009775   MetaHookPre   DrainEvents()
 1362692527.009775   MetaHookPre   QueueEvent(file_sniff([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]]]))
 1362692527.009775   MetaHookPre   QueueEvent(file_state_remove([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]))
-1362692527.009775   MetaHookPre   QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
-1362692527.009775   MetaHookPre   QueueEvent(http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
-1362692527.009775   MetaHookPre   QueueEvent(http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280]))
+1362692527.009775   MetaHookPre   QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
+1362692527.009775   MetaHookPre   QueueEvent(http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
+1362692527.009775   MetaHookPre   QueueEvent(http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280]))
 1362692527.009775   MetaHookPre   UpdateNetworkTime(1362692527.009775)
 1362692527.009775  | HookUpdateNetworkTime 1362692527.009775
-1362692527.009775 | HookCallFunction Files::set_info([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>])
+1362692527.009775 | HookCallFunction Files::set_info([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>])
 1362692527.009775 | HookCallFunction Files::set_info([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>])
 1362692527.009775 | HookCallFunction HTTP::code_in_range(200, 100, 199)
-1362692527.009775 | HookCallFunction HTTP::get_file_handle([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
-1362692527.009775 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
+1362692527.009775 | HookCallFunction HTTP::get_file_handle([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
+1362692527.009775 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
 1362692527.009775 | HookCallFunction Log::__write(Files::LOG, [ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CXWv6p3arKYeMETxOg}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=<uninitialized>, duration=262.0 usecs, local_orig=<uninitialized>, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>])
 1362692527.009775 | HookCallFunction Log::__write(HTTP::LOG, [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1])
 1362692527.009775 | HookCallFunction Log::write(Files::LOG, [ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CXWv6p3arKYeMETxOg}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=<uninitialized>, duration=262.0 usecs, local_orig=<uninitialized>, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>])
@@ -1930,17 +2104,17 @@
 1362692527.009775 | HookCallFunction file_sniff([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]]])
 1362692527.009775 | HookCallFunction file_state_remove([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>])
 1362692527.009775 | HookCallFunction fmt(%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp)
-1362692527.009775 | HookCallFunction get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
-1362692527.009775 | HookCallFunction http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
-1362692527.009775 | HookCallFunction http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280])
+1362692527.009775 | HookCallFunction get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
+1362692527.009775 | HookCallFunction http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
+1362692527.009775 | HookCallFunction http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280])
 1362692527.009775 | HookCallFunction id_string([orig_h=141.142.228.5, orig_p=59856<...>/tcp])
 1362692527.009775 | HookCallFunction set_file_handle(Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80)
 1362692527.009775 | HookDrainEvents
 1362692527.009775 | HookQueueEvent file_sniff([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]]])
 1362692527.009775 | HookQueueEvent file_state_remove([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>])
-1362692527.009775 | HookQueueEvent get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
-1362692527.009775 | HookQueueEvent http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
-1362692527.009775 | HookQueueEvent http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280])
+1362692527.009775 | HookQueueEvent get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
+1362692527.009775 | HookQueueEvent http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
+1362692527.009775 | HookQueueEvent http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280])
 1362692527.009855   MetaHookPost  DrainEvents() -> <void>
 1362692527.009855   MetaHookPost  UpdateNetworkTime(1362692527.009855) -> <void>
 1362692527.009855   MetaHookPre   DrainEvents()
@@ -1966,24 +2140,24 @@
 1362692527.080828  | HookUpdateNetworkTime 1362692527.080828
 1362692527.080828 | HookDrainEvents
 1362692527.080972   MetaHookPost  CallFunction(ChecksumOffloading::check, <null>, ()) -> <no result>
-1362692527.080972   MetaHookPost  CallFunction(Conn::conn_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], tcp)) -> <no result>
-1362692527.080972   MetaHookPost  CallFunction(Conn::determine_service, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])) -> <no result>
-1362692527.080972   MetaHookPost  CallFunction(Conn::set_conn, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
-1362692527.080972   MetaHookPost  CallFunction(HTTP::get_file_handle, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
-1362692527.080972   MetaHookPost  CallFunction(KRB::fill_in_subjects, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])) -> <no result>
+1362692527.080972   MetaHookPost  CallFunction(Conn::conn_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], tcp)) -> <no result>
+1362692527.080972   MetaHookPost  CallFunction(Conn::determine_service, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])) -> <no result>
+1362692527.080972   MetaHookPost  CallFunction(Conn::set_conn, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
+1362692527.080972   MetaHookPost  CallFunction(HTTP::get_file_handle, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
+1362692527.080972   MetaHookPost  CallFunction(KRB::fill_in_subjects, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])) -> <no result>
 1362692527.080972   MetaHookPost  CallFunction(Log::__write, <frame>, (Conn::LOG, [ts=1362692526.869344, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}])) -> <no result>
 1362692527.080972   MetaHookPost  CallFunction(Log::write, <frame>, (Conn::LOG, [ts=1362692526.869344, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}])) -> <no result>
 1362692527.080972   MetaHookPost  CallFunction(bro_done, <null>, ()) -> <no result>
 1362692527.080972   MetaHookPost  CallFunction(cat, <frame>, (Analyzer::ANALYZER_HTTP, 1362692526.869344, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) -> <no result>
-1362692527.080972   MetaHookPost  CallFunction(connection_state_remove, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])) -> <no result>
+1362692527.080972   MetaHookPost  CallFunction(connection_state_remove, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])) -> <no result>
 1362692527.080972   MetaHookPost  CallFunction(filter_change_tracking, <null>, ()) -> <no result>
 1362692527.080972   MetaHookPost  CallFunction(fmt, <frame>, (%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp)) -> <no result>
-1362692527.080972   MetaHookPost  CallFunction(get_file_handle, <null>, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
+1362692527.080972   MetaHookPost  CallFunction(get_file_handle, <null>, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
+1362692527.080972   MetaHookPost  CallFunction(get_net_stats, <frame>, ()) -> <no result>
 1362692527.080972   MetaHookPost  CallFunction(get_port_transport_proto, <frame>, (80/tcp)) -> <no result>
 1362692527.080972   MetaHookPost  CallFunction(id_string, <frame>, ([orig_h=141.142.228.5, orig_p=59856<...>/tcp])) -> <no result>
 1362692527.080972   MetaHookPost  CallFunction(is_tcp_port, <frame>, (59856/tcp)) -> <no result>
 1362692527.080972   MetaHookPost  CallFunction(net_done, <null>, (1362692527.080972)) -> <no result>
-1362692527.080972   MetaHookPost  CallFunction(net_stats, <frame>, ()) -> <no result>
 1362692527.080972   MetaHookPost  CallFunction(reading_traces, <frame>, ()) -> <no result>
 1362692527.080972   MetaHookPost  CallFunction(set_file_handle, <frame>, (Analyzer::ANALYZER_HTTP1362692526.869344T11141.142.228.5:59856 > 192.150.187.43:80)) -> <no result>
 1362692527.080972   MetaHookPost  CallFunction(sub_bytes, <frame>, (HTTP, 0, 1)) -> <no result>
@@ -1991,29 +2165,29 @@
 1362692527.080972   MetaHookPost  DrainEvents() -> <void>
 1362692527.080972   MetaHookPost  QueueEvent(ChecksumOffloading::check()) -> false
 1362692527.080972   MetaHookPost  QueueEvent(bro_done()) -> false
-1362692527.080972   MetaHookPost  QueueEvent(connection_state_remove([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])) -> false
+1362692527.080972   MetaHookPost  QueueEvent(connection_state_remove([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])) -> false
 1362692527.080972   MetaHookPost  QueueEvent(filter_change_tracking()) -> false
-1362692527.080972   MetaHookPost  QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> false
+1362692527.080972   MetaHookPost  QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> false
 1362692527.080972   MetaHookPost  UpdateNetworkTime(1362692527.080972) -> <void>
 1362692527.080972   MetaHookPre   CallFunction(ChecksumOffloading::check, <null>, ())
-1362692527.080972   MetaHookPre   CallFunction(Conn::conn_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], tcp))
-1362692527.080972   MetaHookPre   CallFunction(Conn::determine_service, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]))
-1362692527.080972   MetaHookPre   CallFunction(Conn::set_conn, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
-1362692527.080972   MetaHookPre   CallFunction(HTTP::get_file_handle, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
-1362692527.080972   MetaHookPre   CallFunction(KRB::fill_in_subjects, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]))
+1362692527.080972   MetaHookPre   CallFunction(Conn::conn_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], tcp))
+1362692527.080972   MetaHookPre   CallFunction(Conn::determine_service, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]))
+1362692527.080972   MetaHookPre   CallFunction(Conn::set_conn, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
+1362692527.080972   MetaHookPre   CallFunction(HTTP::get_file_handle, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
+1362692527.080972   MetaHookPre   CallFunction(KRB::fill_in_subjects, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]))
 1362692527.080972   MetaHookPre   CallFunction(Log::__write, <frame>, (Conn::LOG, [ts=1362692526.869344, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}]))
 1362692527.080972   MetaHookPre   CallFunction(Log::write, <frame>, (Conn::LOG, [ts=1362692526.869344, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}]))
 1362692527.080972   MetaHookPre   CallFunction(bro_done, <null>, ())
 1362692527.080972   MetaHookPre   CallFunction(cat, <frame>, (Analyzer::ANALYZER_HTTP, 1362692526.869344, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80))
-1362692527.080972   MetaHookPre   CallFunction(connection_state_remove, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]))
+1362692527.080972   MetaHookPre   CallFunction(connection_state_remove, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]))
 1362692527.080972   MetaHookPre   CallFunction(filter_change_tracking, <null>, ())
 1362692527.080972   MetaHookPre   CallFunction(fmt, <frame>, (%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp))
-1362692527.080972   MetaHookPre   CallFunction(get_file_handle, <null>, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
+1362692527.080972   MetaHookPre   CallFunction(get_file_handle, <null>, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
+1362692527.080972   MetaHookPre   CallFunction(get_net_stats, <frame>, ())
 1362692527.080972   MetaHookPre   CallFunction(get_port_transport_proto, <frame>, (80/tcp))
 1362692527.080972   MetaHookPre   CallFunction(id_string, <frame>, ([orig_h=141.142.228.5, orig_p=59856<...>/tcp]))
 1362692527.080972   MetaHookPre   CallFunction(is_tcp_port, <frame>, (59856/tcp))
 1362692527.080972   MetaHookPre   CallFunction(net_done, <null>, (1362692527.080972))
-1362692527.080972   MetaHookPre   CallFunction(net_stats, <frame>, ())
 1362692527.080972   MetaHookPre   CallFunction(reading_traces, <frame>, ())
 1362692527.080972   MetaHookPre   CallFunction(set_file_handle, <frame>, (Analyzer::ANALYZER_HTTP1362692526.869344T11141.142.228.5:59856 > 192.150.187.43:80))
 1362692527.080972   MetaHookPre   CallFunction(sub_bytes, <frame>, (HTTP, 0, 1))
@@ -2021,30 +2195,30 @@
 1362692527.080972   MetaHookPre   DrainEvents()
 1362692527.080972   MetaHookPre   QueueEvent(ChecksumOffloading::check())
 1362692527.080972   MetaHookPre   QueueEvent(bro_done())
-1362692527.080972   MetaHookPre   QueueEvent(connection_state_remove([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]))
+1362692527.080972   MetaHookPre   QueueEvent(connection_state_remove([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]))
 1362692527.080972   MetaHookPre   QueueEvent(filter_change_tracking())
-1362692527.080972   MetaHookPre   QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
+1362692527.080972   MetaHookPre   QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
 1362692527.080972   MetaHookPre   UpdateNetworkTime(1362692527.080972)
 1362692527.080972  | HookUpdateNetworkTime 1362692527.080972
 1362692527.080972 | HookCallFunction ChecksumOffloading::check()
-1362692527.080972 | HookCallFunction Conn::conn_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], tcp)
-1362692527.080972 | HookCallFunction Conn::determine_service([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])
-1362692527.080972 | HookCallFunction Conn::set_conn([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
-1362692527.080972 | HookCallFunction HTTP::get_file_handle([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
-1362692527.080972 | HookCallFunction KRB::fill_in_subjects([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])
+1362692527.080972 | HookCallFunction Conn::conn_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], tcp)
+1362692527.080972 | HookCallFunction Conn::determine_service([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])
+1362692527.080972 | HookCallFunction Conn::set_conn([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
+1362692527.080972 | HookCallFunction HTTP::get_file_handle([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
+1362692527.080972 | HookCallFunction KRB::fill_in_subjects([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])
 1362692527.080972 | HookCallFunction Log::__write(Conn::LOG, [ts=1362692526.869344, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}])
 1362692527.080972 | HookCallFunction Log::write(Conn::LOG, [ts=1362692526.869344, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}])
 1362692527.080972 | HookCallFunction bro_done()
 1362692527.080972 | HookCallFunction cat(Analyzer::ANALYZER_HTTP, 1362692526.869344, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)
-1362692527.080972 | HookCallFunction connection_state_remove([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])
+1362692527.080972 | HookCallFunction connection_state_remove([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])
 1362692527.080972 | HookCallFunction filter_change_tracking()
 1362692527.080972 | HookCallFunction fmt(%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp)
-1362692527.080972 | HookCallFunction get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
+1362692527.080972 | HookCallFunction get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
+1362692527.080972 | HookCallFunction get_net_stats()
 1362692527.080972 | HookCallFunction get_port_transport_proto(80/tcp)
 1362692527.080972 | HookCallFunction id_string([orig_h=141.142.228.5, orig_p=59856<...>/tcp])
 1362692527.080972 | HookCallFunction is_tcp_port(59856/tcp)
 1362692527.080972 | HookCallFunction net_done(1362692527.080972)
-1362692527.080972 | HookCallFunction net_stats()
 1362692527.080972 | HookCallFunction reading_traces()
 1362692527.080972 | HookCallFunction set_file_handle(Analyzer::ANALYZER_HTTP1362692526.869344T11141.142.228.5:59856 > 192.150.187.43:80)
 1362692527.080972 | HookCallFunction sub_bytes(HTTP, 0, 1)
@@ -2052,6 +2226,6 @@
 1362692527.080972 | HookDrainEvents
 1362692527.080972 | HookQueueEvent ChecksumOffloading::check()
 1362692527.080972 | HookQueueEvent bro_done()
-1362692527.080972 | HookQueueEvent connection_state_remove([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])
+1362692527.080972 | HookQueueEvent connection_state_remove([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])
 1362692527.080972 | HookQueueEvent filter_change_tracking()
-1362692527.080972 | HookQueueEvent get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
+1362692527.080972 | HookQueueEvent get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
diff --git a/testing/btest/Baseline/plugins.writer/output b/testing/btest/Baseline/plugins.writer/output
index a8d6f439e2..17c11d0290 100644
--- a/testing/btest/Baseline/plugins.writer/output
+++ b/testing/btest/Baseline/plugins.writer/output
@@ -10,13 +10,13 @@ Demo::Foo - A Foo test logging writer (dynamic, version 1.0)
 [conn] 1340213226.561757|CPbrpk1qSsw6ESzHV4|10.0.0.55|53994|60.190.189.214|8124|tcp|-|-|-|-|SH|-|-|0|F|1|52|0|0|
 [conn] 1340213290.981995|C6pKV8GSxOnSLghOa|10.0.0.55|53994|60.190.189.214|8124|tcp|-|-|-|-|SH|-|-|0|F|1|52|0|0|
 [files] 1340213020.732547|FBtZ7y1ppK8iIeY622|60.190.189.214|10.0.0.55|CjhGID4nQcgTWjvg4c|HTTP|0||image/gif|-|0.000034|-|F|1368|1368|0|0|F|-|-|-|-|-
-[http] 1340213019.013158|CjhGID4nQcgTWjvg4c|10.0.0.55|53994|60.190.189.214|8124|1|GET|www.osnews.com|/images/printer2.gif|http://www.osnews.com/|1.1|Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0.2) Gecko/20100101 Firefox/10.0.2|0|0|304|Not Modified|-|-|-||-|-|-|-|-|-|-
-[http] 1340213019.013426|CjhGID4nQcgTWjvg4c|10.0.0.55|53994|60.190.189.214|8124|2|GET|www.osnews.com|/img2/shorturl.jpg|http://www.osnews.com/|1.1|Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0.2) Gecko/20100101 Firefox/10.0.2|0|0|304|Not Modified|-|-|-||-|-|-|-|-|-|-
-[http] 1340213019.580162|CjhGID4nQcgTWjvg4c|10.0.0.55|53994|60.190.189.214|8124|3|GET|www.osnews.com|/images/icons/9.gif|http://www.osnews.com/|1.1|Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0.2) Gecko/20100101 Firefox/10.0.2|0|0|304|Not Modified|-|-|-||-|-|-|-|-|-|-
-[http] 1340213020.155861|CjhGID4nQcgTWjvg4c|10.0.0.55|53994|60.190.189.214|8124|4|GET|www.osnews.com|/images/icons/26.gif|http://www.osnews.com/|1.1|Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0.2) Gecko/20100101 Firefox/10.0.2|0|1368|200|OK|-|-|-||-|-|-|-|-|FBtZ7y1ppK8iIeY622|image/gif
-[http] 1340213020.732963|CjhGID4nQcgTWjvg4c|10.0.0.55|53994|60.190.189.214|8124|5|GET|www.osnews.com|/images/icons/17.gif|http://www.osnews.com/|1.1|Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0.2) Gecko/20100101 Firefox/10.0.2|0|0|304|Not Modified|-|-|-||-|-|-|-|-|-|-
-[http] 1340213021.300269|CjhGID4nQcgTWjvg4c|10.0.0.55|53994|60.190.189.214|8124|6|GET|www.osnews.com|/images/left.gif|http://www.osnews.com/|1.1|Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0.2) Gecko/20100101 Firefox/10.0.2|0|0|304|Not Modified|-|-|-||-|-|-|-|-|-|-
-[http] 1340213021.861584|CjhGID4nQcgTWjvg4c|10.0.0.55|53994|60.190.189.214|8124|7|GET|www.osnews.com|/images/icons/32.gif|http://www.osnews.com/|1.1|Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0.2) Gecko/20100101 Firefox/10.0.2|0|0|304|Not Modified|-|-|-||-|-|-|-|-|-|-
-[packet_filter] 1452883255.997547|bro|ip or not ip|T|T
+[http] 1340213019.013158|CjhGID4nQcgTWjvg4c|10.0.0.55|53994|60.190.189.214|8124|1|GET|www.osnews.com|/images/printer2.gif|http://www.osnews.com/|1.1|Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0.2) Gecko/20100101 Firefox/10.0.2|0|0|304|Not Modified|-|-||-|-|-|-|-|-|-|-|-
+[http] 1340213019.013426|CjhGID4nQcgTWjvg4c|10.0.0.55|53994|60.190.189.214|8124|2|GET|www.osnews.com|/img2/shorturl.jpg|http://www.osnews.com/|1.1|Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0.2) Gecko/20100101 Firefox/10.0.2|0|0|304|Not Modified|-|-||-|-|-|-|-|-|-|-|-
+[http] 1340213019.580162|CjhGID4nQcgTWjvg4c|10.0.0.55|53994|60.190.189.214|8124|3|GET|www.osnews.com|/images/icons/9.gif|http://www.osnews.com/|1.1|Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0.2) Gecko/20100101 Firefox/10.0.2|0|0|304|Not Modified|-|-||-|-|-|-|-|-|-|-|-
+[http] 1340213020.155861|CjhGID4nQcgTWjvg4c|10.0.0.55|53994|60.190.189.214|8124|4|GET|www.osnews.com|/images/icons/26.gif|http://www.osnews.com/|1.1|Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0.2) Gecko/20100101 Firefox/10.0.2|0|1368|200|OK|-|-||-|-|-|-|-|-|FBtZ7y1ppK8iIeY622|-|image/gif
+[http] 1340213020.732963|CjhGID4nQcgTWjvg4c|10.0.0.55|53994|60.190.189.214|8124|5|GET|www.osnews.com|/images/icons/17.gif|http://www.osnews.com/|1.1|Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0.2) Gecko/20100101 Firefox/10.0.2|0|0|304|Not Modified|-|-||-|-|-|-|-|-|-|-|-
+[http] 1340213021.300269|CjhGID4nQcgTWjvg4c|10.0.0.55|53994|60.190.189.214|8124|6|GET|www.osnews.com|/images/left.gif|http://www.osnews.com/|1.1|Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0.2) Gecko/20100101 Firefox/10.0.2|0|0|304|Not Modified|-|-||-|-|-|-|-|-|-|-|-
+[http] 1340213021.861584|CjhGID4nQcgTWjvg4c|10.0.0.55|53994|60.190.189.214|8124|7|GET|www.osnews.com|/images/icons/32.gif|http://www.osnews.com/|1.1|Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0.2) Gecko/20100101 Firefox/10.0.2|0|0|304|Not Modified|-|-||-|-|-|-|-|-|-|-|-
+[packet_filter] 1465969150.903477|bro|ip or not ip|T|T
 [socks] 1340213015.276495|CjhGID4nQcgTWjvg4c|10.0.0.55|53994|60.190.189.214|8124|5|-|-|succeeded|-|www.osnews.com|80|192.168.0.31|-|2688
 [tunnel] 1340213015.276495|-|10.0.0.55|0|60.190.189.214|8124|Tunnel::SOCKS|Tunnel::DISCOVER
diff --git a/testing/btest/Baseline/scripts.base.files.entropy.basic/.stdout b/testing/btest/Baseline/scripts.base.files.entropy.basic/.stdout
new file mode 100644
index 0000000000..0682a357e8
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.files.entropy.basic/.stdout
@@ -0,0 +1 @@
+[entropy=4.950189, chi_square=63750.814665, mean=80.496493, monte_carlo_pi=4.0, serial_correlation=0.395907]
diff --git a/testing/btest/Baseline/scripts.base.files.x509.1999/x509.log b/testing/btest/Baseline/scripts.base.files.x509.1999/x509.log
new file mode 100644
index 0000000000..60bd109b5d
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.files.x509.1999/x509.log
@@ -0,0 +1,12 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	x509
+#open	2016-04-26-19-27-59
+#fields	ts	id	certificate.version	certificate.serial	certificate.subject	certificate.issuer	certificate.not_valid_before	certificate.not_valid_after	certificate.key_alg	certificate.sig_alg	certificate.key_type	certificate.key_length	certificate.exponent	certificate.curve	san.dns	san.uri	san.email	san.ip	basic_constraints.ca	basic_constraints.path_len
+#types	time	string	count	string	string	string	time	time	string	string	string	count	string	string	vector[string]	vector[string]	vector[string]	vector[addr]	bool	count
+1461697070.246986	Feyr3x4h8S7yqikqYd	3	339D9ED8E73927C9	CN=imap.gmx.net,emailAddress=server-certs@1und1.de,L=Montabaur,ST=Rhineland-Palatinate,O=1&1 Mail & Media GmbH,C=DE	CN=TeleSec ServerPass DE-1,street=Untere Industriestr. 20,L=Netphen,postalCode=57250,ST=NRW,OU=T-Systems Trust Center,O=T-Systems International GmbH,C=DE	1384251451.000000	1479427199.000000	rsaEncryption	sha1WithRSAEncryption	rsa	2048	65537	-	imap.gmx.net,imap.gmx.de	-	-	-	F	-
+1461697070.246986	FdSwvBrmfL9It607b	3	21B6777E8CBD0EA8	CN=TeleSec ServerPass DE-1,street=Untere Industriestr. 20,L=Netphen,postalCode=57250,ST=NRW,OU=T-Systems Trust Center,O=T-Systems International GmbH,C=DE	CN=Deutsche Telekom Root CA 2,OU=T-TeleSec Trust Center,O=Deutsche Telekom AG,C=DE	1362146309.000000	1562716740.000000	rsaEncryption	sha1WithRSAEncryption	rsa	2048	65537	-	-	-	-	-	T	0
+1461697070.246986	F7YtKFoAux1T0Ycb3	3	26	CN=Deutsche Telekom Root CA 2,OU=T-TeleSec Trust Center,O=Deutsche Telekom AG,C=DE	CN=Deutsche Telekom Root CA 2,OU=T-TeleSec Trust Center,O=Deutsche Telekom AG,C=DE	931522260.000000	1562716740.000000	rsaEncryption	sha1WithRSAEncryption	rsa	2048	65537	-	-	-	-	-	T	5
+#close	2016-04-26-19-27-59
diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.windows/out b/testing/btest/Baseline/scripts.base.frameworks.input.windows/out
new file mode 100644
index 0000000000..c456298062
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.input.windows/out
@@ -0,0 +1,15 @@
+{
+[-42] = [b=T, e=SSH::LOG, c=21, p=123/unknown, sn=10.0.0.0/24, a=1.2.3.4, d=3.14, t=1315801931.273616, iv=100.0, s=hurz, ns=4242, sc={
+2,
+4,
+1,
+3
+}, ss={
+CC,
+AA,
+BB
+}, se={
+
+}, vc=[10, 20, 30], ve=[]]
+}
+4242
diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-double/test.log b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-double/test.log
new file mode 100644
index 0000000000..7fb6492f1b
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-double/test.log
@@ -0,0 +1,17 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	test
+#open	2016-05-23-22-44-54
+#fields	d
+#types	double
+2153226000.0
+2153226000.1
+2153226000.123457
+1.0
+1.1
+1.123457
+1.1234
+3140000000000000.0
+#close	2016-05-23-22-44-54
diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-escape-odd-url/http.log b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-escape-odd-url/http.log
index 5fb6e1672a..44696eff39 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-escape-odd-url/http.log
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-escape-odd-url/http.log
@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	http
-#open	2016-01-15-18-40-57
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	version	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	filename	tags	username	password	proxied	orig_fuids	orig_mime_types	resp_fuids	resp_mime_types
-#types	time	string	addr	port	addr	port	count	string	string	string	string	string	string	count	count	count	string	count	string	string	set[enum]	string	string	set[string]	vector[string]	vector[string]	vector[string]	vector[string]
-1315799856.264750	CXWv6p3arKYeMETxOg	10.0.1.104	64216	193.40.5.162	80	1	GET	lepo.it.da.ut.ee	/~cect/teoreetilised seminarid_2010/arheoloogia_uurimisr\xfchma_seminar/Joyce et al - The Languages of Archaeology ~ Dialogue, Narrative and Writing.pdf	-	1.1	Wget/1.12 (darwin10.8.0)	0	346	404	Not Found	-	-	-	(empty)	-	-	-	-	-	FGNm7b3eXjhJLfvOWl	text/html
-#close	2016-01-15-18-40-57
+#open	2016-06-15-05-39-25
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	version	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	tags	username	password	proxied	orig_fuids	orig_filenames	orig_mime_types	resp_fuids	resp_filenames	resp_mime_types
+#types	time	string	addr	port	addr	port	count	string	string	string	string	string	string	count	count	count	string	count	string	set[enum]	string	string	set[string]	vector[string]	vector[string]	vector[string]	vector[string]	vector[string]	vector[string]
+1315799856.264750	CXWv6p3arKYeMETxOg	10.0.1.104	64216	193.40.5.162	80	1	GET	lepo.it.da.ut.ee	/~cect/teoreetilised seminarid_2010/arheoloogia_uurimisr\xfchma_seminar/Joyce et al - The Languages of Archaeology ~ Dialogue, Narrative and Writing.pdf	-	1.1	Wget/1.12 (darwin10.8.0)	0	346	404	Not Found	-	-	(empty)	-	-	-	-	-	-	FGNm7b3eXjhJLfvOWl	-	text/html
+#close	2016-06-15-05-39-25
diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.sqlite.wikipedia/http.select b/testing/btest/Baseline/scripts.base.frameworks.logging.sqlite.wikipedia/http.select
index a715425ded..274fa00af4 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.logging.sqlite.wikipedia/http.select
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.sqlite.wikipedia/http.select
@@ -1,14 +1,14 @@
-1300475168.78402|CRJuHdVW0XPVINV8a|141.142.220.118|48649|208.80.152.118|80|1|GET|bits.wikimedia.org|/skins-1.5/monobook/main.css|http://www.wikipedia.org/|1.1|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified||||(empty)|||||||
-1300475168.91602|CJ3xTn1c4Zw9TmAE05|141.142.220.118|49997|208.80.152.3|80|1|GET|upload.wikimedia.org|/wikipedia/commons/6/63/Wikipedia-logo.png|http://www.wikipedia.org/|1.0|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified||||(empty)|||||||
-1300475168.91618|C7XEbhP654jzLoe3a|141.142.220.118|49996|208.80.152.3|80|1|GET|upload.wikimedia.org|/wikipedia/commons/thumb/b/bb/Wikipedia_wordmark.svg/174px-Wikipedia_wordmark.svg.png|http://www.wikipedia.org/|1.0|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified||||(empty)|||||||
-1300475168.91836|C3SfNE4BWaU4aSuwkc|141.142.220.118|49998|208.80.152.3|80|1|GET|upload.wikimedia.org|/wikipedia/commons/b/bd/Bookshelf-40x201_6.png|http://www.wikipedia.org/|1.0|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified||||(empty)|||||||
-1300475168.9523|CzA03V1VcgagLjnO92|141.142.220.118|49999|208.80.152.3|80|1|GET|upload.wikimedia.org|/wikipedia/commons/4/4a/Wiktionary-logo-en-35px.png|http://www.wikipedia.org/|1.0|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified||||(empty)|||||||
-1300475168.95231|CyAhVIzHqb7t7kv28|141.142.220.118|50000|208.80.152.3|80|1|GET|upload.wikimedia.org|/wikipedia/commons/thumb/8/8a/Wikinews-logo.png/35px-Wikinews-logo.png|http://www.wikipedia.org/|1.0|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified||||(empty)|||||||
-1300475168.95482|CkDsfG2YIeWJmXWNWj|141.142.220.118|50001|208.80.152.3|80|1|GET|upload.wikimedia.org|/wikipedia/commons/thumb/f/fa/Wikiquote-logo.svg/35px-Wikiquote-logo.svg.png|http://www.wikipedia.org/|1.0|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified||||(empty)|||||||
-1300475168.96269|Cn78a440HlxuyZKs6f|141.142.220.118|35642|208.80.152.2|80|1|GET|meta.wikimedia.org|/images/wikimedia-button.png|http://www.wikipedia.org/|1.0|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified||||(empty)|||||||
-1300475168.97593|CJ3xTn1c4Zw9TmAE05|141.142.220.118|49997|208.80.152.3|80|2|GET|upload.wikimedia.org|/wikipedia/commons/thumb/f/fa/Wikibooks-logo.svg/35px-Wikibooks-logo.svg.png|http://www.wikipedia.org/|1.0|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified||||(empty)|||||||
-1300475168.97644|C7XEbhP654jzLoe3a|141.142.220.118|49996|208.80.152.3|80|2|GET|upload.wikimedia.org|/wikipedia/commons/thumb/d/df/Wikispecies-logo.svg/35px-Wikispecies-logo.svg.png|http://www.wikipedia.org/|1.0|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified||||(empty)|||||||
-1300475168.97926|C3SfNE4BWaU4aSuwkc|141.142.220.118|49998|208.80.152.3|80|2|GET|upload.wikimedia.org|/wikipedia/commons/thumb/4/4c/Wikisource-logo.svg/35px-Wikisource-logo.svg.png|http://www.wikipedia.org/|1.0|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified||||(empty)|||||||
-1300475169.01459|CzA03V1VcgagLjnO92|141.142.220.118|49999|208.80.152.3|80|2|GET|upload.wikimedia.org|/wikipedia/commons/thumb/9/91/Wikiversity-logo.svg/35px-Wikiversity-logo.svg.png|http://www.wikipedia.org/|1.0|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified||||(empty)|||||||
-1300475169.01462|CyAhVIzHqb7t7kv28|141.142.220.118|50000|208.80.152.3|80|2|GET|upload.wikimedia.org|/wikipedia/commons/thumb/4/4a/Commons-logo.svg/35px-Commons-logo.svg.png|http://www.wikipedia.org/|1.0|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified||||(empty)|||||||
-1300475169.01493|CkDsfG2YIeWJmXWNWj|141.142.220.118|50001|208.80.152.3|80|2|GET|upload.wikimedia.org|/wikipedia/commons/thumb/7/75/Wikimedia_Community_Logo.svg/35px-Wikimedia_Community_Logo.svg.png|http://www.wikipedia.org/|1.0|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified||||(empty)|||||||
+1300475168.78402|CRJuHdVW0XPVINV8a|141.142.220.118|48649|208.80.152.118|80|1|GET|bits.wikimedia.org|/skins-1.5/monobook/main.css|http://www.wikipedia.org/|1.1|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified|||(empty)|||||||||
+1300475168.91602|CJ3xTn1c4Zw9TmAE05|141.142.220.118|49997|208.80.152.3|80|1|GET|upload.wikimedia.org|/wikipedia/commons/6/63/Wikipedia-logo.png|http://www.wikipedia.org/|1.0|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified|||(empty)|||||||||
+1300475168.91618|C7XEbhP654jzLoe3a|141.142.220.118|49996|208.80.152.3|80|1|GET|upload.wikimedia.org|/wikipedia/commons/thumb/b/bb/Wikipedia_wordmark.svg/174px-Wikipedia_wordmark.svg.png|http://www.wikipedia.org/|1.0|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified|||(empty)|||||||||
+1300475168.91836|C3SfNE4BWaU4aSuwkc|141.142.220.118|49998|208.80.152.3|80|1|GET|upload.wikimedia.org|/wikipedia/commons/b/bd/Bookshelf-40x201_6.png|http://www.wikipedia.org/|1.0|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified|||(empty)|||||||||
+1300475168.9523|CzA03V1VcgagLjnO92|141.142.220.118|49999|208.80.152.3|80|1|GET|upload.wikimedia.org|/wikipedia/commons/4/4a/Wiktionary-logo-en-35px.png|http://www.wikipedia.org/|1.0|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified|||(empty)|||||||||
+1300475168.95231|CyAhVIzHqb7t7kv28|141.142.220.118|50000|208.80.152.3|80|1|GET|upload.wikimedia.org|/wikipedia/commons/thumb/8/8a/Wikinews-logo.png/35px-Wikinews-logo.png|http://www.wikipedia.org/|1.0|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified|||(empty)|||||||||
+1300475168.95482|CkDsfG2YIeWJmXWNWj|141.142.220.118|50001|208.80.152.3|80|1|GET|upload.wikimedia.org|/wikipedia/commons/thumb/f/fa/Wikiquote-logo.svg/35px-Wikiquote-logo.svg.png|http://www.wikipedia.org/|1.0|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified|||(empty)|||||||||
+1300475168.96269|Cn78a440HlxuyZKs6f|141.142.220.118|35642|208.80.152.2|80|1|GET|meta.wikimedia.org|/images/wikimedia-button.png|http://www.wikipedia.org/|1.0|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified|||(empty)|||||||||
+1300475168.97593|CJ3xTn1c4Zw9TmAE05|141.142.220.118|49997|208.80.152.3|80|2|GET|upload.wikimedia.org|/wikipedia/commons/thumb/f/fa/Wikibooks-logo.svg/35px-Wikibooks-logo.svg.png|http://www.wikipedia.org/|1.0|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified|||(empty)|||||||||
+1300475168.97644|C7XEbhP654jzLoe3a|141.142.220.118|49996|208.80.152.3|80|2|GET|upload.wikimedia.org|/wikipedia/commons/thumb/d/df/Wikispecies-logo.svg/35px-Wikispecies-logo.svg.png|http://www.wikipedia.org/|1.0|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified|||(empty)|||||||||
+1300475168.97926|C3SfNE4BWaU4aSuwkc|141.142.220.118|49998|208.80.152.3|80|2|GET|upload.wikimedia.org|/wikipedia/commons/thumb/4/4c/Wikisource-logo.svg/35px-Wikisource-logo.svg.png|http://www.wikipedia.org/|1.0|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified|||(empty)|||||||||
+1300475169.01459|CzA03V1VcgagLjnO92|141.142.220.118|49999|208.80.152.3|80|2|GET|upload.wikimedia.org|/wikipedia/commons/thumb/9/91/Wikiversity-logo.svg/35px-Wikiversity-logo.svg.png|http://www.wikipedia.org/|1.0|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified|||(empty)|||||||||
+1300475169.01462|CyAhVIzHqb7t7kv28|141.142.220.118|50000|208.80.152.3|80|2|GET|upload.wikimedia.org|/wikipedia/commons/thumb/4/4a/Commons-logo.svg/35px-Commons-logo.svg.png|http://www.wikipedia.org/|1.0|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified|||(empty)|||||||||
+1300475169.01493|CkDsfG2YIeWJmXWNWj|141.142.220.118|50001|208.80.152.3|80|2|GET|upload.wikimedia.org|/wikipedia/commons/thumb/7/75/Wikimedia_Community_Logo.svg/35px-Wikimedia_Community_Logo.svg.png|http://www.wikipedia.org/|1.0|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified|||(empty)|||||||||
diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.writer-path-conflict/http.log b/testing/btest/Baseline/scripts.base.frameworks.logging.writer-path-conflict/http.log
index 5fb44c25ee..32e54d7ed9 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.logging.writer-path-conflict/http.log
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.writer-path-conflict/http.log
@@ -3,21 +3,21 @@
 #empty_field	(empty)
 #unset_field	-
 #path	http
-#open	2016-01-15-18-40-59
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	version	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	filename	tags	username	password	proxied	orig_fuids	orig_mime_types	resp_fuids	resp_mime_types
-#types	time	string	addr	port	addr	port	count	string	string	string	string	string	string	count	count	count	string	count	string	string	set[enum]	string	string	set[string]	vector[string]	vector[string]	vector[string]	vector[string]
-1300475168.784020	CRJuHdVW0XPVINV8a	141.142.220.118	48649	208.80.152.118	80	1	GET	bits.wikimedia.org	/skins-1.5/monobook/main.css	http://www.wikipedia.org/	1.1	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	-	(empty)	-	-	-	-	-	-	-
-1300475168.916018	CJ3xTn1c4Zw9TmAE05	141.142.220.118	49997	208.80.152.3	80	1	GET	upload.wikimedia.org	/wikipedia/commons/6/63/Wikipedia-logo.png	http://www.wikipedia.org/	1.0	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	-	(empty)	-	-	-	-	-	-	-
-1300475168.916183	C7XEbhP654jzLoe3a	141.142.220.118	49996	208.80.152.3	80	1	GET	upload.wikimedia.org	/wikipedia/commons/thumb/b/bb/Wikipedia_wordmark.svg/174px-Wikipedia_wordmark.svg.png	http://www.wikipedia.org/	1.0	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	-	(empty)	-	-	-	-	-	-	-
-1300475168.918358	C3SfNE4BWaU4aSuwkc	141.142.220.118	49998	208.80.152.3	80	1	GET	upload.wikimedia.org	/wikipedia/commons/b/bd/Bookshelf-40x201_6.png	http://www.wikipedia.org/	1.0	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	-	(empty)	-	-	-	-	-	-	-
-1300475168.952307	CyAhVIzHqb7t7kv28	141.142.220.118	50000	208.80.152.3	80	1	GET	upload.wikimedia.org	/wikipedia/commons/thumb/8/8a/Wikinews-logo.png/35px-Wikinews-logo.png	http://www.wikipedia.org/	1.0	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	-	(empty)	-	-	-	-	-	-	-
-1300475168.952296	CzA03V1VcgagLjnO92	141.142.220.118	49999	208.80.152.3	80	1	GET	upload.wikimedia.org	/wikipedia/commons/4/4a/Wiktionary-logo-en-35px.png	http://www.wikipedia.org/	1.0	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	-	(empty)	-	-	-	-	-	-	-
-1300475168.954820	CkDsfG2YIeWJmXWNWj	141.142.220.118	50001	208.80.152.3	80	1	GET	upload.wikimedia.org	/wikipedia/commons/thumb/f/fa/Wikiquote-logo.svg/35px-Wikiquote-logo.svg.png	http://www.wikipedia.org/	1.0	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	-	(empty)	-	-	-	-	-	-	-
-1300475168.962687	Cn78a440HlxuyZKs6f	141.142.220.118	35642	208.80.152.2	80	1	GET	meta.wikimedia.org	/images/wikimedia-button.png	http://www.wikipedia.org/	1.0	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	-	(empty)	-	-	-	-	-	-	-
-1300475168.975934	CJ3xTn1c4Zw9TmAE05	141.142.220.118	49997	208.80.152.3	80	2	GET	upload.wikimedia.org	/wikipedia/commons/thumb/f/fa/Wikibooks-logo.svg/35px-Wikibooks-logo.svg.png	http://www.wikipedia.org/	1.0	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	-	(empty)	-	-	-	-	-	-	-
-1300475168.976436	C7XEbhP654jzLoe3a	141.142.220.118	49996	208.80.152.3	80	2	GET	upload.wikimedia.org	/wikipedia/commons/thumb/d/df/Wikispecies-logo.svg/35px-Wikispecies-logo.svg.png	http://www.wikipedia.org/	1.0	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	-	(empty)	-	-	-	-	-	-	-
-1300475168.979264	C3SfNE4BWaU4aSuwkc	141.142.220.118	49998	208.80.152.3	80	2	GET	upload.wikimedia.org	/wikipedia/commons/thumb/4/4c/Wikisource-logo.svg/35px-Wikisource-logo.svg.png	http://www.wikipedia.org/	1.0	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	-	(empty)	-	-	-	-	-	-	-
-1300475169.014619	CyAhVIzHqb7t7kv28	141.142.220.118	50000	208.80.152.3	80	2	GET	upload.wikimedia.org	/wikipedia/commons/thumb/4/4a/Commons-logo.svg/35px-Commons-logo.svg.png	http://www.wikipedia.org/	1.0	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	-	(empty)	-	-	-	-	-	-	-
-1300475169.014593	CzA03V1VcgagLjnO92	141.142.220.118	49999	208.80.152.3	80	2	GET	upload.wikimedia.org	/wikipedia/commons/thumb/9/91/Wikiversity-logo.svg/35px-Wikiversity-logo.svg.png	http://www.wikipedia.org/	1.0	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	-	(empty)	-	-	-	-	-	-	-
-1300475169.014927	CkDsfG2YIeWJmXWNWj	141.142.220.118	50001	208.80.152.3	80	2	GET	upload.wikimedia.org	/wikipedia/commons/thumb/7/75/Wikimedia_Community_Logo.svg/35px-Wikimedia_Community_Logo.svg.png	http://www.wikipedia.org/	1.0	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	-	(empty)	-	-	-	-	-	-	-
-#close	2016-01-15-18-40-59
+#open	2016-06-15-05-39-54
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	version	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	tags	username	password	proxied	orig_fuids	orig_filenames	orig_mime_types	resp_fuids	resp_filenames	resp_mime_types
+#types	time	string	addr	port	addr	port	count	string	string	string	string	string	string	count	count	count	string	count	string	set[enum]	string	string	set[string]	vector[string]	vector[string]	vector[string]	vector[string]	vector[string]	vector[string]
+1300475168.784020	CRJuHdVW0XPVINV8a	141.142.220.118	48649	208.80.152.118	80	1	GET	bits.wikimedia.org	/skins-1.5/monobook/main.css	http://www.wikipedia.org/	1.1	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	(empty)	-	-	-	-	-	-	-	-	-
+1300475168.916018	CJ3xTn1c4Zw9TmAE05	141.142.220.118	49997	208.80.152.3	80	1	GET	upload.wikimedia.org	/wikipedia/commons/6/63/Wikipedia-logo.png	http://www.wikipedia.org/	1.0	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	(empty)	-	-	-	-	-	-	-	-	-
+1300475168.916183	C7XEbhP654jzLoe3a	141.142.220.118	49996	208.80.152.3	80	1	GET	upload.wikimedia.org	/wikipedia/commons/thumb/b/bb/Wikipedia_wordmark.svg/174px-Wikipedia_wordmark.svg.png	http://www.wikipedia.org/	1.0	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	(empty)	-	-	-	-	-	-	-	-	-
+1300475168.918358	C3SfNE4BWaU4aSuwkc	141.142.220.118	49998	208.80.152.3	80	1	GET	upload.wikimedia.org	/wikipedia/commons/b/bd/Bookshelf-40x201_6.png	http://www.wikipedia.org/	1.0	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	(empty)	-	-	-	-	-	-	-	-	-
+1300475168.952307	CyAhVIzHqb7t7kv28	141.142.220.118	50000	208.80.152.3	80	1	GET	upload.wikimedia.org	/wikipedia/commons/thumb/8/8a/Wikinews-logo.png/35px-Wikinews-logo.png	http://www.wikipedia.org/	1.0	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	(empty)	-	-	-	-	-	-	-	-	-
+1300475168.952296	CzA03V1VcgagLjnO92	141.142.220.118	49999	208.80.152.3	80	1	GET	upload.wikimedia.org	/wikipedia/commons/4/4a/Wiktionary-logo-en-35px.png	http://www.wikipedia.org/	1.0	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	(empty)	-	-	-	-	-	-	-	-	-
+1300475168.954820	CkDsfG2YIeWJmXWNWj	141.142.220.118	50001	208.80.152.3	80	1	GET	upload.wikimedia.org	/wikipedia/commons/thumb/f/fa/Wikiquote-logo.svg/35px-Wikiquote-logo.svg.png	http://www.wikipedia.org/	1.0	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	(empty)	-	-	-	-	-	-	-	-	-
+1300475168.962687	Cn78a440HlxuyZKs6f	141.142.220.118	35642	208.80.152.2	80	1	GET	meta.wikimedia.org	/images/wikimedia-button.png	http://www.wikipedia.org/	1.0	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	(empty)	-	-	-	-	-	-	-	-	-
+1300475168.975934	CJ3xTn1c4Zw9TmAE05	141.142.220.118	49997	208.80.152.3	80	2	GET	upload.wikimedia.org	/wikipedia/commons/thumb/f/fa/Wikibooks-logo.svg/35px-Wikibooks-logo.svg.png	http://www.wikipedia.org/	1.0	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	(empty)	-	-	-	-	-	-	-	-	-
+1300475168.976436	C7XEbhP654jzLoe3a	141.142.220.118	49996	208.80.152.3	80	2	GET	upload.wikimedia.org	/wikipedia/commons/thumb/d/df/Wikispecies-logo.svg/35px-Wikispecies-logo.svg.png	http://www.wikipedia.org/	1.0	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	(empty)	-	-	-	-	-	-	-	-	-
+1300475168.979264	C3SfNE4BWaU4aSuwkc	141.142.220.118	49998	208.80.152.3	80	2	GET	upload.wikimedia.org	/wikipedia/commons/thumb/4/4c/Wikisource-logo.svg/35px-Wikisource-logo.svg.png	http://www.wikipedia.org/	1.0	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	(empty)	-	-	-	-	-	-	-	-	-
+1300475169.014619	CyAhVIzHqb7t7kv28	141.142.220.118	50000	208.80.152.3	80	2	GET	upload.wikimedia.org	/wikipedia/commons/thumb/4/4a/Commons-logo.svg/35px-Commons-logo.svg.png	http://www.wikipedia.org/	1.0	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	(empty)	-	-	-	-	-	-	-	-	-
+1300475169.014593	CzA03V1VcgagLjnO92	141.142.220.118	49999	208.80.152.3	80	2	GET	upload.wikimedia.org	/wikipedia/commons/thumb/9/91/Wikiversity-logo.svg/35px-Wikiversity-logo.svg.png	http://www.wikipedia.org/	1.0	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	(empty)	-	-	-	-	-	-	-	-	-
+1300475169.014927	CkDsfG2YIeWJmXWNWj	141.142.220.118	50001	208.80.152.3	80	2	GET	upload.wikimedia.org	/wikipedia/commons/thumb/7/75/Wikimedia_Community_Logo.svg/35px-Wikimedia_Community_Logo.svg.png	http://www.wikipedia.org/	1.0	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	(empty)	-	-	-	-	-	-	-	-	-
+#close	2016-06-15-05-39-54
diff --git a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.acld-hook/recv.recv.out b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.acld-hook/recv.recv.out
new file mode 100644
index 0000000000..d6d5c32fb2
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.acld-hook/recv.recv.out
@@ -0,0 +1,7 @@
+Broker::incoming_connection_established
+add_rule, 0, [ty=NetControl::FLOW, conn=<uninitialized>, flow=[src_h=192.168.18.50/32, src_p=<uninitialized>, dst_h=74.125.239.97/32, dst_p=<uninitialized>, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], NetControl::DROP, [command=blockhosthost, cookie=2, arg=192.168.18.50 74.125.239.97, comment=here]
+add_rule, 0, [ty=NetControl::FLOW, conn=<uninitialized>, flow=[src_h=<uninitialized>, src_p=<uninitialized>, dst_h=<uninitialized>, dst_p=443/tcp, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], NetControl::DROP, [command=droptcpport, cookie=3, arg=443, comment=there]
+add_rule, 0, [ty=NetControl::ADDRESS, conn=<uninitialized>, flow=<uninitialized>, ip=192.168.18.50/32, mac=<uninitialized>], NetControl::DROP, [command=nullzero, cookie=4, arg=192.168.18.50/32, comment=]
+remove_rule, 0, [ty=NetControl::FLOW, conn=<uninitialized>, flow=[src_h=192.168.18.50/32, src_p=<uninitialized>, dst_h=74.125.239.97/32, dst_p=<uninitialized>, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], NetControl::DROP, [command=restorehosthost, cookie=2, arg=192.168.18.50 74.125.239.97, comment=here]
+remove_rule, 0, [ty=NetControl::FLOW, conn=<uninitialized>, flow=[src_h=<uninitialized>, src_p=<uninitialized>, dst_h=<uninitialized>, dst_p=443/tcp, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], NetControl::DROP, [command=restoretcpport, cookie=3, arg=443, comment=there]
+remove_rule, 0, [ty=NetControl::ADDRESS, conn=<uninitialized>, flow=<uninitialized>, ip=192.168.18.50/32, mac=<uninitialized>], NetControl::DROP, [command=nonullzero, cookie=4, arg=192.168.18.50/32, comment=]
diff --git a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.acld-hook/send.send.out b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.acld-hook/send.send.out
new file mode 100644
index 0000000000..5d8cb431f4
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.acld-hook/send.send.out
@@ -0,0 +1,7 @@
+Broker::outgoing_connection_established, 127.0.0.1, 9999/tcp
+rule added, [ty=NetControl::FLOW, conn=<uninitialized>, flow=[src_h=192.168.18.50/32, src_p=<uninitialized>, dst_h=74.125.239.97/32, dst_p=<uninitialized>, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], NetControl::DROP
+rule added, [ty=NetControl::FLOW, conn=<uninitialized>, flow=[src_h=<uninitialized>, src_p=<uninitialized>, dst_h=<uninitialized>, dst_p=443/tcp, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], NetControl::DROP
+rule added, [ty=NetControl::ADDRESS, conn=<uninitialized>, flow=<uninitialized>, ip=192.168.18.50/32, mac=<uninitialized>], NetControl::DROP
+rule removed, [ty=NetControl::FLOW, conn=<uninitialized>, flow=[src_h=192.168.18.50/32, src_p=<uninitialized>, dst_h=74.125.239.97/32, dst_p=<uninitialized>, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], NetControl::DROP
+rule removed, [ty=NetControl::FLOW, conn=<uninitialized>, flow=[src_h=<uninitialized>, src_p=<uninitialized>, dst_h=<uninitialized>, dst_p=443/tcp, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], NetControl::DROP
+rule removed, [ty=NetControl::ADDRESS, conn=<uninitialized>, flow=<uninitialized>, ip=192.168.18.50/32, mac=<uninitialized>], NetControl::DROP
diff --git a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.acld/recv.recv.out b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.acld/recv.recv.out
new file mode 100644
index 0000000000..f75f20ea28
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.acld/recv.recv.out
@@ -0,0 +1,7 @@
+Broker::incoming_connection_established
+add_rule, 0, [ty=NetControl::FLOW, conn=<uninitialized>, flow=[src_h=192.168.18.50/32, src_p=<uninitialized>, dst_h=74.125.239.97/32, dst_p=<uninitialized>, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], NetControl::DROP, [command=blockhosthost, cookie=2, arg=192.168.18.50 74.125.239.97, comment=here]
+add_rule, 0, [ty=NetControl::FLOW, conn=<uninitialized>, flow=[src_h=<uninitialized>, src_p=<uninitialized>, dst_h=<uninitialized>, dst_p=443/tcp, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], NetControl::DROP, [command=droptcpport, cookie=3, arg=443, comment=there]
+add_rule, 0, [ty=NetControl::ADDRESS, conn=<uninitialized>, flow=<uninitialized>, ip=192.168.18.50/32, mac=<uninitialized>], NetControl::DROP, [command=drop, cookie=4, arg=192.168.18.50/32, comment=]
+remove_rule, 0, [ty=NetControl::FLOW, conn=<uninitialized>, flow=[src_h=192.168.18.50/32, src_p=<uninitialized>, dst_h=74.125.239.97/32, dst_p=<uninitialized>, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], NetControl::DROP, [command=restorehosthost, cookie=2, arg=192.168.18.50 74.125.239.97, comment=here]
+remove_rule, 0, [ty=NetControl::FLOW, conn=<uninitialized>, flow=[src_h=<uninitialized>, src_p=<uninitialized>, dst_h=<uninitialized>, dst_p=443/tcp, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], NetControl::DROP, [command=restoretcpport, cookie=3, arg=443, comment=there]
+remove_rule, 0, [ty=NetControl::ADDRESS, conn=<uninitialized>, flow=<uninitialized>, ip=192.168.18.50/32, mac=<uninitialized>], NetControl::DROP, [command=restore, cookie=4, arg=192.168.18.50/32, comment=]
diff --git a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.acld/send.send.out b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.acld/send.send.out
new file mode 100644
index 0000000000..5d8cb431f4
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.acld/send.send.out
@@ -0,0 +1,7 @@
+Broker::outgoing_connection_established, 127.0.0.1, 9999/tcp
+rule added, [ty=NetControl::FLOW, conn=<uninitialized>, flow=[src_h=192.168.18.50/32, src_p=<uninitialized>, dst_h=74.125.239.97/32, dst_p=<uninitialized>, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], NetControl::DROP
+rule added, [ty=NetControl::FLOW, conn=<uninitialized>, flow=[src_h=<uninitialized>, src_p=<uninitialized>, dst_h=<uninitialized>, dst_p=443/tcp, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], NetControl::DROP
+rule added, [ty=NetControl::ADDRESS, conn=<uninitialized>, flow=<uninitialized>, ip=192.168.18.50/32, mac=<uninitialized>], NetControl::DROP
+rule removed, [ty=NetControl::FLOW, conn=<uninitialized>, flow=[src_h=192.168.18.50/32, src_p=<uninitialized>, dst_h=74.125.239.97/32, dst_p=<uninitialized>, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], NetControl::DROP
+rule removed, [ty=NetControl::FLOW, conn=<uninitialized>, flow=[src_h=<uninitialized>, src_p=<uninitialized>, dst_h=<uninitialized>, dst_p=443/tcp, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], NetControl::DROP
+rule removed, [ty=NetControl::ADDRESS, conn=<uninitialized>, flow=<uninitialized>, ip=192.168.18.50/32, mac=<uninitialized>], NetControl::DROP
diff --git a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.basic-cluster/manager-1.netcontrol.log b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.basic-cluster/manager-1.netcontrol.log
new file mode 100644
index 0000000000..2811185c09
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.basic-cluster/manager-1.netcontrol.log
@@ -0,0 +1,26 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	netcontrol
+#open	2016-03-09-23-10-49
+#fields	ts	rule_id	category	cmd	state	action	target	entity_type	entity	mod	msg	priority	expire	location	plugin
+#types	time	string	enum	string	enum	string	enum	string	string	string	string	int	interval	string	string
+1457565049.807080	-	NetControl::MESSAGE	-	-	-	-	-	-	-	activating plugin with priority 0	-	-	-	Debug-All
+1457565049.807080	-	NetControl::MESSAGE	-	-	-	-	-	-	-	activation finished	-	-	-	Debug-All
+1457565049.807080	-	NetControl::MESSAGE	-	-	-	-	-	-	-	plugin initialization done	-	-	-	-
+1457565051.874738	worker-1:2	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::MONITOR	NetControl::FLOW	192.168.18.50/32/56981->74.125.239.97/32/443	-	-	0	1.000000	-	Debug-All
+1457565051.874738	worker-1:3	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	1.000000	-	Debug-All
+1457565051.874738	worker-1:2	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::DROP	NetControl::MONITOR	NetControl::FLOW	192.168.18.50/32/56981->74.125.239.97/32/443	-	-	0	1.000000	-	Debug-All
+1457565051.874738	worker-1:3	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	1.000000	-	Debug-All
+1457565052.874916	worker-1:2	NetControl::RULE	EXPIRE	NetControl::TIMEOUT	NetControl::DROP	NetControl::MONITOR	NetControl::FLOW	192.168.18.50/32/56981->74.125.239.97/32/443	-	-	0	1.000000	-	Debug-All
+1457565052.874916	worker-1:2	NetControl::RULE	REMOVE	NetControl::REQUESTED	NetControl::DROP	NetControl::MONITOR	NetControl::FLOW	192.168.18.50/32/56981->74.125.239.97/32/443	-	-	0	1.000000	-	Debug-All
+1457565052.874916	worker-1:3	NetControl::RULE	EXPIRE	NetControl::TIMEOUT	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	1.000000	-	Debug-All
+1457565052.874916	worker-1:3	NetControl::RULE	REMOVE	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	1.000000	-	Debug-All
+1457565052.874916	worker-1:2	NetControl::RULE	REMOVE	NetControl::SUCCEEDED	NetControl::DROP	NetControl::MONITOR	NetControl::FLOW	192.168.18.50/32/56981->74.125.239.97/32/443	-	-	0	1.000000	-	Debug-All
+1457565052.874916	worker-1:3	NetControl::RULE	REMOVE	NetControl::SUCCEEDED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	1.000000	-	Debug-All
+1457565053.950376	worker-2:2	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::MONITOR	NetControl::FLOW	192.168.18.50/32/56981->74.125.239.97/32/443	-	-	0	1.000000	-	Debug-All
+1457565053.950376	worker-2:3	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	1.000000	-	Debug-All
+1457565053.950376	worker-2:2	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::DROP	NetControl::MONITOR	NetControl::FLOW	192.168.18.50/32/56981->74.125.239.97/32/443	-	-	0	1.000000	-	Debug-All
+1457565053.950376	worker-2:3	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	1.000000	-	Debug-All
+#close	2016-03-09-23-10-54
diff --git a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.basic/.stdout b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.basic/.stdout
new file mode 100644
index 0000000000..846bb1b653
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.basic/.stdout
@@ -0,0 +1,11 @@
+netcontrol debug (Debug-All): init
+netcontrol debug (Debug-All): add_rule: [ty=NetControl::DROP, target=NetControl::MONITOR, entity=[ty=NetControl::FLOW, conn=<uninitialized>, flow=[src_h=192.168.17.1/32, src_p=32/tcp, dst_h=192.168.17.2/32, dst_p=32/tcp, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], expire=30.0 secs, priority=0, location=, out_port=<uninitialized>, mod=<uninitialized>, id=2, cid=2, _plugin_ids={\x0a\x0a}, _active_plugin_ids={\x0a\x0a}, _added=F]
+netcontrol debug (Debug-All): add_rule: [ty=NetControl::DROP, target=NetControl::FORWARD, entity=[ty=NetControl::ADDRESS, conn=<uninitialized>, flow=<uninitialized>, ip=1.1.2.2/32, mac=<uninitialized>], expire=15.0 secs, priority=0, location=Hi there, out_port=<uninitialized>, mod=<uninitialized>, id=3, cid=3, _plugin_ids={\x0a\x0a}, _active_plugin_ids={\x0a\x0a}, _added=F]
+netcontrol debug (Debug-All): add_rule: [ty=NetControl::WHITELIST, target=NetControl::FORWARD, entity=[ty=NetControl::ADDRESS, conn=<uninitialized>, flow=<uninitialized>, ip=1.2.3.4/32, mac=<uninitialized>], expire=15.0 secs, priority=5, location=, out_port=<uninitialized>, mod=<uninitialized>, id=4, cid=4, _plugin_ids={\x0a\x0a}, _active_plugin_ids={\x0a\x0a}, _added=F]
+netcontrol debug (Debug-All): add_rule: [ty=NetControl::REDIRECT, target=NetControl::FORWARD, entity=[ty=NetControl::FLOW, conn=<uninitialized>, flow=[src_h=192.168.17.1/32, src_p=32/tcp, dst_h=192.168.17.2/32, dst_p=32/tcp, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], expire=30.0 secs, priority=0, location=, out_port=5, mod=<uninitialized>, id=5, cid=5, _plugin_ids={\x0a\x0a}, _active_plugin_ids={\x0a\x0a}, _added=F]
+netcontrol debug (Debug-All): add_rule: [ty=NetControl::DROP, target=NetControl::FORWARD, entity=[ty=NetControl::FLOW, conn=<uninitialized>, flow=[src_h=127.0.0.2/32, src_p=<uninitialized>, dst_h=<uninitialized>, dst_p=<uninitialized>, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], expire=15.0 secs, priority=0, location=, out_port=<uninitialized>, mod=<uninitialized>, id=6, cid=6, _plugin_ids={\x0a\x0a}, _active_plugin_ids={\x0a\x0a}, _added=F]
+netcontrol debug (Debug-All): add_rule: [ty=NetControl::MODIFY, target=NetControl::FORWARD, entity=[ty=NetControl::FLOW, conn=<uninitialized>, flow=[src_h=127.0.0.2/32, src_p=<uninitialized>, dst_h=8.8.8.8/32, dst_p=53/udp, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], expire=15.0 secs, priority=5, location=, out_port=<uninitialized>, mod=[src_h=<uninitialized>, src_p=<uninitialized>, dst_h=127.0.0.3, dst_p=<uninitialized>, src_m=<uninitialized>, dst_m=<uninitialized>, redirect_port=<uninitialized>], id=7, cid=7, _plugin_ids={\x0a\x0a}, _active_plugin_ids={\x0a\x0a}, _added=F]
+netcontrol debug (Debug-All): add_rule: [ty=NetControl::MODIFY, target=NetControl::FORWARD, entity=[ty=NetControl::FLOW, conn=<uninitialized>, flow=[src_h=8.8.8.8/32, src_p=53/udp, dst_h=127.0.0.2/32, dst_p=<uninitialized>, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], expire=15.0 secs, priority=5, location=, out_port=<uninitialized>, mod=[src_h=8.8.8.8, src_p=<uninitialized>, dst_h=<uninitialized>, dst_p=<uninitialized>, src_m=<uninitialized>, dst_m=<uninitialized>, redirect_port=<uninitialized>], id=8, cid=8, _plugin_ids={\x0a\x0a}, _active_plugin_ids={\x0a\x0a}, _added=F]
+netcontrol debug (Debug-All): add_rule: [ty=NetControl::WHITELIST, target=NetControl::FORWARD, entity=[ty=NetControl::FLOW, conn=<uninitialized>, flow=[src_h=127.0.0.2/32, src_p=<uninitialized>, dst_h=127.0.0.3/32, dst_p=80/tcp, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], expire=15.0 secs, priority=5, location=, out_port=<uninitialized>, mod=<uninitialized>, id=9, cid=9, _plugin_ids={\x0a\x0a}, _active_plugin_ids={\x0a\x0a}, _added=F]
+netcontrol debug (Debug-All): add_rule: [ty=NetControl::DROP, target=NetControl::FORWARD, entity=[ty=NetControl::MAC, conn=<uninitialized>, flow=<uninitialized>, ip=<uninitialized>, mac=FF:FF:FF:FF:FF:FF], expire=15.0 secs, priority=0, location=<uninitialized>, out_port=<uninitialized>, mod=<uninitialized>, id=10, cid=10, _plugin_ids={\x0a\x0a}, _active_plugin_ids={\x0a\x0a}, _added=F]
+netcontrol debug (Debug-All): add_rule: [ty=NetControl::DROP, target=NetControl::FORWARD, entity=[ty=NetControl::FLOW, conn=<uninitialized>, flow=[src_h=<uninitialized>, src_p=<uninitialized>, dst_h=<uninitialized>, dst_p=<uninitialized>, src_m=FF:FF:FF:FF:FF:FF, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], expire=15.0 secs, priority=0, location=<uninitialized>, out_port=<uninitialized>, mod=<uninitialized>, id=11, cid=11, _plugin_ids={\x0a\x0a}, _active_plugin_ids={\x0a\x0a}, _added=F]
diff --git a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.basic/netcontrol.log b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.basic/netcontrol.log
new file mode 100644
index 0000000000..da4487f10f
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.basic/netcontrol.log
@@ -0,0 +1,32 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	netcontrol
+#open	2016-03-09-22-21-13
+#fields	ts	rule_id	category	cmd	state	action	target	entity_type	entity	mod	msg	priority	expire	location	plugin
+#types	time	string	enum	string	enum	string	enum	string	string	string	string	int	interval	string	string
+1457562073.119593	-	NetControl::MESSAGE	-	-	-	-	-	-	-	activating plugin with priority 0	-	-	-	Debug-All
+1457562073.119593	-	NetControl::MESSAGE	-	-	-	-	-	-	-	activation finished	-	-	-	Debug-All
+1457562073.119593	-	NetControl::MESSAGE	-	-	-	-	-	-	-	plugin initialization done	-	-	-	-
+1457562073.119593	2	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::MONITOR	NetControl::FLOW	192.168.17.1/32/32->192.168.17.2/32/32	-	-	0	30.000000	-	Debug-All
+1457562073.119593	3	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	1.1.2.2/32	-	-	0	15.000000	Hi there	Debug-All
+1457562073.119593	4	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::WHITELIST	NetControl::FORWARD	NetControl::ADDRESS	1.2.3.4/32	-	-	5	15.000000	-	Debug-All
+1457562073.119593	5	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::REDIRECT	NetControl::FORWARD	NetControl::FLOW	192.168.17.1/32/32->192.168.17.2/32/32	-> 5	-	0	30.000000	-	Debug-All
+1457562073.119593	6	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::FLOW	127.0.0.2/32/*->*/*	-	-	0	15.000000	-	Debug-All
+1457562073.119593	7	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::MODIFY	NetControl::FORWARD	NetControl::FLOW	127.0.0.2/32/*->8.8.8.8/32/53	Src: _/_ (_) Dst: 127.0.0.3/_ (_)	-	5	15.000000	-	Debug-All
+1457562073.119593	8	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::MODIFY	NetControl::FORWARD	NetControl::FLOW	8.8.8.8/32/53->127.0.0.2/32/*	Src: 8.8.8.8/_ (_) Dst: _/_ (_)	-	5	15.000000	-	Debug-All
+1457562073.119593	9	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::WHITELIST	NetControl::FORWARD	NetControl::FLOW	127.0.0.2/32/*->127.0.0.3/32/80	-	-	5	15.000000	-	Debug-All
+1457562073.119593	10	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::MAC	FF:FF:FF:FF:FF:FF	-	-	0	15.000000	-	Debug-All
+1457562073.119593	11	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::FLOW	*/*->*/* (FF:FF:FF:FF:FF:FF->*)	-	-	0	15.000000	-	Debug-All
+1457562073.119593	2	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::DROP	NetControl::MONITOR	NetControl::FLOW	192.168.17.1/32/32->192.168.17.2/32/32	-	-	0	30.000000	-	Debug-All
+1457562073.119593	3	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	1.1.2.2/32	-	-	0	15.000000	Hi there	Debug-All
+1457562073.119593	4	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::WHITELIST	NetControl::FORWARD	NetControl::ADDRESS	1.2.3.4/32	-	-	5	15.000000	-	Debug-All
+1457562073.119593	5	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::REDIRECT	NetControl::FORWARD	NetControl::FLOW	192.168.17.1/32/32->192.168.17.2/32/32	-> 5	-	0	30.000000	-	Debug-All
+1457562073.119593	6	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::DROP	NetControl::FORWARD	NetControl::FLOW	127.0.0.2/32/*->*/*	-	-	0	15.000000	-	Debug-All
+1457562073.119593	7	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::MODIFY	NetControl::FORWARD	NetControl::FLOW	127.0.0.2/32/*->8.8.8.8/32/53	Src: _/_ (_) Dst: 127.0.0.3/_ (_)	-	5	15.000000	-	Debug-All
+1457562073.119593	8	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::MODIFY	NetControl::FORWARD	NetControl::FLOW	8.8.8.8/32/53->127.0.0.2/32/*	Src: 8.8.8.8/_ (_) Dst: _/_ (_)	-	5	15.000000	-	Debug-All
+1457562073.119593	9	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::WHITELIST	NetControl::FORWARD	NetControl::FLOW	127.0.0.2/32/*->127.0.0.3/32/80	-	-	5	15.000000	-	Debug-All
+1457562073.119593	10	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::DROP	NetControl::FORWARD	NetControl::MAC	FF:FF:FF:FF:FF:FF	-	-	0	15.000000	-	Debug-All
+1457562073.119593	11	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::DROP	NetControl::FORWARD	NetControl::FLOW	*/*->*/* (FF:FF:FF:FF:FF:FF->*)	-	-	0	15.000000	-	Debug-All
+#close	2016-03-09-22-21-13
diff --git a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.basic/netcontrol_drop.log b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.basic/netcontrol_drop.log
new file mode 100644
index 0000000000..e777e7655a
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.basic/netcontrol_drop.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	netcontrol_drop
+#open	2016-02-17-20-21-38
+#fields	ts	rule_id	orig_h	orig_p	resp_h	resp_p	expire	location
+#types	time	string	addr	port	addr	port	interval	string
+1455740498.301865	3	1.1.2.2	-	-	-	15.000000	Hi there
+#close	2016-02-17-20-21-38
diff --git a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.basic/netcontrol_shunt.log b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.basic/netcontrol_shunt.log
new file mode 100644
index 0000000000..2f3dc11da7
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.basic/netcontrol_shunt.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	netcontrol_shunt
+#open	2016-02-17-19-21-47
+#fields	ts	rule_id	f.src_h	f.src_p	f.dst_h	f.dst_p	expire	location
+#types	time	string	addr	port	addr	port	interval	string
+1455736907.597588	2	192.168.17.1	32	192.168.17.2	32	30.000000	-
+#close	2016-02-17-19-21-47
diff --git a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.broker/recv.recv.out b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.broker/recv.recv.out
new file mode 100644
index 0000000000..74c5f3499c
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.broker/recv.recv.out
@@ -0,0 +1,5 @@
+Broker::incoming_connection_established
+add_rule, 0, [ty=NetControl::FLOW, conn=<uninitialized>, flow=[src_h=10.10.1.4/32, src_p=1470/tcp, dst_h=74.53.140.153/32, dst_p=25/tcp, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], NetControl::DROP
+add_rule, 0, [ty=NetControl::ADDRESS, conn=<uninitialized>, flow=<uninitialized>, ip=10.10.1.4/32, mac=<uninitialized>], NetControl::DROP
+remove_rule, 0, [ty=NetControl::FLOW, conn=<uninitialized>, flow=[src_h=10.10.1.4/32, src_p=1470/tcp, dst_h=74.53.140.153/32, dst_p=25/tcp, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], NetControl::DROP
+remove_rule, 0, [ty=NetControl::ADDRESS, conn=<uninitialized>, flow=<uninitialized>, ip=10.10.1.4/32, mac=<uninitialized>], NetControl::DROP
diff --git a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.broker/send.netcontrol.log b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.broker/send.netcontrol.log
new file mode 100644
index 0000000000..fb1381e291
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.broker/send.netcontrol.log
@@ -0,0 +1,23 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	netcontrol
+#open	2016-03-08-22-15-15
+#fields	ts	rule_id	category	cmd	state	action	target	entity_type	entity	mod	msg	priority	expire	location	plugin
+#types	time	string	enum	string	enum	string	enum	string	string	string	string	int	interval	string	string
+0.000000	-	NetControl::MESSAGE	-	-	-	-	-	-	-	activating plugin with priority 0	-	-	-	Broker-bro/event/netcontroltest
+0.000000	-	NetControl::MESSAGE	-	-	-	-	-	-	-	waiting for plugins to initialize	-	-	-	-
+1457475314.791475	-	NetControl::MESSAGE	-	-	-	-	-	-	-	activation finished	-	-	-	Broker-bro/event/netcontroltest
+1457475314.791475	-	NetControl::MESSAGE	-	-	-	-	-	-	-	plugin initialization done	-	-	-	-
+1457475315.175411	2	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::MONITOR	NetControl::FLOW	10.10.1.4/32/1470->74.53.140.153/32/25	-	-	0	36000.000000	-	Broker-bro/event/netcontroltest
+1457475315.175411	3	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	10.10.1.4/32	-	-	0	36000.000000	-	Broker-bro/event/netcontroltest
+1457475315.175443	2	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::DROP	NetControl::MONITOR	NetControl::FLOW	10.10.1.4/32/1470->74.53.140.153/32/25	-	-	0	36000.000000	-	Broker-bro/event/netcontroltest
+1457475315.175443	2	NetControl::RULE	REMOVE	NetControl::REQUESTED	NetControl::DROP	NetControl::MONITOR	NetControl::FLOW	10.10.1.4/32/1470->74.53.140.153/32/25	-	-	0	36000.000000	-	Broker-bro/event/netcontroltest
+1457475315.175443	3	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	10.10.1.4/32	-	-	0	36000.000000	-	Broker-bro/event/netcontroltest
+1457475315.175443	3	NetControl::RULE	REMOVE	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	10.10.1.4/32	-	-	0	36000.000000	-	Broker-bro/event/netcontroltest
+1457475315.175443	2	NetControl::RULE	EXPIRE	NetControl::TIMEOUT	NetControl::DROP	NetControl::MONITOR	NetControl::FLOW	10.10.1.4/32/1470->74.53.140.153/32/25	-	-	0	36000.000000	-	Broker-bro/event/netcontroltest
+1457475315.175443	2	NetControl::ERROR	-	-	NetControl::DROP	NetControl::MONITOR	NetControl::FLOW	10.10.1.4/32/1470->74.53.140.153/32/25	-	Removal of non-existing rule	0	36000.000000	-	Broker-bro/event/netcontroltest
+1457475315.175443	3	NetControl::RULE	EXPIRE	NetControl::TIMEOUT	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	10.10.1.4/32	-	-	0	36000.000000	-	Broker-bro/event/netcontroltest
+1457475315.175443	3	NetControl::ERROR	-	-	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	10.10.1.4/32	-	Removal of non-existing rule	0	36000.000000	-	Broker-bro/event/netcontroltest
+#close	2016-03-08-22-15-15
diff --git a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.broker/send.send.out b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.broker/send.send.out
new file mode 100644
index 0000000000..fb086ee0e7
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.broker/send.send.out
@@ -0,0 +1,7 @@
+Broker::outgoing_connection_established, 127.0.0.1, 9999/tcp
+rule added, [ty=NetControl::FLOW, conn=<uninitialized>, flow=[src_h=10.10.1.4/32, src_p=1470/tcp, dst_h=74.53.140.153/32, dst_p=25/tcp, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], NetControl::DROP
+rule added, [ty=NetControl::ADDRESS, conn=<uninitialized>, flow=<uninitialized>, ip=10.10.1.4/32, mac=<uninitialized>], NetControl::DROP
+rule timeout, [ty=NetControl::FLOW, conn=<uninitialized>, flow=[src_h=10.10.1.4/32, src_p=1470/tcp, dst_h=74.53.140.153/32, dst_p=25/tcp, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], NetControl::DROP, [duration=<uninitialized>, packet_count=<uninitialized>, byte_count=<uninitialized>]
+rule removed, [ty=NetControl::FLOW, conn=<uninitialized>, flow=[src_h=10.10.1.4/32, src_p=1470/tcp, dst_h=74.53.140.153/32, dst_p=25/tcp, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], NetControl::DROP
+rule timeout, [ty=NetControl::ADDRESS, conn=<uninitialized>, flow=<uninitialized>, ip=10.10.1.4/32, mac=<uninitialized>], NetControl::DROP, [duration=<uninitialized>, packet_count=<uninitialized>, byte_count=<uninitialized>]
+rule removed, [ty=NetControl::ADDRESS, conn=<uninitialized>, flow=<uninitialized>, ip=10.10.1.4/32, mac=<uninitialized>], NetControl::DROP
diff --git a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.catch-and-release/netcontrol.log b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.catch-and-release/netcontrol.log
new file mode 100644
index 0000000000..f3bd6fafe0
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.catch-and-release/netcontrol.log
@@ -0,0 +1,18 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	netcontrol
+#open	2016-03-09-23-42-34
+#fields	ts	rule_id	category	cmd	state	action	target	entity_type	entity	mod	msg	priority	expire	location	plugin
+#types	time	string	enum	string	enum	string	enum	string	string	string	string	int	interval	string	string
+0.000000	-	NetControl::MESSAGE	-	-	-	-	-	-	-	activating plugin with priority 0	-	-	-	Debug-All
+0.000000	-	NetControl::MESSAGE	-	-	-	-	-	-	-	activation finished	-	-	-	Debug-All
+0.000000	-	NetControl::MESSAGE	-	-	-	-	-	-	-	plugin initialization done	-	-	-	-
+1398529018.678276	2	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	600.000000	-	Debug-All
+1398529018.678276	3	NetControl::RULE	-	NetControl::FAILED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	discarded duplicate insertion	0	3600.000000	Re-drop by catch-and-release	-
+1398529018.678276	4	NetControl::RULE	-	NetControl::FAILED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	discarded duplicate insertion	0	86400.000000	Re-drop by catch-and-release	-
+1398529018.678276	5	NetControl::RULE	-	NetControl::FAILED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	discarded duplicate insertion	0	604800.000000	Re-drop by catch-and-release	-
+1398529018.678276	6	NetControl::RULE	-	NetControl::FAILED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	discarded duplicate insertion	0	604800.000000	Re-drop by catch-and-release	-
+1398529018.678276	2	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	600.000000	-	Debug-All
+#close	2016-03-09-23-42-34
diff --git a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.delete-internal-state/.stdout b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.delete-internal-state/.stdout
new file mode 100644
index 0000000000..7d21c082f7
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.delete-internal-state/.stdout
@@ -0,0 +1,19 @@
+netcontrol debug (Debug-All): init
+netcontrol debug (Debug-All): add_rule: [ty=NetControl::DROP, target=NetControl::MONITOR, entity=[ty=NetControl::FLOW, conn=<uninitialized>, flow=[src_h=192.168.18.50/32, src_p=56981/tcp, dst_h=74.125.239.97/32, dst_p=443/tcp, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], expire=0 secs, priority=0, location=, out_port=<uninitialized>, mod=<uninitialized>, id=2, cid=2, _plugin_ids={\x0a\x0a}, _active_plugin_ids={\x0a\x0a}, _added=F]
+netcontrol debug (Debug-All): add_rule: [ty=NetControl::DROP, target=NetControl::FORWARD, entity=[ty=NetControl::ADDRESS, conn=<uninitialized>, flow=<uninitialized>, ip=192.168.18.50/32, mac=<uninitialized>], expire=0 secs, priority=0, location=, out_port=<uninitialized>, mod=<uninitialized>, id=3, cid=3, _plugin_ids={\x0a\x0a}, _active_plugin_ids={\x0a\x0a}, _added=F]
+netcontrol debug (Debug-All): add_rule: [ty=NetControl::WHITELIST, target=NetControl::FORWARD, entity=[ty=NetControl::ADDRESS, conn=<uninitialized>, flow=<uninitialized>, ip=192.168.18.50/32, mac=<uninitialized>], expire=0 secs, priority=5, location=, out_port=<uninitialized>, mod=<uninitialized>, id=4, cid=4, _plugin_ids={\x0a\x0a}, _active_plugin_ids={\x0a\x0a}, _added=F]
+netcontrol debug (Debug-All): add_rule: [ty=NetControl::REDIRECT, target=NetControl::FORWARD, entity=[ty=NetControl::FLOW, conn=<uninitialized>, flow=[src_h=192.168.18.50/32, src_p=56981/tcp, dst_h=74.125.239.97/32, dst_p=443/tcp, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], expire=0 secs, priority=0, location=, out_port=5, mod=<uninitialized>, id=5, cid=5, _plugin_ids={\x0a\x0a}, _active_plugin_ids={\x0a\x0a}, _added=F]
+netcontrol debug (Debug-All): remove_rule: [ty=NetControl::DROP, target=NetControl::MONITOR, entity=[ty=NetControl::FLOW, conn=<uninitialized>, flow=[src_h=192.168.18.50/32, src_p=56981/tcp, dst_h=74.125.239.97/32, dst_p=443/tcp, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], expire=0 secs, priority=0, location=, out_port=<uninitialized>, mod=<uninitialized>, id=2, cid=2, _plugin_ids={\x0a\x091\x0a}, _active_plugin_ids={\x0a\x091\x0a}, _added=T]
+netcontrol debug (Debug-All): remove_rule: [ty=NetControl::DROP, target=NetControl::FORWARD, entity=[ty=NetControl::ADDRESS, conn=<uninitialized>, flow=<uninitialized>, ip=192.168.18.50/32, mac=<uninitialized>], expire=0 secs, priority=0, location=, out_port=<uninitialized>, mod=<uninitialized>, id=3, cid=3, _plugin_ids={\x0a\x091\x0a}, _active_plugin_ids={\x0a\x091\x0a}, _added=T]
+netcontrol debug (Debug-All): remove_rule: [ty=NetControl::WHITELIST, target=NetControl::FORWARD, entity=[ty=NetControl::ADDRESS, conn=<uninitialized>, flow=<uninitialized>, ip=192.168.18.50/32, mac=<uninitialized>], expire=0 secs, priority=5, location=, out_port=<uninitialized>, mod=<uninitialized>, id=4, cid=4, _plugin_ids={\x0a\x091\x0a}, _active_plugin_ids={\x0a\x091\x0a}, _added=T]
+netcontrol debug (Debug-All): remove_rule: [ty=NetControl::REDIRECT, target=NetControl::FORWARD, entity=[ty=NetControl::FLOW, conn=<uninitialized>, flow=[src_h=192.168.18.50/32, src_p=56981/tcp, dst_h=74.125.239.97/32, dst_p=443/tcp, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], expire=0 secs, priority=0, location=, out_port=5, mod=<uninitialized>, id=5, cid=5, _plugin_ids={\x0a\x091\x0a}, _active_plugin_ids={\x0a\x091\x0a}, _added=T]
+Dumping state
+{
+
+}
+{
+
+}
+{
+
+}
diff --git a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.duplicate/netcontrol.log b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.duplicate/netcontrol.log
new file mode 100644
index 0000000000..780c3d9c64
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.duplicate/netcontrol.log
@@ -0,0 +1,15 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	netcontrol
+#open	2016-03-09-23-06-58
+#fields	ts	rule_id	category	cmd	state	action	target	entity_type	entity	mod	msg	priority	expire	location	plugin
+#types	time	string	enum	string	enum	string	enum	string	string	string	string	int	interval	string	string
+0.000000	-	NetControl::MESSAGE	-	-	-	-	-	-	-	activating plugin with priority 0	-	-	-	Debug-All
+0.000000	-	NetControl::MESSAGE	-	-	-	-	-	-	-	activation finished	-	-	-	Debug-All
+0.000000	-	NetControl::MESSAGE	-	-	-	-	-	-	-	plugin initialization done	-	-	-	-
+1394747126.854788	2	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.4.149/32	-	-	0	0.000000	-	Debug-All
+1394747126.854788	2	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.4.149/32	-	-	0	0.000000	-	Debug-All
+1394747129.505358	3	NetControl::RULE	-	NetControl::FAILED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.4.149/32	-	discarded duplicate insertion	0	0.000000	-	-
+#close	2016-03-09-23-06-58
diff --git a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.find-rules/out b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.find-rules/out
new file mode 100644
index 0000000000..b29ce14d29
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.find-rules/out
@@ -0,0 +1,6 @@
+1
+[ty=NetControl::ADDRESS, conn=<uninitialized>, flow=<uninitialized>, ip=1.2.3.4/32, mac=<uninitialized>]
+0
+4
+[ty=NetControl::FLOW, conn=<uninitialized>, flow=[src_h=127.0.0.2/32, src_p=<uninitialized>, dst_h=8.8.8.8/32, dst_p=53/udp, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], NetControl::MODIFY
+[ty=NetControl::FLOW, conn=<uninitialized>, flow=[src_h=127.0.0.2/32, src_p=<uninitialized>, dst_h=<uninitialized>, dst_p=<uninitialized>, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], NetControl::DROP
diff --git a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.hook/netcontrol.log b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.hook/netcontrol.log
new file mode 100644
index 0000000000..2936694e2a
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.hook/netcontrol.log
@@ -0,0 +1,16 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	netcontrol
+#open	2016-03-09-23-15-50
+#fields	ts	rule_id	category	cmd	state	action	target	entity_type	entity	mod	msg	priority	expire	location	plugin
+#types	time	string	enum	string	enum	string	enum	string	string	string	string	int	interval	string	string
+0.000000	-	NetControl::MESSAGE	-	-	-	-	-	-	-	activating plugin with priority 0	-	-	-	Debug-All
+0.000000	-	NetControl::MESSAGE	-	-	-	-	-	-	-	activation finished	-	-	-	Debug-All
+0.000000	-	NetControl::MESSAGE	-	-	-	-	-	-	-	plugin initialization done	-	-	-	-
+1398529018.678276	2	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::MONITOR	NetControl::FLOW	0.0.0.0/0/56981->74.125.239.97/32/443	-	-	0	30.000000	-	Debug-All
+1398529018.678276	5	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::REDIRECT	NetControl::FORWARD	NetControl::FLOW	0.0.0.0/0/56981->74.125.239.97/32/443	-> 5	-	0	30.000000	-	Debug-All
+1398529018.678276	2	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::DROP	NetControl::MONITOR	NetControl::FLOW	0.0.0.0/0/56981->74.125.239.97/32/443	-	-	0	30.000000	-	Debug-All
+1398529018.678276	5	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::REDIRECT	NetControl::FORWARD	NetControl::FLOW	0.0.0.0/0/56981->74.125.239.97/32/443	-> 5	-	0	30.000000	-	Debug-All
+#close	2016-03-09-23-15-50
diff --git a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.multiple/netcontrol.log b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.multiple/netcontrol.log
new file mode 100644
index 0000000000..986c1cd5a2
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.multiple/netcontrol.log
@@ -0,0 +1,49 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	netcontrol
+#open	2016-03-09-23-40-32
+#fields	ts	rule_id	category	cmd	state	action	target	entity_type	entity	mod	msg	priority	expire	location	plugin
+#types	time	string	enum	string	enum	string	enum	string	string	string	string	int	interval	string	string
+0.000000	-	NetControl::MESSAGE	-	-	-	-	-	-	-	activating plugin with priority 10	-	-	-	Debug-All
+0.000000	-	NetControl::MESSAGE	-	-	-	-	-	-	-	activation finished	-	-	-	Debug-All
+0.000000	-	NetControl::MESSAGE	-	-	-	-	-	-	-	activating plugin with priority 10	-	-	-	Openflow-Log-42
+0.000000	-	NetControl::MESSAGE	-	-	-	-	-	-	-	activation finished	-	-	-	Openflow-Log-42
+0.000000	-	NetControl::MESSAGE	-	-	-	-	-	-	-	activating plugin with priority 0	-	-	-	Debug-All
+0.000000	-	NetControl::MESSAGE	-	-	-	-	-	-	-	activation finished	-	-	-	Debug-All
+0.000000	-	NetControl::MESSAGE	-	-	-	-	-	-	-	plugin initialization done	-	-	-	-
+0.000000	-	NetControl::MESSAGE	-	-	-	-	-	-	-	activation finished	-	-	-	Openflow-Log-42
+1398529018.678276	2	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::MONITOR	NetControl::FLOW	192.168.18.50/32/56981->74.125.239.97/32/443	-	-	0	0.000000	-	Debug-All
+1398529018.678276	2	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::MONITOR	NetControl::FLOW	192.168.18.50/32/56981->74.125.239.97/32/443	-	-	0	0.000000	-	Openflow-Log-42
+1398529018.678276	3	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	0.000000	-	Debug-All
+1398529018.678276	3	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	0.000000	-	Openflow-Log-42
+1398529018.678276	4	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::WHITELIST	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	5	0.000000	-	Debug-All
+1398529018.678276	4	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::WHITELIST	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	5	0.000000	-	Openflow-Log-42
+1398529018.678276	5	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::REDIRECT	NetControl::FORWARD	NetControl::FLOW	192.168.18.50/32/56981->74.125.239.97/32/443	-> 5	-	0	0.000000	-	Debug-All
+1398529018.678276	5	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::REDIRECT	NetControl::FORWARD	NetControl::FLOW	192.168.18.50/32/56981->74.125.239.97/32/443	-> 5	-	0	0.000000	-	Openflow-Log-42
+1398529018.678276	2	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::DROP	NetControl::MONITOR	NetControl::FLOW	192.168.18.50/32/56981->74.125.239.97/32/443	-	-	0	0.000000	-	Debug-All
+1398529018.678276	3	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	0.000000	-	Debug-All
+1398529018.678276	4	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::WHITELIST	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	5	0.000000	-	Debug-All
+1398529018.678276	5	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::REDIRECT	NetControl::FORWARD	NetControl::FLOW	192.168.18.50/32/56981->74.125.239.97/32/443	-> 5	-	0	0.000000	-	Debug-All
+1398529018.678276	2	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::DROP	NetControl::MONITOR	NetControl::FLOW	192.168.18.50/32/56981->74.125.239.97/32/443	-	-	0	0.000000	-	Openflow-Log-42
+1398529018.678276	3	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	0.000000	-	Openflow-Log-42
+1398529018.678276	4	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::WHITELIST	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	5	0.000000	-	Openflow-Log-42
+1398529018.678276	5	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::REDIRECT	NetControl::FORWARD	NetControl::FLOW	192.168.18.50/32/56981->74.125.239.97/32/443	-> 5	-	0	0.000000	-	Openflow-Log-42
+1398529020.091883	2	NetControl::RULE	REMOVE	NetControl::REQUESTED	NetControl::DROP	NetControl::MONITOR	NetControl::FLOW	192.168.18.50/32/56981->74.125.239.97/32/443	-	-	0	0.000000	-	Openflow-Log-42
+1398529020.091883	2	NetControl::RULE	REMOVE	NetControl::REQUESTED	NetControl::DROP	NetControl::MONITOR	NetControl::FLOW	192.168.18.50/32/56981->74.125.239.97/32/443	-	-	0	0.000000	-	Debug-All
+1398529020.091883	3	NetControl::RULE	REMOVE	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	0.000000	-	Openflow-Log-42
+1398529020.091883	3	NetControl::RULE	REMOVE	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	0.000000	-	Debug-All
+1398529020.091883	4	NetControl::RULE	REMOVE	NetControl::REQUESTED	NetControl::WHITELIST	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	5	0.000000	-	Openflow-Log-42
+1398529020.091883	4	NetControl::RULE	REMOVE	NetControl::REQUESTED	NetControl::WHITELIST	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	5	0.000000	-	Debug-All
+1398529020.091883	5	NetControl::RULE	REMOVE	NetControl::REQUESTED	NetControl::REDIRECT	NetControl::FORWARD	NetControl::FLOW	192.168.18.50/32/56981->74.125.239.97/32/443	-> 5	-	0	0.000000	-	Openflow-Log-42
+1398529020.091883	5	NetControl::RULE	REMOVE	NetControl::REQUESTED	NetControl::REDIRECT	NetControl::FORWARD	NetControl::FLOW	192.168.18.50/32/56981->74.125.239.97/32/443	-> 5	-	0	0.000000	-	Debug-All
+1398529020.091883	2	NetControl::RULE	REMOVE	NetControl::SUCCEEDED	NetControl::DROP	NetControl::MONITOR	NetControl::FLOW	192.168.18.50/32/56981->74.125.239.97/32/443	-	-	0	0.000000	-	Debug-All
+1398529020.091883	3	NetControl::RULE	REMOVE	NetControl::SUCCEEDED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	0.000000	-	Debug-All
+1398529020.091883	4	NetControl::RULE	REMOVE	NetControl::SUCCEEDED	NetControl::WHITELIST	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	5	0.000000	-	Debug-All
+1398529020.091883	5	NetControl::RULE	REMOVE	NetControl::SUCCEEDED	NetControl::REDIRECT	NetControl::FORWARD	NetControl::FLOW	192.168.18.50/32/56981->74.125.239.97/32/443	-> 5	-	0	0.000000	-	Debug-All
+1398529020.091883	2	NetControl::RULE	REMOVE	NetControl::SUCCEEDED	NetControl::DROP	NetControl::MONITOR	NetControl::FLOW	192.168.18.50/32/56981->74.125.239.97/32/443	-	-	0	0.000000	-	Openflow-Log-42
+1398529020.091883	3	NetControl::RULE	REMOVE	NetControl::SUCCEEDED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	0.000000	-	Openflow-Log-42
+1398529020.091883	4	NetControl::RULE	REMOVE	NetControl::SUCCEEDED	NetControl::WHITELIST	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	5	0.000000	-	Openflow-Log-42
+1398529020.091883	5	NetControl::RULE	REMOVE	NetControl::SUCCEEDED	NetControl::REDIRECT	NetControl::FORWARD	NetControl::FLOW	192.168.18.50/32/56981->74.125.239.97/32/443	-> 5	-	0	0.000000	-	Openflow-Log-42
+#close	2016-03-09-23-40-32
diff --git a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.multiple/openflow.log b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.multiple/openflow.log
new file mode 100644
index 0000000000..ead5d70ec7
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.multiple/openflow.log
@@ -0,0 +1,21 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	openflow
+#open	2016-03-09-23-40-54
+#fields	ts	dpid	match.in_port	match.dl_src	match.dl_dst	match.dl_vlan	match.dl_vlan_pcp	match.dl_type	match.nw_tos	match.nw_proto	match.nw_src	match.nw_dst	match.tp_src	match.tp_dst	flow_mod.cookie	flow_mod.table_id	flow_mod.command	flow_mod.idle_timeout	flow_mod.hard_timeout	flow_mod.priority	flow_mod.out_port	flow_mod.out_group	flow_mod.flags	flow_mod.actions.out_ports	flow_mod.actions.vlan_vid	flow_mod.actions.vlan_pcp	flow_mod.actions.vlan_strip	flow_mod.actions.dl_src	flow_mod.actions.dl_dst	flow_mod.actions.nw_tos	flow_mod.actions.nw_src	flow_mod.actions.nw_dst	flow_mod.actions.tp_src	flow_mod.actions.tp_dst
+#types	time	count	count	string	string	count	count	count	count	count	subnet	subnet	count	count	count	count	enum	count	count	count	count	count	count	vector[count]	count	count	bool	string	string	count	addr	addr	count	count
+1398529018.678276	42	-	-	-	-	-	2048	-	6	192.168.18.50/32	74.125.239.97/32	56981	443	4398046511108	-	OpenFlow::OFPFC_ADD	0	0	0	-	-	1	(empty)	-	-	F	-	-	-	-	-	-	-
+1398529018.678276	42	-	-	-	-	-	2048	-	-	192.168.18.50/32	-	-	-	4398046511110	-	OpenFlow::OFPFC_ADD	0	0	0	-	-	1	(empty)	-	-	F	-	-	-	-	-	-	-
+1398529018.678276	42	-	-	-	-	-	2048	-	-	-	192.168.18.50/32	-	-	4398046511111	-	OpenFlow::OFPFC_ADD	0	0	0	-	-	1	(empty)	-	-	F	-	-	-	-	-	-	-
+1398529018.678276	42	-	-	-	-	-	2048	-	-	192.168.18.50/32	-	-	-	4398046511112	-	OpenFlow::OFPFC_ADD	0	0	5	-	-	1	4294967290	-	-	F	-	-	-	-	-	-	-
+1398529018.678276	42	-	-	-	-	-	2048	-	-	-	192.168.18.50/32	-	-	4398046511113	-	OpenFlow::OFPFC_ADD	0	0	5	-	-	1	4294967290	-	-	F	-	-	-	-	-	-	-
+1398529018.678276	42	-	-	-	-	-	2048	-	6	192.168.18.50/32	74.125.239.97/32	56981	443	4398046511114	-	OpenFlow::OFPFC_ADD	0	0	0	-	-	1	5	-	-	F	-	-	-	-	-	-	-
+1398529020.091883	42	-	-	-	-	-	-	-	-	-	-	-	-	4398046511108	-	OpenFlow::OFPFC_DELETE	0	0	0	-	-	0	(empty)	-	-	F	-	-	-	-	-	-	-
+1398529020.091883	42	-	-	-	-	-	-	-	-	-	-	-	-	4398046511110	-	OpenFlow::OFPFC_DELETE	0	0	0	-	-	0	(empty)	-	-	F	-	-	-	-	-	-	-
+1398529020.091883	42	-	-	-	-	-	-	-	-	-	-	-	-	4398046511111	-	OpenFlow::OFPFC_DELETE	0	0	0	-	-	0	(empty)	-	-	F	-	-	-	-	-	-	-
+1398529020.091883	42	-	-	-	-	-	-	-	-	-	-	-	-	4398046511112	-	OpenFlow::OFPFC_DELETE	0	0	0	-	-	0	(empty)	-	-	F	-	-	-	-	-	-	-
+1398529020.091883	42	-	-	-	-	-	-	-	-	-	-	-	-	4398046511113	-	OpenFlow::OFPFC_DELETE	0	0	0	-	-	0	(empty)	-	-	F	-	-	-	-	-	-	-
+1398529020.091883	42	-	-	-	-	-	-	-	-	-	-	-	-	4398046511114	-	OpenFlow::OFPFC_DELETE	0	0	0	-	-	0	(empty)	-	-	F	-	-	-	-	-	-	-
+#close	2016-03-09-23-40-54
diff --git a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.openflow/netcontrol.log b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.openflow/netcontrol.log
new file mode 100644
index 0000000000..abab12a0c9
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.openflow/netcontrol.log
@@ -0,0 +1,25 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	netcontrol
+#open	2016-03-09-23-28-53
+#fields	ts	rule_id	category	cmd	state	action	target	entity_type	entity	mod	msg	priority	expire	location	plugin
+#types	time	string	enum	string	enum	string	enum	string	string	string	string	int	interval	string	string
+0.000000	-	NetControl::MESSAGE	-	-	-	-	-	-	-	activating plugin with priority 0	-	-	-	Openflow-Log-42
+0.000000	-	NetControl::MESSAGE	-	-	-	-	-	-	-	activation finished	-	-	-	Openflow-Log-42
+0.000000	-	NetControl::MESSAGE	-	-	-	-	-	-	-	plugin initialization done	-	-	-	-
+0.000000	-	NetControl::MESSAGE	-	-	-	-	-	-	-	activation finished	-	-	-	Openflow-Log-42
+1254722767.875996	2	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::MONITOR	NetControl::FLOW	10.10.1.4/32/1470->74.53.140.153/32/25	-	-	0	30.000000	-	Openflow-Log-42
+1254722767.875996	3	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	74.53.140.153/32	-	-	0	15.000000	-	Openflow-Log-42
+1254722767.875996	2	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::DROP	NetControl::MONITOR	NetControl::FLOW	10.10.1.4/32/1470->74.53.140.153/32/25	-	-	0	30.000000	-	Openflow-Log-42
+1254722767.875996	3	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	74.53.140.153/32	-	-	0	15.000000	-	Openflow-Log-42
+1437831787.861602	4	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::MONITOR	NetControl::FLOW	192.168.133.100/32/49648->192.168.133.102/32/25	-	-	0	30.000000	-	Openflow-Log-42
+1437831787.861602	5	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.133.102/32	-	-	0	15.000000	-	Openflow-Log-42
+1437831787.861602	4	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::DROP	NetControl::MONITOR	NetControl::FLOW	192.168.133.100/32/49648->192.168.133.102/32/25	-	-	0	30.000000	-	Openflow-Log-42
+1437831787.861602	5	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.133.102/32	-	-	0	15.000000	-	Openflow-Log-42
+1437831799.610433	6	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::MONITOR	NetControl::FLOW	192.168.133.100/32/49655->17.167.150.73/32/443	-	-	0	30.000000	-	Openflow-Log-42
+1437831799.610433	7	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	17.167.150.73/32	-	-	0	15.000000	-	Openflow-Log-42
+1437831799.610433	6	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::DROP	NetControl::MONITOR	NetControl::FLOW	192.168.133.100/32/49655->17.167.150.73/32/443	-	-	0	30.000000	-	Openflow-Log-42
+1437831799.610433	7	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	17.167.150.73/32	-	-	0	15.000000	-	Openflow-Log-42
+#close	2016-03-09-23-28-53
diff --git a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.openflow/openflow.log b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.openflow/openflow.log
new file mode 100644
index 0000000000..6cff86bdb2
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.openflow/openflow.log
@@ -0,0 +1,18 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	openflow
+#open	2016-03-09-23-28-53
+#fields	ts	dpid	match.in_port	match.dl_src	match.dl_dst	match.dl_vlan	match.dl_vlan_pcp	match.dl_type	match.nw_tos	match.nw_proto	match.nw_src	match.nw_dst	match.tp_src	match.tp_dst	flow_mod.cookie	flow_mod.table_id	flow_mod.command	flow_mod.idle_timeout	flow_mod.hard_timeout	flow_mod.priority	flow_mod.out_port	flow_mod.out_group	flow_mod.flags	flow_mod.actions.out_ports	flow_mod.actions.vlan_vid	flow_mod.actions.vlan_pcp	flow_mod.actions.vlan_strip	flow_mod.actions.dl_src	flow_mod.actions.dl_dst	flow_mod.actions.nw_tos	flow_mod.actions.nw_src	flow_mod.actions.nw_dst	flow_mod.actions.tp_src	flow_mod.actions.tp_dst
+#types	time	count	count	string	string	count	count	count	count	count	subnet	subnet	count	count	count	count	enum	count	count	count	count	count	count	vector[count]	count	count	bool	string	string	count	addr	addr	count	count
+1254722767.875996	42	-	-	-	-	-	2048	-	6	10.10.1.4/32	74.53.140.153/32	1470	25	4398046511108	-	OpenFlow::OFPFC_ADD	0	30	0	-	-	1	(empty)	-	-	F	-	-	-	-	-	-	-
+1254722767.875996	42	-	-	-	-	-	2048	-	-	74.53.140.153/32	-	-	-	4398046511110	-	OpenFlow::OFPFC_ADD	0	15	0	-	-	1	(empty)	-	-	F	-	-	-	-	-	-	-
+1254722767.875996	42	-	-	-	-	-	2048	-	-	-	74.53.140.153/32	-	-	4398046511111	-	OpenFlow::OFPFC_ADD	0	15	0	-	-	1	(empty)	-	-	F	-	-	-	-	-	-	-
+1437831787.861602	42	-	-	-	-	-	2048	-	6	192.168.133.100/32	192.168.133.102/32	49648	25	4398046511112	-	OpenFlow::OFPFC_ADD	0	30	0	-	-	1	(empty)	-	-	F	-	-	-	-	-	-	-
+1437831787.861602	42	-	-	-	-	-	2048	-	-	192.168.133.102/32	-	-	-	4398046511114	-	OpenFlow::OFPFC_ADD	0	15	0	-	-	1	(empty)	-	-	F	-	-	-	-	-	-	-
+1437831787.861602	42	-	-	-	-	-	2048	-	-	-	192.168.133.102/32	-	-	4398046511115	-	OpenFlow::OFPFC_ADD	0	15	0	-	-	1	(empty)	-	-	F	-	-	-	-	-	-	-
+1437831799.610433	42	-	-	-	-	-	2048	-	6	192.168.133.100/32	17.167.150.73/32	49655	443	4398046511116	-	OpenFlow::OFPFC_ADD	0	30	0	-	-	1	(empty)	-	-	F	-	-	-	-	-	-	-
+1437831799.610433	42	-	-	-	-	-	2048	-	-	17.167.150.73/32	-	-	-	4398046511118	-	OpenFlow::OFPFC_ADD	0	15	0	-	-	1	(empty)	-	-	F	-	-	-	-	-	-	-
+1437831799.610433	42	-	-	-	-	-	2048	-	-	-	17.167.150.73/32	-	-	4398046511119	-	OpenFlow::OFPFC_ADD	0	15	0	-	-	1	(empty)	-	-	F	-	-	-	-	-	-	-
+#close	2016-03-09-23-28-53
diff --git a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.packetfilter/conn.log b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.packetfilter/conn.log
new file mode 100644
index 0000000000..f4674275e9
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.packetfilter/conn.log
@@ -0,0 +1,14 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	conn
+#open	2016-02-12-03-18-52
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]
+1254722767.492060	CXWv6p3arKYeMETxOg	10.10.1.4	56166	10.10.1.1	53	udp	dns	0.034025	34	100	SF	-	-	0	Dd	1	62	1	128	(empty)
+1254722776.690444	CCvvfg3TEfuqmmG4bh	10.10.1.20	138	10.10.1.255	138	udp	-	-	-	-	S0	-	-	0	D	1	229	0	0	(empty)
+1254722767.529046	CjhGID4nQcgTWjvg4c	10.10.1.4	1470	74.53.140.153	25	tcp	-	0.346950	0	0	S1	-	-	0	Sh	1	48	1	48	(empty)
+1437831787.856895	CRJuHdVW0XPVINV8a	192.168.133.100	49648	192.168.133.102	25	tcp	-	0.004707	0	0	S1	-	-	0	Sh	1	64	1	60	(empty)
+1437831776.764391	CsRx2w45OKnoww6xl4	192.168.133.100	49285	66.196.121.26	5050	tcp	-	0.343008	41	0	OTH	-	-	0	Da	1	93	1	52	(empty)
+#close	2016-02-12-03-18-52
diff --git a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.quarantine-openflow/netcontrol.log b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.quarantine-openflow/netcontrol.log
new file mode 100644
index 0000000000..0da63fd6f5
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.quarantine-openflow/netcontrol.log
@@ -0,0 +1,21 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	netcontrol
+#open	2016-03-08-22-48-10
+#fields	ts	rule_id	category	cmd	state	action	target	entity_type	entity	mod	msg	priority	expire	location	plugin
+#types	time	string	enum	string	enum	string	enum	string	string	string	string	int	interval	string	string
+0.000000	-	NetControl::MESSAGE	-	-	-	-	-	-	-	activating plugin with priority 0	-	-	-	Openflow-Log-42
+0.000000	-	NetControl::MESSAGE	-	-	-	-	-	-	-	activation finished	-	-	-	Openflow-Log-42
+0.000000	-	NetControl::MESSAGE	-	-	-	-	-	-	-	plugin initialization done	-	-	-	-
+0.000000	-	NetControl::MESSAGE	-	-	-	-	-	-	-	activation finished	-	-	-	Openflow-Log-42
+1398529018.678276	2	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::FLOW	192.168.18.50/32/*->*/*	-	-	0	36000.000000	-	Openflow-Log-42
+1398529018.678276	3	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::MODIFY	NetControl::FORWARD	NetControl::FLOW	192.168.18.50/32/*->8.8.8.8/32/53	Src: _/_ (_) Dst: 192.169.18.1/_ (_)	-	5	36000.000000	-	Openflow-Log-42
+1398529018.678276	4	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::MODIFY	NetControl::FORWARD	NetControl::FLOW	8.8.8.8/32/53->192.168.18.50/32/*	Src: 8.8.8.8/_ (_) Dst: _/_ (_)	-	5	36000.000000	-	Openflow-Log-42
+1398529018.678276	5	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::WHITELIST	NetControl::FORWARD	NetControl::FLOW	192.168.18.50/32/*->192.169.18.1/32/80	-	-	5	36000.000000	-	Openflow-Log-42
+1398529018.678276	2	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::DROP	NetControl::FORWARD	NetControl::FLOW	192.168.18.50/32/*->*/*	-	-	0	36000.000000	-	Openflow-Log-42
+1398529018.678276	3	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::MODIFY	NetControl::FORWARD	NetControl::FLOW	192.168.18.50/32/*->8.8.8.8/32/53	Src: _/_ (_) Dst: 192.169.18.1/_ (_)	-	5	36000.000000	-	Openflow-Log-42
+1398529018.678276	4	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::MODIFY	NetControl::FORWARD	NetControl::FLOW	8.8.8.8/32/53->192.168.18.50/32/*	Src: 8.8.8.8/_ (_) Dst: _/_ (_)	-	5	36000.000000	-	Openflow-Log-42
+1398529018.678276	5	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::WHITELIST	NetControl::FORWARD	NetControl::FLOW	192.168.18.50/32/*->192.169.18.1/32/80	-	-	5	36000.000000	-	Openflow-Log-42
+#close	2016-03-08-22-48-10
diff --git a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.quarantine-openflow/openflow.log b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.quarantine-openflow/openflow.log
new file mode 100644
index 0000000000..64d6cabaf5
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.quarantine-openflow/openflow.log
@@ -0,0 +1,13 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	openflow
+#open	2016-02-12-03-28-52
+#fields	ts	dpid	match.in_port	match.dl_src	match.dl_dst	match.dl_vlan	match.dl_vlan_pcp	match.dl_type	match.nw_tos	match.nw_proto	match.nw_src	match.nw_dst	match.tp_src	match.tp_dst	flow_mod.cookie	flow_mod.table_id	flow_mod.command	flow_mod.idle_timeout	flow_mod.hard_timeout	flow_mod.priority	flow_mod.out_port	flow_mod.out_group	flow_mod.flags	flow_mod.actions.out_ports	flow_mod.actions.vlan_vid	flow_mod.actions.vlan_pcp	flow_mod.actions.vlan_strip	flow_mod.actions.dl_src	flow_mod.actions.dl_dst	flow_mod.actions.nw_tos	flow_mod.actions.nw_src	flow_mod.actions.nw_dst	flow_mod.actions.tp_src	flow_mod.actions.tp_dst
+#types	time	count	count	string	string	count	count	count	count	count	subnet	subnet	count	count	count	count	enum	count	count	count	count	count	count	vector[count]	count	count	bool	string	string	count	addr	addr	count	count
+1398529018.678276	42	-	-	-	-	-	2048	-	-	192.168.18.50/32	-	-	-	4398046511108	-	OpenFlow::OFPFC_ADD	0	36000	0	-	-	1	(empty)	-	-	F	-	-	-	-	-	-	-
+1398529018.678276	42	-	-	-	-	-	2048	-	17	192.168.18.50/32	8.8.8.8/32	-	53	4398046511110	-	OpenFlow::OFPFC_ADD	0	36000	5	-	-	1	4294967290	-	-	F	-	-	-	-	192.169.18.1	-	-
+1398529018.678276	42	-	-	-	-	-	2048	-	17	8.8.8.8/32	192.168.18.50/32	53	-	4398046511112	-	OpenFlow::OFPFC_ADD	0	36000	5	-	-	1	4294967290	-	-	F	-	-	-	8.8.8.8	-	-	-
+1398529018.678276	42	-	-	-	-	-	2048	-	6	192.168.18.50/32	192.169.18.1/32	-	80	4398046511114	-	OpenFlow::OFPFC_ADD	0	36000	5	-	-	1	4294967290	-	-	F	-	-	-	-	-	-	-
+#close	2016-02-12-03-28-52
diff --git a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.timeout/netcontrol.log b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.timeout/netcontrol.log
new file mode 100644
index 0000000000..957af822e2
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.timeout/netcontrol.log
@@ -0,0 +1,17 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	netcontrol
+#open	2016-03-09-23-06-49
+#fields	ts	rule_id	category	cmd	state	action	target	entity_type	entity	mod	msg	priority	expire	location	plugin
+#types	time	string	enum	string	enum	string	enum	string	string	string	string	int	interval	string	string
+0.000000	-	NetControl::MESSAGE	-	-	-	-	-	-	-	activating plugin with priority 0	-	-	-	Debug-All
+0.000000	-	NetControl::MESSAGE	-	-	-	-	-	-	-	activation finished	-	-	-	Debug-All
+0.000000	-	NetControl::MESSAGE	-	-	-	-	-	-	-	plugin initialization done	-	-	-	-
+1457564809.281931	2	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	1.000000	-	Debug-All
+1457564809.281931	2	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	1.000000	-	Debug-All
+1457564810.695538	2	NetControl::RULE	EXPIRE	NetControl::TIMEOUT	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	1.000000	-	Debug-All
+1457564810.695538	2	NetControl::RULE	REMOVE	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	1.000000	-	Debug-All
+1457564810.695538	2	NetControl::RULE	REMOVE	NetControl::SUCCEEDED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	1.000000	-	Debug-All
+#close	2016-03-09-23-06-51
diff --git a/testing/btest/Baseline/scripts.base.frameworks.openflow.broker-basic/recv.recv.out b/testing/btest/Baseline/scripts.base.frameworks.openflow.broker-basic/recv.recv.out
new file mode 100644
index 0000000000..b1c2ed5050
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.openflow.broker-basic/recv.recv.out
@@ -0,0 +1,5 @@
+Broker::incoming_connection_established
+flow_clear, 42
+got flow_mod, 42, [in_port=<uninitialized>, dl_src=<uninitialized>, dl_dst=<uninitialized>, dl_vlan=<uninitialized>, dl_vlan_pcp=<uninitialized>, dl_type=<uninitialized>, nw_tos=<uninitialized>, nw_proto=<uninitialized>, nw_src=<uninitialized>, nw_dst=<uninitialized>, tp_src=<uninitialized>, tp_dst=<uninitialized>], [cookie=4398046511105, table_id=<uninitialized>, command=OpenFlow::OFPFC_ADD, idle_timeout=0, hard_timeout=0, priority=0, out_port=<uninitialized>, out_group=<uninitialized>, flags=0, actions=[out_ports=[3, 7], vlan_vid=<uninitialized>, vlan_pcp=<uninitialized>, vlan_strip=F, dl_src=<uninitialized>, dl_dst=<uninitialized>, nw_tos=<uninitialized>, nw_src=<uninitialized>, nw_dst=<uninitialized>, tp_src=<uninitialized>, tp_dst=<uninitialized>]]
+got flow_mod, 42, [in_port=<uninitialized>, dl_src=<uninitialized>, dl_dst=<uninitialized>, dl_vlan=<uninitialized>, dl_vlan_pcp=<uninitialized>, dl_type=2048, nw_tos=<uninitialized>, nw_proto=6, nw_src=10.10.1.4/32, nw_dst=74.53.140.153/32, tp_src=1470, tp_dst=25], [cookie=4398046511146, table_id=<uninitialized>, command=OpenFlow::OFPFC_ADD, idle_timeout=30, hard_timeout=0, priority=5, out_port=<uninitialized>, out_group=<uninitialized>, flags=0, actions=[out_ports=[], vlan_vid=<uninitialized>, vlan_pcp=<uninitialized>, vlan_strip=F, dl_src=<uninitialized>, dl_dst=<uninitialized>, nw_tos=<uninitialized>, nw_src=<uninitialized>, nw_dst=<uninitialized>, tp_src=<uninitialized>, tp_dst=<uninitialized>]]
+got flow_mod, 42, [in_port=<uninitialized>, dl_src=<uninitialized>, dl_dst=<uninitialized>, dl_vlan=<uninitialized>, dl_vlan_pcp=<uninitialized>, dl_type=2048, nw_tos=<uninitialized>, nw_proto=6, nw_src=74.53.140.153/32, nw_dst=10.10.1.4/32, tp_src=25, tp_dst=1470], [cookie=4398046511146, table_id=<uninitialized>, command=OpenFlow::OFPFC_ADD, idle_timeout=30, hard_timeout=0, priority=5, out_port=<uninitialized>, out_group=<uninitialized>, flags=0, actions=[out_ports=[], vlan_vid=<uninitialized>, vlan_pcp=<uninitialized>, vlan_strip=F, dl_src=<uninitialized>, dl_dst=<uninitialized>, nw_tos=<uninitialized>, nw_src=<uninitialized>, nw_dst=<uninitialized>, tp_src=<uninitialized>, tp_dst=<uninitialized>]]
diff --git a/testing/btest/Baseline/scripts.base.frameworks.openflow.broker-basic/send.send.out b/testing/btest/Baseline/scripts.base.frameworks.openflow.broker-basic/send.send.out
new file mode 100644
index 0000000000..5f4fadfb81
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.openflow.broker-basic/send.send.out
@@ -0,0 +1,8 @@
+Broker::outgoing_connection_established, 127.0.0.1, 9999/tcp
+Flow_mod_success
+Flow_mod_failure
+connection established
+Flow_mod_success
+Flow_mod_failure
+Flow_mod_success
+Flow_mod_failure
diff --git a/testing/btest/Baseline/scripts.base.frameworks.openflow.log-basic/openflow.log b/testing/btest/Baseline/scripts.base.frameworks.openflow.log-basic/openflow.log
new file mode 100644
index 0000000000..eed7c20caf
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.openflow.log-basic/openflow.log
@@ -0,0 +1,16 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	openflow
+#open	2016-02-11-20-32-05
+#fields	ts	dpid	match.in_port	match.dl_src	match.dl_dst	match.dl_vlan	match.dl_vlan_pcp	match.dl_type	match.nw_tos	match.nw_proto	match.nw_src	match.nw_dst	match.tp_src	match.tp_dst	flow_mod.cookie	flow_mod.table_id	flow_mod.command	flow_mod.idle_timeout	flow_mod.hard_timeout	flow_mod.priority	flow_mod.out_port	flow_mod.out_group	flow_mod.flags	flow_mod.actions.out_ports	flow_mod.actions.vlan_vid	flow_mod.actions.vlan_pcp	flow_mod.actions.vlan_strip	flow_mod.actions.dl_src	flow_mod.actions.dl_dst	flow_mod.actions.nw_tos	flow_mod.actions.nw_src	flow_mod.actions.nw_dst	flow_mod.actions.tp_src	flow_mod.actions.tp_dst
+#types	time	count	count	string	string	count	count	count	count	count	subnet	subnet	count	count	count	count	enum	count	count	count	count	count	count	vector[count]	count	count	bool	string	string	count	addr	addr	count	count
+0.000000	42	-	-	-	-	-	-	-	-	-	-	-	-	4398046511105	-	OpenFlow::OFPFC_ADD	0	0	0	-	-	0	3,7	-	-	F	-	-	-	-	-	-	-
+1254722767.875996	42	-	-	-	-	-	2048	-	6	10.10.1.4/32	74.53.140.153/32	1470	25	4398046511147	-	OpenFlow::OFPFC_ADD	30	0	5	-	-	0	(empty)	-	-	F	-	-	-	-	-	-	-
+1254722767.875996	42	-	-	-	-	-	2048	-	6	74.53.140.153/32	10.10.1.4/32	25	1470	4398046511147	-	OpenFlow::OFPFC_ADD	30	0	5	-	-	0	(empty)	-	-	F	-	-	-	-	-	-	-
+1437831787.861602	42	-	-	-	-	-	2048	-	6	192.168.133.100/32	192.168.133.102/32	49648	25	4398046511148	-	OpenFlow::OFPFC_ADD	30	0	5	-	-	0	(empty)	-	-	F	-	-	-	-	-	-	-
+1437831787.861602	42	-	-	-	-	-	2048	-	6	192.168.133.102/32	192.168.133.100/32	25	49648	4398046511148	-	OpenFlow::OFPFC_ADD	30	0	5	-	-	0	(empty)	-	-	F	-	-	-	-	-	-	-
+1437831799.610433	42	-	-	-	-	-	2048	-	6	192.168.133.100/32	17.167.150.73/32	49655	443	4398046511149	-	OpenFlow::OFPFC_ADD	30	0	5	-	-	0	(empty)	-	-	F	-	-	-	-	-	-	-
+1437831799.610433	42	-	-	-	-	-	2048	-	6	17.167.150.73/32	192.168.133.100/32	443	49655	4398046511149	-	OpenFlow::OFPFC_ADD	30	0	5	-	-	0	(empty)	-	-	F	-	-	-	-	-	-	-
+#close	2016-02-11-20-32-05
diff --git a/testing/btest/Baseline/scripts.base.frameworks.openflow.log-cluster/manager-1.openflow.log b/testing/btest/Baseline/scripts.base.frameworks.openflow.log-cluster/manager-1.openflow.log
new file mode 100644
index 0000000000..a6b8e30871
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.openflow.log-cluster/manager-1.openflow.log
@@ -0,0 +1,11 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	openflow
+#open	2016-02-11-21-06-45
+#fields	ts	dpid	match.in_port	match.dl_src	match.dl_dst	match.dl_vlan	match.dl_vlan_pcp	match.dl_type	match.nw_tos	match.nw_proto	match.nw_src	match.nw_dst	match.tp_src	match.tp_dst	flow_mod.cookie	flow_mod.table_id	flow_mod.command	flow_mod.idle_timeout	flow_mod.hard_timeout	flow_mod.priority	flow_mod.out_port	flow_mod.out_group	flow_mod.flags	flow_mod.actions.out_ports	flow_mod.actions.vlan_vid	flow_mod.actions.vlan_pcp	flow_mod.actions.vlan_strip	flow_mod.actions.dl_src	flow_mod.actions.dl_dst	flow_mod.actions.nw_tos	flow_mod.actions.nw_src	flow_mod.actions.nw_dst	flow_mod.actions.tp_src	flow_mod.actions.tp_dst
+#types	time	count	count	string	string	count	count	count	count	count	subnet	subnet	count	count	count	count	enum	count	count	count	count	count	count	vector[count]	count	count	bool	string	string	count	addr	addr	count	count
+1455224805.349129	42	-	-	-	-	-	2048	-	6	10.10.1.4/32	74.53.140.153/32	1470	25	4398046511146	-	OpenFlow::OFPFC_ADD	30	0	5	-	-	0	(empty)	-	-	F	-	-	-	-	-	-	-
+1455224805.349129	42	-	-	-	-	-	2048	-	6	74.53.140.153/32	10.10.1.4/32	25	1470	4398046511146	-	OpenFlow::OFPFC_ADD	30	0	5	-	-	0	(empty)	-	-	F	-	-	-	-	-	-	-
+#close	2016-02-11-21-06-46
diff --git a/testing/btest/Baseline/scripts.base.frameworks.openflow.ryu-basic/.stdout b/testing/btest/Baseline/scripts.base.frameworks.openflow.ryu-basic/.stdout
new file mode 100644
index 0000000000..f31aec1a92
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.openflow.ryu-basic/.stdout
@@ -0,0 +1,22 @@
+http://127.0.0.1:8080/stats/flowentry/clear/42
+http://127.0.0.1:8080/stats/flowentry/add
+{"match": {}, "dpid": 42, "flags": 0, "hard_timeout": 0, "priority": 0, "actions": [{"port": 3, "type": "OUTPUT"}, {"port": 7, "type": "OUTPUT"}], "cookie": 4398046511105, "idle_timeout": 0}
+Flow_mod_success
+http://127.0.0.1:8080/stats/flowentry/add
+{"match": {"tp_dst": 25, "nw_dst": "74.53.140.153/32", "nw_src": "10.10.1.4/32", "dl_type": 2048, "tp_src": 1470, "nw_proto": 6}, "dpid": 42, "flags": 0, "hard_timeout": 0, "priority": 5, "actions": [], "cookie": 4398046511146, "idle_timeout": 30}
+http://127.0.0.1:8080/stats/flowentry/add
+{"match": {"tp_dst": 1470, "nw_dst": "10.10.1.4/32", "nw_src": "74.53.140.153/32", "dl_type": 2048, "tp_src": 25, "nw_proto": 6}, "dpid": 42, "flags": 0, "hard_timeout": 0, "priority": 5, "actions": [], "cookie": 4398046511146, "idle_timeout": 30}
+Flow_mod_success
+Flow_mod_success
+http://127.0.0.1:8080/stats/flowentry/add
+{"match": {"tp_dst": 25, "nw_dst": "192.168.133.102/32", "nw_src": "192.168.133.100/32", "dl_type": 2048, "tp_src": 49648, "nw_proto": 6}, "dpid": 42, "flags": 0, "hard_timeout": 0, "priority": 5, "actions": [], "cookie": 4398046511146, "idle_timeout": 30}
+http://127.0.0.1:8080/stats/flowentry/add
+{"match": {"tp_dst": 49648, "nw_dst": "192.168.133.100/32", "nw_src": "192.168.133.102/32", "dl_type": 2048, "tp_src": 25, "nw_proto": 6}, "dpid": 42, "flags": 0, "hard_timeout": 0, "priority": 5, "actions": [], "cookie": 4398046511146, "idle_timeout": 30}
+Flow_mod_success
+Flow_mod_success
+http://127.0.0.1:8080/stats/flowentry/add
+{"match": {"tp_dst": 443, "nw_dst": "17.167.150.73/32", "nw_src": "192.168.133.100/32", "dl_type": 2048, "tp_src": 49655, "nw_proto": 6}, "dpid": 42, "flags": 0, "hard_timeout": 0, "priority": 5, "actions": [], "cookie": 4398046511146, "idle_timeout": 30}
+http://127.0.0.1:8080/stats/flowentry/add
+{"match": {"tp_dst": 49655, "nw_dst": "192.168.133.100/32", "nw_src": "17.167.150.73/32", "dl_type": 2048, "tp_src": 443, "nw_proto": 6}, "dpid": 42, "flags": 0, "hard_timeout": 0, "priority": 5, "actions": [], "cookie": 4398046511146, "idle_timeout": 30}
+Flow_mod_success
+Flow_mod_success
diff --git a/testing/btest/Baseline/scripts.base.protocols.arp.basic/.stdout b/testing/btest/Baseline/scripts.base.protocols.arp.basic/.stdout
new file mode 100644
index 0000000000..d45f9ba0d7
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.arp.basic/.stdout
@@ -0,0 +1,2 @@
+78:31:c1:c6:3f:c2, ff:ff:ff:ff:ff:ff, 10.0.0.2, 78:31:c1:c6:3f:c2, 10.0.0.1, 00:00:00:00:00:00
+f8:ed:a5:c0:a4:f1, 78:31:c1:c6:3f:c2, 10.0.0.1, f8:ed:a5:c0:a4:f1, 10.0.0.2, 78:31:c1:c6:3f:c2
diff --git a/testing/btest/Baseline/scripts.base.protocols.conn.new_connection_contents/.stdout b/testing/btest/Baseline/scripts.base.protocols.conn.new_connection_contents/.stdout
new file mode 100644
index 0000000000..1581730b33
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.conn.new_connection_contents/.stdout
@@ -0,0 +1,2 @@
+new_connection_contents for [orig_h=192.168.1.77, orig_p=57640/tcp, resp_h=66.198.80.67, resp_p=6667/tcp]
+new_connection_contents for [orig_h=192.168.1.77, orig_p=57655/tcp, resp_h=209.197.168.151, resp_p=1024/tcp]
diff --git a/testing/btest/Baseline/scripts.base.protocols.dns.caa/.stdout b/testing/btest/Baseline/scripts.base.protocols.dns.caa/.stdout
new file mode 100644
index 0000000000..4ba72f24b4
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.dns.caa/.stdout
@@ -0,0 +1 @@
+0, issue, symantec.com
diff --git a/testing/btest/Baseline/scripts.base.protocols.dns.dns-key/dns.log b/testing/btest/Baseline/scripts.base.protocols.dns.dns-key/dns.log
index 76e83452e5..07b8a1a8dd 100644
--- a/testing/btest/Baseline/scripts.base.protocols.dns.dns-key/dns.log
+++ b/testing/btest/Baseline/scripts.base.protocols.dns.dns-key/dns.log
@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	dns
-#open	2014-01-28-14-55-04
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	trans_id	query	qclass	qclass_name	qtype	qtype_name	rcode	rcode_name	AA	TC	RD	RA	Z	answers	TTLs	rejected
-#types	time	string	addr	port	addr	port	enum	count	string	count	string	count	string	count	string	bool	bool	bool	bool	count	vector[string]	vector[interval]	bool
-1359565680.761790	CXWv6p3arKYeMETxOg	192.168.6.10	53209	192.168.129.36	53	udp	41477	paypal.com	1	C_INTERNET	48	DNSKEY	0	NOERROR	F	F	T	T	1	<unknown type=48>,<unknown type=48>,<unknown type=46>,<unknown type=46>	455.000000,455.000000,455.000000,455.000000	F
-#close	2014-01-28-14-55-04
+#open	2016-06-15-04-14-27
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	trans_id	rtt	query	qclass	qclass_name	qtype	qtype_name	rcode	rcode_name	AA	TC	RD	RA	Z	answers	TTLs	rejected
+#types	time	string	addr	port	addr	port	enum	count	interval	string	count	string	count	string	count	string	bool	bool	bool	bool	count	vector[string]	vector[interval]	bool
+1359565680.761790	CXWv6p3arKYeMETxOg	192.168.6.10	53209	192.168.129.36	53	udp	41477	0.075138	paypal.com	1	C_INTERNET	48	DNSKEY	0	NOERROR	F	F	T	T	1	<unknown type=48>,<unknown type=48>,<unknown type=46>,<unknown type=46>	455.000000,455.000000,455.000000,455.000000	F
+#close	2016-06-15-04-14-27
diff --git a/testing/btest/Baseline/scripts.base.protocols.dns.duplicate-reponses/dns.log b/testing/btest/Baseline/scripts.base.protocols.dns.duplicate-reponses/dns.log
index 7e09f39404..050fade88a 100644
--- a/testing/btest/Baseline/scripts.base.protocols.dns.duplicate-reponses/dns.log
+++ b/testing/btest/Baseline/scripts.base.protocols.dns.duplicate-reponses/dns.log
@@ -3,9 +3,9 @@
 #empty_field	(empty)
 #unset_field	-
 #path	dns
-#open	2015-03-19-15-44-23
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	trans_id	query	qclass	qclass_name	qtype	qtype_name	rcode	rcode_name	AA	TC	RD	RA	Z	answers	TTLs	rejected
-#types	time	string	addr	port	addr	port	enum	count	string	count	string	count	string	count	string	bool	bool	bool	bool	count	vector[string]	vector[interval]	bool
-1363716396.798072	CXWv6p3arKYeMETxOg	55.247.223.174	27285	222.195.43.124	53	udp	21140	www.cmu.edu	1	C_INTERNET	1	A	0	NOERROR	T	F	F	F	1	www-cmu.andrew.cmu.edu,<unknown type=46>,www-cmu-2.andrew.cmu.edu,128.2.10.163	86400.000000,86400.000000,5.000000,21600.000000	F
-1363716396.798374	CXWv6p3arKYeMETxOg	55.247.223.174	27285	222.195.43.124	53	udp	21140	www.cmu.edu	-	-	-	-	0	NOERROR	T	F	F	F	0	www-cmu.andrew.cmu.edu,<unknown type=46>,www-cmu-2.andrew.cmu.edu,128.2.10.163	86400.000000,86400.000000,5.000000,21600.000000	F
-#close	2015-03-19-15-44-23
+#open	2016-06-15-04-15-06
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	trans_id	rtt	query	qclass	qclass_name	qtype	qtype_name	rcode	rcode_name	AA	TC	RD	RA	Z	answers	TTLs	rejected
+#types	time	string	addr	port	addr	port	enum	count	interval	string	count	string	count	string	count	string	bool	bool	bool	bool	count	vector[string]	vector[interval]	bool
+1363716396.798072	CXWv6p3arKYeMETxOg	55.247.223.174	27285	222.195.43.124	53	udp	21140	0.000214	www.cmu.edu	1	C_INTERNET	1	A	0	NOERROR	T	F	F	F	1	www-cmu.andrew.cmu.edu,<unknown type=46>,www-cmu-2.andrew.cmu.edu,128.2.10.163	86400.000000,86400.000000,5.000000,21600.000000	F
+1363716396.798374	CXWv6p3arKYeMETxOg	55.247.223.174	27285	222.195.43.124	53	udp	21140	-	www.cmu.edu	-	-	-	-	0	NOERROR	T	F	F	F	0	www-cmu.andrew.cmu.edu,<unknown type=46>,www-cmu-2.andrew.cmu.edu,128.2.10.163	86400.000000,86400.000000,5.000000,21600.000000	F
+#close	2016-06-15-04-15-06
diff --git a/testing/btest/Baseline/scripts.base.protocols.dns.flip/dns.log b/testing/btest/Baseline/scripts.base.protocols.dns.flip/dns.log
index 3a86abc5d6..3c8dbf8c32 100644
--- a/testing/btest/Baseline/scripts.base.protocols.dns.flip/dns.log
+++ b/testing/btest/Baseline/scripts.base.protocols.dns.flip/dns.log
@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	dns
-#open	2015-03-19-16-50-45
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	trans_id	query	qclass	qclass_name	qtype	qtype_name	rcode	rcode_name	AA	TC	RD	RA	Z	answers	TTLs	rejected
-#types	time	string	addr	port	addr	port	enum	count	string	count	string	count	string	count	string	bool	bool	bool	bool	count	vector[string]	vector[interval]	bool
-964953086.310131	CXWv6p3arKYeMETxOg	10.20.1.31	53	207.158.192.40	53	udp	25701	us.v27.distributed.net	-	-	-	-	0	NOERROR	T	F	F	T	0	206.109.64.186,216.1.205.81,205.149.163.211,134.53.131.135,134.53.131.192,128.104.18.148,204.152.186.139,63.77.33.226	900.000000,900.000000,900.000000,900.000000,900.000000,900.000000,900.000000,900.000000	F
-#close	2015-03-19-16-50-45
+#open	2016-06-15-04-14-38
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	trans_id	rtt	query	qclass	qclass_name	qtype	qtype_name	rcode	rcode_name	AA	TC	RD	RA	Z	answers	TTLs	rejected
+#types	time	string	addr	port	addr	port	enum	count	interval	string	count	string	count	string	count	string	bool	bool	bool	bool	count	vector[string]	vector[interval]	bool
+964953086.310131	CXWv6p3arKYeMETxOg	10.20.1.31	53	207.158.192.40	53	udp	25701	-	us.v27.distributed.net	-	-	-	-	0	NOERROR	T	F	F	T	0	206.109.64.186,216.1.205.81,205.149.163.211,134.53.131.135,134.53.131.192,128.104.18.148,204.152.186.139,63.77.33.226	900.000000,900.000000,900.000000,900.000000,900.000000,900.000000,900.000000,900.000000	F
+#close	2016-06-15-04-14-38
diff --git a/testing/btest/Baseline/scripts.base.protocols.dns.huge-ttl/.stdout b/testing/btest/Baseline/scripts.base.protocols.dns.huge-ttl/.stdout
new file mode 100644
index 0000000000..99f7325c23
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.dns.huge-ttl/.stdout
@@ -0,0 +1,8 @@
+[answer_type=1, query=us.v27.distributed.net, qtype=1, qclass=1, TTL=49710.0 days 6.0 hrs 28.0 mins 15.0 secs]
+[answer_type=1, query=us.v27.distributed.net, qtype=1, qclass=1, TTL=15.0 mins]
+[answer_type=1, query=us.v27.distributed.net, qtype=1, qclass=1, TTL=15.0 mins]
+[answer_type=1, query=us.v27.distributed.net, qtype=1, qclass=1, TTL=15.0 mins]
+[answer_type=1, query=us.v27.distributed.net, qtype=1, qclass=1, TTL=15.0 mins]
+[answer_type=1, query=us.v27.distributed.net, qtype=1, qclass=1, TTL=15.0 mins]
+[answer_type=1, query=us.v27.distributed.net, qtype=1, qclass=1, TTL=15.0 mins]
+[answer_type=1, query=us.v27.distributed.net, qtype=1, qclass=1, TTL=15.0 mins]
diff --git a/testing/btest/Baseline/scripts.base.protocols.dns.multiple-txt-strings/dns.log b/testing/btest/Baseline/scripts.base.protocols.dns.multiple-txt-strings/dns.log
index eb95e1dcc8..9042f1bb18 100644
--- a/testing/btest/Baseline/scripts.base.protocols.dns.multiple-txt-strings/dns.log
+++ b/testing/btest/Baseline/scripts.base.protocols.dns.multiple-txt-strings/dns.log
@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	dns
-#open	2015-03-19-15-44-24
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	trans_id	query	qclass	qclass_name	qtype	qtype_name	rcode	rcode_name	AA	TC	RD	RA	Z	answers	TTLs	rejected
-#types	time	string	addr	port	addr	port	enum	count	string	count	string	count	string	count	string	bool	bool	bool	bool	count	vector[string]	vector[interval]	bool
-1398382067.286885	CXWv6p3arKYeMETxOg	192.150.187.50	51946	68.142.255.16	53	udp	28079	flkr._domainkey.flickr.com	-	-	-	-	0	NOERROR	T	F	F	F	0	fa14._domainkey.flickr.com,fa14._domainkey.yahoo.com,TXT 127 k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDPdPfyJM2R2GqMyZM1flTzFeDIU+e7KmiKRw5yz3Xht+cgEIiHmm5lIGBuWCc5rtiy0CcxePpqccPKjn TXT 98 HSrDI23PU+HOuqJ6ergE1IOsL6LOEgG6YT53vMb8Z6UiBSsYPlrDEC+8CUIkTLMLXJauRK5bNRKV1ATGzGFpf3TjZtWwIDAQAB	900.000000,900.000000,7200.000000	F
-#close	2015-03-19-15-44-24
+#open	2016-06-15-04-15-27
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	trans_id	rtt	query	qclass	qclass_name	qtype	qtype_name	rcode	rcode_name	AA	TC	RD	RA	Z	answers	TTLs	rejected
+#types	time	string	addr	port	addr	port	enum	count	interval	string	count	string	count	string	count	string	bool	bool	bool	bool	count	vector[string]	vector[interval]	bool
+1398382067.286885	CXWv6p3arKYeMETxOg	192.150.187.50	51946	68.142.255.16	53	udp	28079	-	flkr._domainkey.flickr.com	-	-	-	-	0	NOERROR	T	F	F	F	0	fa14._domainkey.flickr.com,fa14._domainkey.yahoo.com,TXT 127 k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDPdPfyJM2R2GqMyZM1flTzFeDIU+e7KmiKRw5yz3Xht+cgEIiHmm5lIGBuWCc5rtiy0CcxePpqccPKjn TXT 98 HSrDI23PU+HOuqJ6ergE1IOsL6LOEgG6YT53vMb8Z6UiBSsYPlrDEC+8CUIkTLMLXJauRK5bNRKV1ATGzGFpf3TjZtWwIDAQAB	900.000000,900.000000,7200.000000	F
+#close	2016-06-15-04-15-27
diff --git a/testing/btest/Baseline/scripts.base.protocols.dns.zero-responses/dns.log b/testing/btest/Baseline/scripts.base.protocols.dns.zero-responses/dns.log
index 32f9cc872f..4c21623cf6 100644
--- a/testing/btest/Baseline/scripts.base.protocols.dns.zero-responses/dns.log
+++ b/testing/btest/Baseline/scripts.base.protocols.dns.zero-responses/dns.log
@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	dns
-#open	2013-08-26-19-04-09
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	trans_id	query	qclass	qclass_name	qtype	qtype_name	rcode	rcode_name	AA	TC	RD	RA	Z	answers	TTLs	rejected
-#types	time	string	addr	port	addr	port	enum	count	string	count	string	count	string	count	string	bool	bool	bool	bool	count	vector[string]	vector[interval]	bool
-1349445121.080922	CXWv6p3arKYeMETxOg	10.0.0.64	49204	146.186.163.66	53	udp	17323	psu.edu	1	C_INTERNET	28	AAAA	0	NOERROR	F	F	T	F	0	-	-	F
-#close	2013-08-26-19-04-09
+#open	2016-06-15-04-15-39
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	trans_id	rtt	query	qclass	qclass_name	qtype	qtype_name	rcode	rcode_name	AA	TC	RD	RA	Z	answers	TTLs	rejected
+#types	time	string	addr	port	addr	port	enum	count	interval	string	count	string	count	string	count	string	bool	bool	bool	bool	count	vector[string]	vector[interval]	bool
+1349445121.080922	CXWv6p3arKYeMETxOg	10.0.0.64	49204	146.186.163.66	53	udp	17323	-	psu.edu	1	C_INTERNET	28	AAAA	0	NOERROR	F	F	T	F	0	-	-	F
+#close	2016-06-15-04-15-39
diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.cwd-navigation/conn.log b/testing/btest/Baseline/scripts.base.protocols.ftp.cwd-navigation/conn.log
new file mode 100644
index 0000000000..44502a8f62
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ftp.cwd-navigation/conn.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	conn
+#open	2016-05-28-16-43-09
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]
+1464385864.999633	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	tcp	ftp	600.931043	41420	159830	S1	-	-	233	ShAdDa	4139	206914	4178	326799	(empty)
+#close	2016-05-28-16-43-09
diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.cwd-navigation/ftp.log b/testing/btest/Baseline/scripts.base.protocols.ftp.cwd-navigation/ftp.log
new file mode 100644
index 0000000000..d596a45fee
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ftp.cwd-navigation/ftp.log
@@ -0,0 +1,1384 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	ftp
+#open	2016-05-28-16-43-08
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	user	password	command	arg	mime_type	file_size	reply_code	reply_msg	data_channel.passive	data_channel.orig_h	data_channel.resp_h	data_channel.resp_p	fuid
+#types	time	string	addr	port	addr	port	string	string	string	string	string	count	count	string	bool	addr	addr	port	string
+1464385865.669674	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,243,251).	T	10.3.22.91	205.167.25.101	62459	-
+1464385865.846767	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2015/720962-99999-2015.gz	-	39695	226	Transfer complete	-	-	-	-	-
+1464385866.495670	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,236,73).	T	10.3.22.91	205.167.25.101	60489	-
+1464385866.672718	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2016/720962-99999-2016.gz	-	29306	226	Transfer complete	-	-	-	-	-
+1464385867.219389	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,245,90).	T	10.3.22.91	205.167.25.101	62810	-
+1464385867.396830	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2011/720963-99999-2011.gz	-	2847	226	Transfer complete	-	-	-	-	-
+1464385867.858678	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,242,218).	T	10.3.22.91	205.167.25.101	62170	-
+1464385868.035974	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2012/720963-99999-2012.gz	-	67495	226	Transfer complete	-	-	-	-	-
+1464385868.856438	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,241,105).	T	10.3.22.91	205.167.25.101	61801	-
+1464385869.033277	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2013/720963-99999-2013.gz	-	46933	226	Transfer complete	-	-	-	-	-
+1464385869.756406	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,244,62).	T	10.3.22.91	205.167.25.101	62526	-
+1464385869.933829	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2014/720963-99999-2014.gz	-	70613	226	Transfer complete	-	-	-	-	-
+1464385870.746762	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,241,0).	T	10.3.22.91	205.167.25.101	61696	-
+1464385870.923760	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2015/720963-99999-2015.gz	-	95986	226	Transfer complete	-	-	-	-	-
+1464385871.921551	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,241,57).	T	10.3.22.91	205.167.25.101	61753	-
+1464385872.098457	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2016/720963-99999-2016.gz	-	36912	226	Transfer complete	-	-	-	-	-
+1464385872.733217	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,244,20).	T	10.3.22.91	205.167.25.101	62484	-
+1464385872.909883	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2015/720964-00338-2015.gz	-	1717	226	Transfer complete	-	-	-	-	-
+1464385873.370806	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,250,204).	T	10.3.22.91	205.167.25.101	64204	-
+1464385873.547957	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2012/720964-99999-2012.gz	-	55508	226	Transfer complete	-	-	-	-	-
+1464385874.274902	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,252,180).	T	10.3.22.91	205.167.25.101	64692	-
+1464385874.451919	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2013/720964-99999-2013.gz	-	70316	226	Transfer complete	-	-	-	-	-
+1464385875.323814	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,240,64).	T	10.3.22.91	205.167.25.101	61504	-
+1464385875.523947	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2014/720964-99999-2014.gz	-	64672	226	Transfer complete	-	-	-	-	-
+1464385876.358690	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,244,177).	T	10.3.22.91	205.167.25.101	62641	-
+1464385876.535680	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2015/720964-99999-2015.gz	-	82848	226	Transfer complete	-	-	-	-	-
+1464385877.436709	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,248,201).	T	10.3.22.91	205.167.25.101	63689	-
+1464385877.613495	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2016/720964-99999-2016.gz	-	31184	226	Transfer complete	-	-	-	-	-
+1464385878.248965	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,235,200).	T	10.3.22.91	205.167.25.101	60360	-
+1464385878.426039	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2011/720965-99999-2011.gz	-	654	226	Transfer complete	-	-	-	-	-
+1464385878.890397	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,254,156).	T	10.3.22.91	205.167.25.101	65180	-
+1464385879.067644	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2012/720965-99999-2012.gz	-	81136	226	Transfer complete	-	-	-	-	-
+1464385879.982585	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,251,237).	T	10.3.22.91	205.167.25.101	64493	-
+1464385880.159732	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2015/720965-99999-2015.gz	-	2248	226	Transfer complete	-	-	-	-	-
+1464385880.618255	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,240,126).	T	10.3.22.91	205.167.25.101	61566	-
+1464385880.795669	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2013/720966-00339-2013.gz	-	44010	226	Transfer complete	-	-	-	-	-
+1464385881.435541	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,243,239).	T	10.3.22.91	205.167.25.101	62447	-
+1464385881.613061	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2014/720966-00339-2014.gz	-	48537	226	Transfer complete	-	-	-	-	-
+1464385882.335957	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,255,121).	T	10.3.22.91	205.167.25.101	65401	-
+1464385882.513505	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2015/720966-00339-2015.gz	-	56163	226	Transfer complete	-	-	-	-	-
+1464385883.241578	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,252,240).	T	10.3.22.91	205.167.25.101	64752	-
+1464385883.419590	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2016/720966-00339-2016.gz	-	23859	226	Transfer complete	-	-	-	-	-
+1464385883.963266	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,240,198).	T	10.3.22.91	205.167.25.101	61638	-
+1464385884.140176	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2011/720966-99999-2011.gz	-	7020	226	Transfer complete	-	-	-	-	-
+1464385884.660821	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,252,132).	T	10.3.22.91	205.167.25.101	64644	-
+1464385884.851760	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2012/720966-99999-2012.gz	-	55204	226	Transfer complete	-	-	-	-	-
+1464385885.651368	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,254,59).	T	10.3.22.91	205.167.25.101	65083	-
+1464385885.829197	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2015/720967-00457-2015.gz	-	8384	226	Transfer complete	-	-	-	-	-
+1464385886.292540	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,241,30).	T	10.3.22.91	205.167.25.101	61726	-
+1464385886.469860	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2016/720967-00457-2016.gz	-	5732	226	Transfer complete	-	-	-	-	-
+1464385886.937989	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,244,59).	T	10.3.22.91	205.167.25.101	62523	-
+1464385887.115352	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2011/720967-99999-2011.gz	-	1914	226	Transfer complete	-	-	-	-	-
+1464385887.588181	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,252,126).	T	10.3.22.91	205.167.25.101	64638	-
+1464385887.764881	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2012/720967-99999-2012.gz	-	59436	226	Transfer complete	-	-	-	-	-
+1464385888.493844	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,251,158).	T	10.3.22.91	205.167.25.101	64414	-
+1464385888.671237	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2013/720967-99999-2013.gz	-	68595	226	Transfer complete	-	-	-	-	-
+1464385889.502063	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,255,28).	T	10.3.22.91	205.167.25.101	65308	-
+1464385889.679443	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2014/720967-99999-2014.gz	-	75577	226	Transfer complete	-	-	-	-	-
+1464385890.578483	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,239,85).	T	10.3.22.91	205.167.25.101	61269	-
+1464385890.756096	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2015/720967-99999-2015.gz	-	63514	226	Transfer complete	-	-	-	-	-
+1464385891.567890	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,235,185).	T	10.3.22.91	205.167.25.101	60345	-
+1464385891.744873	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2016/720967-99999-2016.gz	-	25874	226	Transfer complete	-	-	-	-	-
+1464385892.607316	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,243,24).	T	10.3.22.91	205.167.25.101	62232	-
+1464385892.784192	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2011/720968-99999-2011.gz	-	2723	226	Transfer complete	-	-	-	-	-
+1464385893.251032	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,241,62).	T	10.3.22.91	205.167.25.101	61758	-
+1464385893.428770	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2012/720968-99999-2012.gz	-	56184	226	Transfer complete	-	-	-	-	-
+1464385894.150601	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,246,179).	T	10.3.22.91	205.167.25.101	63155	-
+1464385894.328587	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2013/720968-99999-2013.gz	-	66668	226	Transfer complete	-	-	-	-	-
+1464385895.184230	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,251,147).	T	10.3.22.91	205.167.25.101	64403	-
+1464385895.384070	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2014/720968-99999-2014.gz	-	72280	226	Transfer complete	-	-	-	-	-
+1464385896.209892	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,248,72).	T	10.3.22.91	205.167.25.101	63560	-
+1464385896.387139	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2015/720968-99999-2015.gz	-	4670	226	Transfer complete	-	-	-	-	-
+1464385896.847243	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,234,242).	T	10.3.22.91	205.167.25.101	60146	-
+1464385897.023940	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2011/720969-99999-2011.gz	-	5660	226	Transfer complete	-	-	-	-	-
+1464385897.485048	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,236,149).	T	10.3.22.91	205.167.25.101	60565	-
+1464385897.662041	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2012/720969-99999-2012.gz	-	17293	226	Transfer complete	-	-	-	-	-
+1464385898.209116	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,255,33).	T	10.3.22.91	205.167.25.101	65313	-
+1464385898.386376	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2011/720971-99999-2011.gz	-	5375	226	Transfer complete	-	-	-	-	-
+1464385898.850683	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,244,167).	T	10.3.22.91	205.167.25.101	62631	-
+1464385899.027447	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2012/720971-99999-2012.gz	-	58542	226	Transfer complete	-	-	-	-	-
+1464385899.750811	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,253,1).	T	10.3.22.91	205.167.25.101	64769	-
+1464385899.927922	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2013/720971-99999-2013.gz	-	62720	226	Transfer complete	-	-	-	-	-
+1464385900.743066	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,251,214).	T	10.3.22.91	205.167.25.101	64470	-
+1464385900.920496	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2014/720971-99999-2014.gz	-	62291	226	Transfer complete	-	-	-	-	-
+1464385901.737424	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,250,135).	T	10.3.22.91	205.167.25.101	64135	-
+1464385901.914997	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2015/720971-99999-2015.gz	-	61181	226	Transfer complete	-	-	-	-	-
+1464385902.721564	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,241,180).	T	10.3.22.91	205.167.25.101	61876	-
+1464385902.898675	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2016/720971-99999-2016.gz	-	14004	226	Transfer complete	-	-	-	-	-
+1464385903.366492	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,244,161).	T	10.3.22.91	205.167.25.101	62625	-
+1464385903.543825	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2011/720972-99999-2011.gz	-	5490	226	Transfer complete	-	-	-	-	-
+1464385904.008939	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,251,240).	T	10.3.22.91	205.167.25.101	64496	-
+1464385904.185937	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2012/720972-99999-2012.gz	-	64866	226	Transfer complete	-	-	-	-	-
+1464385905.047391	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,240,81).	T	10.3.22.91	205.167.25.101	61521	-
+1464385905.246601	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2013/720972-99999-2013.gz	-	74637	226	Transfer complete	-	-	-	-	-
+1464385906.093213	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,240,143).	T	10.3.22.91	205.167.25.101	61583	-
+1464385906.270087	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2014/720972-99999-2014.gz	-	80363	226	Transfer complete	-	-	-	-	-
+1464385907.173296	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,236,111).	T	10.3.22.91	205.167.25.101	60527	-
+1464385907.350977	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2015/720972-99999-2015.gz	-	80104	226	Transfer complete	-	-	-	-	-
+1464385908.260453	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,249,225).	T	10.3.22.91	205.167.25.101	63969	-
+1464385908.437501	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2016/720972-99999-2016.gz	-	32129	226	Transfer complete	-	-	-	-	-
+1464385909.076700	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,240,9).	T	10.3.22.91	205.167.25.101	61449	-
+1464385909.254077	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2013/720974-00344-2013.gz	-	58428	226	Transfer complete	-	-	-	-	-
+1464385909.984440	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,254,255).	T	10.3.22.91	205.167.25.101	65279	-
+1464385910.161130	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2014/720974-00344-2014.gz	-	58446	226	Transfer complete	-	-	-	-	-
+1464385910.889740	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,234,168).	T	10.3.22.91	205.167.25.101	60072	-
+1464385911.067378	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2015/720974-00344-2015.gz	-	25427	226	Transfer complete	-	-	-	-	-
+1464385911.619048	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,236,143).	T	10.3.22.91	205.167.25.101	60559	-
+1464385911.795592	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2012/720974-99999-2012.gz	-	51354	226	Transfer complete	-	-	-	-	-
+1464385912.516616	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,253,59).	T	10.3.22.91	205.167.25.101	64827	-
+1464385912.693600	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2015/720974-99999-2015.gz	-	32601	226	Transfer complete	-	-	-	-	-
+1464385913.329654	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	226	Transfer complete	T	10.3.22.91	205.167.25.101	61799	-
+1464385914.205587	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,246,107).	T	10.3.22.91	205.167.25.101	63083	-
+1464385914.382841	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2013/720976-00345-2013.gz	-	61150	226	Transfer complete	-	-	-	-	-
+1464385915.191451	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,249,187).	T	10.3.22.91	205.167.25.101	63931	-
+1464385915.368935	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2014/720976-00345-2014.gz	-	60319	226	Transfer complete	-	-	-	-	-
+1464385916.183897	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,237,7).	T	10.3.22.91	205.167.25.101	60679	-
+1464385916.361098	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2015/720976-00345-2015.gz	-	26945	226	Transfer complete	-	-	-	-	-
+1464385916.915441	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,245,136).	T	10.3.22.91	205.167.25.101	62856	-
+1464385917.092655	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2012/720976-99999-2012.gz	-	55312	226	Transfer complete	-	-	-	-	-
+1464385917.821228	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,254,177).	T	10.3.22.91	205.167.25.101	65201	-
+1464385917.998246	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2015/720976-99999-2015.gz	-	35327	226	Transfer complete	-	-	-	-	-
+1464385918.641715	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,238,96).	T	10.3.22.91	205.167.25.101	61024	-
+1464385918.818685	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2016/720976-99999-2016.gz	-	25674	226	Transfer complete	-	-	-	-	-
+1464385919.370145	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,254,65).	T	10.3.22.91	205.167.25.101	65089	-
+1464385919.547177	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2013/720977-99999-2013.gz	-	31564	226	Transfer complete	-	-	-	-	-
+1464385920.184446	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,239,241).	T	10.3.22.91	205.167.25.101	61425	-
+1464385920.361419	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2014/720977-99999-2014.gz	-	55460	226	Transfer complete	-	-	-	-	-
+1464385921.091284	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,250,179).	T	10.3.22.91	205.167.25.101	64179	-
+1464385921.268299	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2015/720977-99999-2015.gz	-	94627	226	Transfer complete	-	-	-	-	-
+1464385922.438077	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2016/720977-99999-2016.gz	-	39065	226	Transfer complete	-	-	-	-	-
+1464385923.078201	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,253,217).	T	10.3.22.91	205.167.25.101	64985	-
+1464385923.255088	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2013/720978-99999-2013.gz	-	37485	226	Transfer complete	-	-	-	-	-
+1464385923.893424	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,251,70).	T	10.3.22.91	205.167.25.101	64326	-
+1464385924.070553	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2014/720978-99999-2014.gz	-	70763	226	Transfer complete	-	-	-	-	-
+1464385924.913787	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,252,11).	T	10.3.22.91	205.167.25.101	64523	-
+1464385925.091318	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2015/720978-99999-2015.gz	-	89655	226	Transfer complete	-	-	-	-	-
+1464385926.046005	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,252,251).	T	10.3.22.91	205.167.25.101	64763	-
+1464385926.223410	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2016/720978-99999-2016.gz	-	29268	226	Transfer complete	-	-	-	-	-
+1464385926.774138	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,239,239).	T	10.3.22.91	205.167.25.101	61423	-
+1464385926.951217	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2013/720979-99999-2013.gz	-	19207	226	Transfer complete	-	-	-	-	-
+1464385927.497690	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,249,14).	T	10.3.22.91	205.167.25.101	63758	-
+1464385927.674515	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2014/720979-99999-2014.gz	-	62119	226	Transfer complete	-	-	-	-	-
+1464385928.490803	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,248,211).	T	10.3.22.91	205.167.25.101	63699	-
+1464385928.667466	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2015/720979-99999-2015.gz	-	95927	226	Transfer complete	-	-	-	-	-
+1464385929.656761	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,234,120).	T	10.3.22.91	205.167.25.101	60024	-
+1464385929.834202	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2016/720979-99999-2016.gz	-	39478	226	Transfer complete	-	-	-	-	-
+1464385930.468043	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,234,195).	T	10.3.22.91	205.167.25.101	60099	-
+1464385930.645140	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2013/720981-99999-2013.gz	-	9279	226	Transfer complete	-	-	-	-	-
+1464385931.113004	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,237,118).	T	10.3.22.91	205.167.25.101	60790	-
+1464385931.290094	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2014/720981-99999-2014.gz	-	76185	226	Transfer complete	-	-	-	-	-
+1464385932.196772	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,252,8).	T	10.3.22.91	205.167.25.101	64520	-
+1464385932.374025	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2015/720981-99999-2015.gz	-	97290	226	Transfer complete	-	-	-	-	-
+1464385933.370629	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,240,181).	T	10.3.22.91	205.167.25.101	61621	-
+1464385933.547489	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2016/720981-99999-2016.gz	-	38948	226	Transfer complete	-	-	-	-	-
+1464385934.271216	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,243,166).	T	10.3.22.91	205.167.25.101	62374	-
+1464385934.448828	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2013/720982-99999-2013.gz	-	207	226	Transfer complete	-	-	-	-	-
+1464385934.900278	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,254,24).	T	10.3.22.91	205.167.25.101	65048	-
+1464385935.077495	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2014/720982-99999-2014.gz	-	47215	226	Transfer complete	-	-	-	-	-
+1464385935.804636	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,234,151).	T	10.3.22.91	205.167.25.101	60055	-
+1464385935.982112	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2015/720982-99999-2015.gz	-	96203	226	Transfer complete	-	-	-	-	-
+1464385936.969561	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,249,80).	T	10.3.22.91	205.167.25.101	63824	-
+1464385937.146669	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2016/720982-99999-2016.gz	-	38911	226	Transfer complete	-	-	-	-	-
+1464385937.784381	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,253,25).	T	10.3.22.91	205.167.25.101	64793	-
+1464385937.961553	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2014/720983-99999-2014.gz	-	4688	226	Transfer complete	-	-	-	-	-
+1464385938.426344	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,234,224).	T	10.3.22.91	205.167.25.101	60128	-
+1464385938.603611	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2015/720983-99999-2015.gz	-	96155	226	Transfer complete	-	-	-	-	-
+1464385939.584466	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,251,127).	T	10.3.22.91	205.167.25.101	64383	-
+1464385939.761551	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2016/720983-99999-2016.gz	-	38740	226	Transfer complete	-	-	-	-	-
+1464385940.403045	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,250,86).	T	10.3.22.91	205.167.25.101	64086	-
+1464385940.579930	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2014/720984-99999-2014.gz	-	43135	226	Transfer complete	-	-	-	-	-
+1464385941.225017	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,241,231).	T	10.3.22.91	205.167.25.101	61927	-
+1464385941.402313	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2015/720984-99999-2015.gz	-	92926	226	Transfer complete	-	-	-	-	-
+1464385942.392176	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,241,236).	T	10.3.22.91	205.167.25.101	61932	-
+1464385942.569771	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2016/720984-99999-2016.gz	-	29572	226	Transfer complete	-	-	-	-	-
+1464385943.126298	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,244,18).	T	10.3.22.91	205.167.25.101	62482	-
+1464385943.303753	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2013/720985-99999-2013.gz	-	10557	226	Transfer complete	-	-	-	-	-
+1464385943.772212	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,244,143).	T	10.3.22.91	205.167.25.101	62607	-
+1464385943.949368	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2014/720985-99999-2014.gz	-	4900	226	Transfer complete	-	-	-	-	-
+1464385944.414065	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,253,21).	T	10.3.22.91	205.167.25.101	64789	-
+1464385944.592077	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2015/720985-99999-2015.gz	-	92236	226	Transfer complete	-	-	-	-	-
+1464385945.560218	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,242,196).	T	10.3.22.91	205.167.25.101	62148	-
+1464385945.737838	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2016/720985-99999-2016.gz	-	38529	226	Transfer complete	-	-	-	-	-
+1464385946.376956	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,248,143).	T	10.3.22.91	205.167.25.101	63631	-
+1464385946.554067	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2013/720986-99999-2013.gz	-	13247	226	Transfer complete	-	-	-	-	-
+1464385947.015474	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,251,87).	T	10.3.22.91	205.167.25.101	64343	-
+1464385947.192074	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2014/720986-99999-2014.gz	-	45564	226	Transfer complete	-	-	-	-	-
+1464385947.922430	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,248,85).	T	10.3.22.91	205.167.25.101	63573	-
+1464385948.099615	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2015/720986-99999-2015.gz	-	96030	226	Transfer complete	-	-	-	-	-
+1464385949.092101	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,243,68).	T	10.3.22.91	205.167.25.101	62276	-
+1464385949.269184	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2016/720986-99999-2016.gz	-	38166	226	Transfer complete	-	-	-	-	-
+1464385949.901294	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,245,47).	T	10.3.22.91	205.167.25.101	62767	-
+1464385950.078625	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2013/720987-99999-2013.gz	-	11019	226	Transfer complete	-	-	-	-	-
+1464385950.537550	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,246,47).	T	10.3.22.91	205.167.25.101	63023	-
+1464385950.714653	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2014/720987-99999-2014.gz	-	76795	226	Transfer complete	-	-	-	-	-
+1464385951.560910	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,238,140).	T	10.3.22.91	205.167.25.101	61068	-
+1464385951.737842	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2015/720987-99999-2015.gz	-	94041	226	Transfer complete	-	-	-	-	-
+1464385952.729965	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,241,60).	T	10.3.22.91	205.167.25.101	61756	-
+1464385952.906829	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2016/720987-99999-2016.gz	-	38521	226	Transfer complete	-	-	-	-	-
+1464385953.547406	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,243,44).	T	10.3.22.91	205.167.25.101	62252	-
+1464385953.724608	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2014/720988-99999-2014.gz	-	4645	226	Transfer complete	-	-	-	-	-
+1464385954.188776	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,244,27).	T	10.3.22.91	205.167.25.101	62491	-
+1464385954.366216	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2015/720988-99999-2015.gz	-	94845	226	Transfer complete	-	-	-	-	-
+1464385955.361373	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,255,234).	T	10.3.22.91	205.167.25.101	65514	-
+1464385955.538398	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2016/720988-99999-2016.gz	-	38730	226	Transfer complete	-	-	-	-	-
+1464385956.181694	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,236,1).	T	10.3.22.91	205.167.25.101	60417	-
+1464385956.358882	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2014/720989-99999-2014.gz	-	4641	226	Transfer complete	-	-	-	-	-
+1464385956.907709	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,244,52).	T	10.3.22.91	205.167.25.101	62516	-
+1464385957.085005	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2015/720989-99999-2015.gz	-	77719	226	Transfer complete	-	-	-	-	-
+1464385957.983158	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,234,175).	T	10.3.22.91	205.167.25.101	60079	-
+1464385958.160405	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2016/720989-99999-2016.gz	-	39118	226	Transfer complete	-	-	-	-	-
+1464385958.798648	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,239,23).	T	10.3.22.91	205.167.25.101	61207	-
+1464385958.975829	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2012/720991-99999-2012.gz	-	84	226	Transfer complete	-	-	-	-	-
+1464385959.423882	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,240,61).	T	10.3.22.91	205.167.25.101	61501	-
+1464385959.601071	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2013/720991-99999-2013.gz	-	102	226	Transfer complete	-	-	-	-	-
+1464385960.051109	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,241,4).	T	10.3.22.91	205.167.25.101	61700	-
+1464385960.228071	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2014/720991-99999-2014.gz	-	14486	226	Transfer complete	-	-	-	-	-
+1464385960.689169	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,248,93).	T	10.3.22.91	205.167.25.101	63581	-
+1464385960.865922	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2015/720991-99999-2015.gz	-	96701	226	Transfer complete	-	-	-	-	-
+1464385961.857759	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,238,87).	T	10.3.22.91	205.167.25.101	61015	-
+1464385962.034785	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2016/720991-99999-2016.gz	-	39225	226	Transfer complete	-	-	-	-	-
+1464385962.671015	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,241,60).	T	10.3.22.91	205.167.25.101	61756	-
+1464385962.847804	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2014/720992-99999-2014.gz	-	4732	226	Transfer complete	-	-	-	-	-
+1464385963.309375	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,241,174).	T	10.3.22.91	205.167.25.101	61870	-
+1464385963.486817	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2015/720992-99999-2015.gz	-	97056	226	Transfer complete	-	-	-	-	-
+1464385964.468282	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,235,113).	T	10.3.22.91	205.167.25.101	60273	-
+1464385964.645361	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2016/720992-99999-2016.gz	-	39342	226	Transfer complete	-	-	-	-	-
+1464385965.286227	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,241,188).	T	10.3.22.91	205.167.25.101	61884	-
+1464385965.462922	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2013/720993-99999-2013.gz	-	13276	226	Transfer complete	-	-	-	-	-
+1464385965.932333	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,237,47).	T	10.3.22.91	205.167.25.101	60719	-
+1464385966.109636	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2014/720993-99999-2014.gz	-	31670	226	Transfer complete	-	-	-	-	-
+1464385966.746655	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,251,103).	T	10.3.22.91	205.167.25.101	64359	-
+1464385966.923927	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2015/720993-99999-2015.gz	-	95956	226	Transfer complete	-	-	-	-	-
+1464385967.917939	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,249,68).	T	10.3.22.91	205.167.25.101	63812	-
+1464385968.094772	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2016/720993-99999-2016.gz	-	39342	226	Transfer complete	-	-	-	-	-
+1464385968.737682	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,244,187).	T	10.3.22.91	205.167.25.101	62651	-
+1464385968.914629	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2013/720994-99999-2013.gz	-	4286	226	Transfer complete	-	-	-	-	-
+1464385969.381059	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,239,122).	T	10.3.22.91	205.167.25.101	61306	-
+1464385969.558137	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2014/720994-99999-2014.gz	-	55449	226	Transfer complete	-	-	-	-	-
+1464385970.279084	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,237,212).	T	10.3.22.91	205.167.25.101	60884	-
+1464385970.455735	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2015/720994-99999-2015.gz	-	96712	226	Transfer complete	-	-	-	-	-
+1464385971.459612	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,241,210).	T	10.3.22.91	205.167.25.101	61906	-
+1464385971.637123	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2016/720994-99999-2016.gz	-	39273	226	Transfer complete	-	-	-	-	-
+1464385972.275878	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,247,223).	T	10.3.22.91	205.167.25.101	63455	-
+1464385972.452864	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2012/720995-99999-2012.gz	-	16519	226	Transfer complete	-	-	-	-	-
+1464385973.005973	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,252,3).	T	10.3.22.91	205.167.25.101	64515	-
+1464385973.183561	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2013/720995-99999-2013.gz	-	38866	226	Transfer complete	-	-	-	-	-
+1464385973.825455	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,237,43).	T	10.3.22.91	205.167.25.101	60715	-
+1464385974.002533	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2014/720995-99999-2014.gz	-	68132	226	Transfer complete	-	-	-	-	-
+1464385974.873368	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,240,54).	T	10.3.22.91	205.167.25.101	61494	-
+1464385975.074383	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2015/720995-99999-2015.gz	-	94582	226	Transfer complete	-	-	-	-	-
+1464385976.119646	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,239,73).	T	10.3.22.91	205.167.25.101	61257	-
+1464385976.296744	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2016/720995-99999-2016.gz	-	39007	226	Transfer complete	-	-	-	-	-
+1464385976.928802	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,247,250).	T	10.3.22.91	205.167.25.101	63482	-
+1464385977.105543	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2012/720996-99999-2012.gz	-	45774	226	Transfer complete	-	-	-	-	-
+1464385977.832019	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,252,6).	T	10.3.22.91	205.167.25.101	64518	-
+1464385978.009419	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2013/720996-99999-2013.gz	-	54732	226	Transfer complete	-	-	-	-	-
+1464385978.728653	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,243,117).	T	10.3.22.91	205.167.25.101	62325	-
+1464385978.905573	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2014/720996-99999-2014.gz	-	59022	226	Transfer complete	-	-	-	-	-
+1464385979.726077	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,254,214).	T	10.3.22.91	205.167.25.101	65238	-
+1464385979.903626	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2015/720996-99999-2015.gz	-	96902	226	Transfer complete	-	-	-	-	-
+1464385980.898268	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,239,52).	T	10.3.22.91	205.167.25.101	61236	-
+1464385981.075570	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2016/720996-99999-2016.gz	-	39296	226	Transfer complete	-	-	-	-	-
+1464385981.713419	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,253,49).	T	10.3.22.91	205.167.25.101	64817	-
+1464385981.890247	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2013/720997-99999-2013.gz	-	15507	226	Transfer complete	-	-	-	-	-
+1464385982.453453	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,254,194).	T	10.3.22.91	205.167.25.101	65218	-
+1464385982.630670	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2014/720997-99999-2014.gz	-	72359	226	Transfer complete	-	-	-	-	-
+1464385983.447198	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,240,213).	T	10.3.22.91	205.167.25.101	61653	-
+1464385983.624718	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2015/720997-99999-2015.gz	-	96484	226	Transfer complete	-	-	-	-	-
+1464385984.621718	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,241,103).	T	10.3.22.91	205.167.25.101	61799	-
+1464385984.799440	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2016/720997-99999-2016.gz	-	38975	226	Transfer complete	-	-	-	-	-
+1464385985.438092	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,255,17).	T	10.3.22.91	205.167.25.101	65297	-
+1464385985.615330	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2012/720998-99999-2012.gz	-	4395	226	Transfer complete	-	-	-	-	-
+1464385986.082552	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,245,140).	T	10.3.22.91	205.167.25.101	62860	-
+1464385986.260091	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2013/720998-99999-2013.gz	-	13961	226	Transfer complete	-	-	-	-	-
+1464385986.719609	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,247,68).	T	10.3.22.91	205.167.25.101	63300	-
+1464385986.896578	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2014/720998-99999-2014.gz	-	58602	226	Transfer complete	-	-	-	-	-
+1464385987.627733	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,240,22).	T	10.3.22.91	205.167.25.101	61462	-
+1464385987.804984	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2015/720998-99999-2015.gz	-	83431	226	Transfer complete	-	-	-	-	-
+1464385988.710314	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,237,235).	T	10.3.22.91	205.167.25.101	60907	-
+1464385988.887635	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2016/720998-99999-2016.gz	-	38882	226	Transfer complete	-	-	-	-	-
+1464385989.531559	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,251,59).	T	10.3.22.91	205.167.25.101	64315	-
+1464385989.708803	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2012/720999-99999-2012.gz	-	25050	226	Transfer complete	-	-	-	-	-
+1464385990.259700	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,246,242).	T	10.3.22.91	205.167.25.101	63218	-
+1464385990.437284	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2013/720999-99999-2013.gz	-	35642	226	Transfer complete	-	-	-	-	-
+1464385991.073852	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,245,57).	T	10.3.22.91	205.167.25.101	62777	-
+1464385991.251065	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2014/720999-99999-2014.gz	-	62099	226	Transfer complete	-	-	-	-	-
+1464385992.059553	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,252,77).	T	10.3.22.91	205.167.25.101	64589	-
+1464385992.236956	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2015/720999-99999-2015.gz	-	93403	226	Transfer complete	-	-	-	-	-
+1464385993.227089	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,254,79).	T	10.3.22.91	205.167.25.101	65103	-
+1464385993.404766	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2016/720999-99999-2016.gz	-	38264	226	Transfer complete	-	-	-	-	-
+1464385994.040559	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,248,9).	T	10.3.22.91	205.167.25.101	63497	-
+1464385994.218069	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2013/721001-99999-2013.gz	-	15083	226	Transfer complete	-	-	-	-	-
+1464385994.767346	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,247,181).	T	10.3.22.91	205.167.25.101	63413	-
+1464385994.944306	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2014/721001-99999-2014.gz	-	77476	226	Transfer complete	-	-	-	-	-
+1464385995.846484	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,247,148).	T	10.3.22.91	205.167.25.101	63380	-
+1464385996.023948	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2015/721001-99999-2015.gz	-	62930	226	Transfer complete	-	-	-	-	-
+1464385996.845183	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,236,198).	T	10.3.22.91	205.167.25.101	60614	-
+1464385997.022084	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2013/721002-99999-2013.gz	-	14161	226	Transfer complete	-	-	-	-	-
+1464385997.909660	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,252,208).	T	10.3.22.91	205.167.25.101	64720	-
+1464385998.086127	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2014/721002-99999-2014.gz	-	46291	226	Transfer complete	-	-	-	-	-
+1464385998.815341	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,251,8).	T	10.3.22.91	205.167.25.101	64264	-
+1464385998.992671	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2015/721002-99999-2015.gz	-	81001	226	Transfer complete	-	-	-	-	-
+1464385999.889725	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,244,56).	T	10.3.22.91	205.167.25.101	62520	-
+1464386000.066779	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2016/721002-99999-2016.gz	-	35287	226	Transfer complete	-	-	-	-	-
+1464386000.707625	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,244,177).	T	10.3.22.91	205.167.25.101	62641	-
+1464386000.884657	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2012/721003-99999-2012.gz	-	21039	226	Transfer complete	-	-	-	-	-
+1464386001.449969	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,247,13).	T	10.3.22.91	205.167.25.101	63245	-
+1464386001.627179	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2013/721003-99999-2013.gz	-	50785	226	Transfer complete	-	-	-	-	-
+1464386002.356095	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,247,3).	T	10.3.22.91	205.167.25.101	63235	-
+1464386002.533225	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2014/721003-99999-2014.gz	-	74836	226	Transfer complete	-	-	-	-	-
+1464386003.437802	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,250,135).	T	10.3.22.91	205.167.25.101	64135	-
+1464386003.614759	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2015/721003-99999-2015.gz	-	96322	226	Transfer complete	-	-	-	-	-
+1464386004.611652	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,251,246).	T	10.3.22.91	205.167.25.101	64502	-
+1464386004.788472	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2016/721003-99999-2016.gz	-	38739	226	Transfer complete	-	-	-	-	-
+1464386005.429034	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,238,254).	T	10.3.22.91	205.167.25.101	61182	-
+1464386005.606399	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2012/721004-99999-2012.gz	-	33005	226	Transfer complete	-	-	-	-	-
+1464386006.241506	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,246,143).	T	10.3.22.91	205.167.25.101	63119	-
+1464386006.418636	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2013/721004-99999-2013.gz	-	43647	226	Transfer complete	-	-	-	-	-
+1464386007.057923	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,239,109).	T	10.3.22.91	205.167.25.101	61293	-
+1464386007.235113	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2014/721004-99999-2014.gz	-	53028	226	Transfer complete	-	-	-	-	-
+1464386007.959997	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,237,214).	T	10.3.22.91	205.167.25.101	60886	-
+1464386008.136359	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2015/721004-99999-2015.gz	-	92201	226	Transfer complete	-	-	-	-	-
+1464386009.132249	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,251,99).	T	10.3.22.91	205.167.25.101	64355	-
+1464386009.309452	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2016/721004-99999-2016.gz	-	37255	226	Transfer complete	-	-	-	-	-
+1464386009.941333	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,236,160).	T	10.3.22.91	205.167.25.101	60576	-
+1464386010.118266	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2012/721005-99999-2012.gz	-	12783	226	Transfer complete	-	-	-	-	-
+1464386010.582944	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,236,153).	T	10.3.22.91	205.167.25.101	60569	-
+1464386010.760132	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2013/721005-99999-2013.gz	-	55075	226	Transfer complete	-	-	-	-	-
+1464386011.584921	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,236,57).	T	10.3.22.91	205.167.25.101	60473	-
+1464386011.762130	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2014/721005-99999-2014.gz	-	41761	226	Transfer complete	-	-	-	-	-
+1464386012.407685	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,243,167).	T	10.3.22.91	205.167.25.101	62375	-
+1464386012.584695	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2015/721005-99999-2015.gz	-	91189	226	Transfer complete	-	-	-	-	-
+1464386013.489738	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,235,171).	T	10.3.22.91	205.167.25.101	60331	-
+1464386013.666662	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2012/721006-99999-2012.gz	-	24691	226	Transfer complete	-	-	-	-	-
+1464386014.230867	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,247,102).	T	10.3.22.91	205.167.25.101	63334	-
+1464386014.429809	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2013/721006-99999-2013.gz	-	16443	226	Transfer complete	-	-	-	-	-
+1464386015.030070	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,234,237).	T	10.3.22.91	205.167.25.101	60141	-
+1464386015.230925	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2014/721006-99999-2014.gz	-	52409	226	Transfer complete	-	-	-	-	-
+1464386015.991201	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,241,98).	T	10.3.22.91	205.167.25.101	61794	-
+1464386016.168238	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2015/721006-99999-2015.gz	-	89378	226	Transfer complete	-	-	-	-	-
+1464386017.071399	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,250,241).	T	10.3.22.91	205.167.25.101	64241	-
+1464386017.248336	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2016/721006-99999-2016.gz	-	33923	226	Transfer complete	-	-	-	-	-
+1464386017.890380	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,251,201).	T	10.3.22.91	205.167.25.101	64457	-
+1464386018.067218	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2012/721007-99999-2012.gz	-	16221	226	Transfer complete	-	-	-	-	-
+1464386018.621861	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,253,245).	T	10.3.22.91	205.167.25.101	65013	-
+1464386018.799048	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2013/721007-99999-2013.gz	-	16229	226	Transfer complete	-	-	-	-	-
+1464386019.351196	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,240,43).	T	10.3.22.91	205.167.25.101	61483	-
+1464386019.528630	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2014/721007-99999-2014.gz	-	56455	226	Transfer complete	-	-	-	-	-
+1464386020.256195	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,248,23).	T	10.3.22.91	205.167.25.101	63511	-
+1464386020.433295	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2015/721007-99999-2015.gz	-	93952	226	Transfer complete	-	-	-	-	-
+1464386021.421695	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,252,69).	T	10.3.22.91	205.167.25.101	64581	-
+1464386021.598378	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2016/721007-99999-2016.gz	-	38709	226	Transfer complete	-	-	-	-	-
+1464386022.245402	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,253,213).	T	10.3.22.91	205.167.25.101	64981	-
+1464386022.422681	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2012/721008-99999-2012.gz	-	28627	226	Transfer complete	-	-	-	-	-
+1464386022.968649	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,239,206).	T	10.3.22.91	205.167.25.101	61390	-
+1464386023.146114	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2013/721008-99999-2013.gz	-	32885	226	Transfer complete	-	-	-	-	-
+1464386023.780092	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,243,218).	T	10.3.22.91	205.167.25.101	62426	-
+1464386023.957211	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2014/721008-99999-2014.gz	-	22251	226	Transfer complete	-	-	-	-	-
+1464386024.506339	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,234,156).	T	10.3.22.91	205.167.25.101	60060	-
+1464386024.683641	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2015/721008-99999-2015.gz	-	54050	226	Transfer complete	-	-	-	-	-
+1464386025.406875	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,236,159).	T	10.3.22.91	205.167.25.101	60575	-
+1464386025.584161	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2016/721008-99999-2016.gz	-	35061	226	Transfer complete	-	-	-	-	-
+1464386026.225078	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,238,228).	T	10.3.22.91	205.167.25.101	61156	-
+1464386026.402374	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2013/721009-99999-2013.gz	-	11335	226	Transfer complete	-	-	-	-	-
+1464386026.859439	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,244,116).	T	10.3.22.91	205.167.25.101	62580	-
+1464386027.036678	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2014/721009-99999-2014.gz	-	44455	226	Transfer complete	-	-	-	-	-
+1464386027.762951	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,246,240).	T	10.3.22.91	205.167.25.101	63216	-
+1464386027.939961	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2015/721009-99999-2015.gz	-	96313	226	Transfer complete	-	-	-	-	-
+1464386028.923908	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,251,145).	T	10.3.22.91	205.167.25.101	64401	-
+1464386029.100930	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2016/721009-99999-2016.gz	-	39125	226	Transfer complete	-	-	-	-	-
+1464386029.746684	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,235,121).	T	10.3.22.91	205.167.25.101	60281	-
+1464386029.924034	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2014/721011-99999-2014.gz	-	9760	226	Transfer complete	-	-	-	-	-
+1464386030.386720	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,241,121).	T	10.3.22.91	205.167.25.101	61817	-
+1464386030.563689	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2015/721011-99999-2015.gz	-	94391	226	Transfer complete	-	-	-	-	-
+1464386031.554763	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,247,137).	T	10.3.22.91	205.167.25.101	63369	-
+1464386031.731737	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2016/721011-99999-2016.gz	-	38866	226	Transfer complete	-	-	-	-	-
+1464386032.382351	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,240,23).	T	10.3.22.91	205.167.25.101	61463	-
+1464386032.559410	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2012/721012-99999-2012.gz	-	4723	226	Transfer complete	-	-	-	-	-
+1464386033.019543	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,253,168).	T	10.3.22.91	205.167.25.101	64936	-
+1464386033.196825	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2013/721012-99999-2013.gz	-	42789	226	Transfer complete	-	-	-	-	-
+1464386034.084202	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,252,151).	T	10.3.22.91	205.167.25.101	64663	-
+1464386034.261649	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2014/721012-99999-2014.gz	-	40062	226	Transfer complete	-	-	-	-	-
+1464386034.895559	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,243,142).	T	10.3.22.91	205.167.25.101	62350	-
+1464386035.072164	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2015/721012-99999-2015.gz	-	95235	226	Transfer complete	-	-	-	-	-
+1464386036.055665	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,249,13).	T	10.3.22.91	205.167.25.101	63757	-
+1464386036.232886	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2016/721012-99999-2016.gz	-	38942	226	Transfer complete	-	-	-	-	-
+1464386037.072080	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,254,216).	T	10.3.22.91	205.167.25.101	65240	-
+1464386037.249109	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2012/721013-99999-2012.gz	-	11565	226	Transfer complete	-	-	-	-	-
+1464386037.725150	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,245,199).	T	10.3.22.91	205.167.25.101	62919	-
+1464386037.902140	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2013/721013-99999-2013.gz	-	37065	226	Transfer complete	-	-	-	-	-
+1464386038.541760	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,250,230).	T	10.3.22.91	205.167.25.101	64230	-
+1464386038.718916	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2014/721013-99999-2014.gz	-	59979	226	Transfer complete	-	-	-	-	-
+1464386039.449190	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,242,128).	T	10.3.22.91	205.167.25.101	62080	-
+1464386039.626142	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2015/721013-99999-2015.gz	-	79512	226	Transfer complete	-	-	-	-	-
+1464386040.444029	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,247,19).	T	10.3.22.91	205.167.25.101	63251	-
+1464386040.621082	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2016/721013-99999-2016.gz	-	38091	226	Transfer complete	-	-	-	-	-
+1464386041.262057	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,242,77).	T	10.3.22.91	205.167.25.101	62029	-
+1464386041.438632	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2012/721014-99999-2012.gz	-	4549	226	Transfer complete	-	-	-	-	-
+1464386041.892894	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,243,14).	T	10.3.22.91	205.167.25.101	62222	-
+1464386042.069956	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2013/721014-99999-2013.gz	-	54070	226	Transfer complete	-	-	-	-	-
+1464386042.711957	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,254,22).	T	10.3.22.91	205.167.25.101	65046	-
+1464386042.889048	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2014/721014-99999-2014.gz	-	79947	226	Transfer complete	-	-	-	-	-
+1464386043.608433	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,237,63).	T	10.3.22.91	205.167.25.101	60735	-
+1464386043.785059	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2015/721014-99999-2015.gz	-	97170	226	Transfer complete	-	-	-	-	-
+1464386044.596930	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,238,216).	T	10.3.22.91	205.167.25.101	61144	-
+1464386044.774064	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2016/721014-99999-2016.gz	-	39089	226	Transfer complete	-	-	-	-	-
+1464386045.414686	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,252,12).	T	10.3.22.91	205.167.25.101	64524	-
+1464386045.591577	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2012/721015-99999-2012.gz	-	2988	226	Transfer complete	-	-	-	-	-
+1464386046.055501	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,243,11).	T	10.3.22.91	205.167.25.101	62219	-
+1464386046.232860	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2013/721015-99999-2013.gz	-	25839	226	Transfer complete	-	-	-	-	-
+1464386046.789881	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,252,143).	T	10.3.22.91	205.167.25.101	64655	-
+1464386046.966690	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2014/721015-99999-2014.gz	-	46807	226	Transfer complete	-	-	-	-	-
+1464386047.599625	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,248,82).	T	10.3.22.91	205.167.25.101	63570	-
+1464386047.776728	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2015/721015-99999-2015.gz	-	95110	226	Transfer complete	-	-	-	-	-
+1464386048.586748	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,240,225).	T	10.3.22.91	205.167.25.101	61665	-
+1464386048.764427	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2016/721015-99999-2016.gz	-	34076	226	Transfer complete	-	-	-	-	-
+1464386049.404715	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,236,94).	T	10.3.22.91	205.167.25.101	60510	-
+1464386049.581552	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2012/721016-99999-2012.gz	-	1632	226	Transfer complete	-	-	-	-	-
+1464386050.046208	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,236,46).	T	10.3.22.91	205.167.25.101	60462	-
+1464386050.223812	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2013/721016-99999-2013.gz	-	34039	226	Transfer complete	-	-	-	-	-
+1464386050.940946	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,241,30).	T	10.3.22.91	205.167.25.101	61726	-
+1464386051.117981	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2014/721016-99999-2014.gz	-	82787	226	Transfer complete	-	-	-	-	-
+1464386051.932289	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,238,158).	T	10.3.22.91	205.167.25.101	61086	-
+1464386052.109444	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2015/721016-99999-2015.gz	-	81322	226	Transfer complete	-	-	-	-	-
+1464386052.928376	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,240,178).	T	10.3.22.91	205.167.25.101	61618	-
+1464386053.105263	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2016/721016-99999-2016.gz	-	30133	226	Transfer complete	-	-	-	-	-
+1464386053.656259	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,251,50).	T	10.3.22.91	205.167.25.101	64306	-
+1464386053.833639	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2012/721017-99999-2012.gz	-	5021	226	Transfer complete	-	-	-	-	-
+1464386054.295337	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,251,47).	T	10.3.22.91	205.167.25.101	64303	-
+1464386054.472642	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2013/721017-99999-2013.gz	-	40069	226	Transfer complete	-	-	-	-	-
+1464386055.124506	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,236,69).	T	10.3.22.91	205.167.25.101	60485	-
+1464386055.301897	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2014/721017-99999-2014.gz	-	54954	226	Transfer complete	-	-	-	-	-
+1464386056.026576	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,252,75).	T	10.3.22.91	205.167.25.101	64587	-
+1464386056.204073	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2015/721017-99999-2015.gz	-	95620	226	Transfer complete	-	-	-	-	-
+1464386057.016962	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,236,169).	T	10.3.22.91	205.167.25.101	60585	-
+1464386057.194806	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2016/721017-99999-2016.gz	-	36267	226	Transfer complete	-	-	-	-	-
+1464386057.828931	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,249,111).	T	10.3.22.91	205.167.25.101	63855	-
+1464386058.006338	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2012/721018-99999-2012.gz	-	20932	226	Transfer complete	-	-	-	-	-
+1464386058.545962	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,236,100).	T	10.3.22.91	205.167.25.101	60516	-
+1464386058.723019	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2013/721018-99999-2013.gz	-	50021	226	Transfer complete	-	-	-	-	-
+1464386059.449165	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,255,242).	T	10.3.22.91	205.167.25.101	65522	-
+1464386059.625773	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2014/721018-99999-2014.gz	-	48579	226	Transfer complete	-	-	-	-	-
+1464386060.257140	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,246,8).	T	10.3.22.91	205.167.25.101	62984	-
+1464386060.434938	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2015/721018-99999-2015.gz	-	97896	226	Transfer complete	-	-	-	-	-
+1464386061.252237	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,245,147).	T	10.3.22.91	205.167.25.101	62867	-
+1464386061.429397	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2016/721018-99999-2016.gz	-	39365	226	Transfer complete	-	-	-	-	-
+1464386062.064399	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,249,1).	T	10.3.22.91	205.167.25.101	63745	-
+1464386062.241379	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2012/721019-99999-2012.gz	-	15517	226	Transfer complete	-	-	-	-	-
+1464386062.787834	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,244,225).	T	10.3.22.91	205.167.25.101	62689	-
+1464386062.965017	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2013/721019-99999-2013.gz	-	15450	226	Transfer complete	-	-	-	-	-
+1464386063.521979	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,235,91).	T	10.3.22.91	205.167.25.101	60251	-
+1464386063.698654	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2014/721019-99999-2014.gz	-	78562	226	Transfer complete	-	-	-	-	-
+1464386064.514296	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,243,232).	T	10.3.22.91	205.167.25.101	62440	-
+1464386064.692279	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2015/721019-99999-2015.gz	-	95714	226	Transfer complete	-	-	-	-	-
+1464386065.509477	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,253,1).	T	10.3.22.91	205.167.25.101	64769	-
+1464386065.687458	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2016/721019-99999-2016.gz	-	37912	226	Transfer complete	-	-	-	-	-
+1464386066.322058	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,248,15).	T	10.3.22.91	205.167.25.101	63503	-
+1464386066.498839	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2012/721021-99999-2012.gz	-	9112	226	Transfer complete	-	-	-	-	-
+1464386066.964024	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,251,214).	T	10.3.22.91	205.167.25.101	64470	-
+1464386067.140861	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2013/721021-99999-2013.gz	-	47625	226	Transfer complete	-	-	-	-	-
+1464386067.786716	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,240,16).	T	10.3.22.91	205.167.25.101	61456	-
+1464386067.963701	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2014/721021-99999-2014.gz	-	38112	226	Transfer complete	-	-	-	-	-
+1464386068.606276	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,246,38).	T	10.3.22.91	205.167.25.101	63014	-
+1464386068.783321	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2015/721021-99999-2015.gz	-	91137	226	Transfer complete	-	-	-	-	-
+1464386069.595725	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,254,182).	T	10.3.22.91	205.167.25.101	65206	-
+1464386069.772902	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2016/721021-99999-2016.gz	-	31137	226	Transfer complete	-	-	-	-	-
+1464386070.320641	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,244,137).	T	10.3.22.91	205.167.25.101	62601	-
+1464386070.497538	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2012/721022-99999-2012.gz	-	13399	226	Transfer complete	-	-	-	-	-
+1464386070.968548	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,242,52).	T	10.3.22.91	205.167.25.101	62004	-
+1464386071.145781	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2013/721022-99999-2013.gz	-	44844	226	Transfer complete	-	-	-	-	-
+1464386071.781972	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,241,195).	T	10.3.22.91	205.167.25.101	61891	-
+1464386071.958941	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2014/721022-99999-2014.gz	-	77977	226	Transfer complete	-	-	-	-	-
+1464386072.866598	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,241,25).	T	10.3.22.91	205.167.25.101	61721	-
+1464386073.043641	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2015/721022-99999-2015.gz	-	95101	226	Transfer complete	-	-	-	-	-
+1464386073.855660	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,234,136).	T	10.3.22.91	205.167.25.101	60040	-
+1464386074.032576	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2016/721022-99999-2016.gz	-	38787	226	Transfer complete	-	-	-	-	-
+1464386074.846499	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,248,69).	T	10.3.22.91	205.167.25.101	63557	-
+1464386075.023694	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2012/721023-99999-2012.gz	-	8646	226	Transfer complete	-	-	-	-	-
+1464386075.472261	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,243,24).	T	10.3.22.91	205.167.25.101	62232	-
+1464386075.649215	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2013/721023-99999-2013.gz	-	59127	226	Transfer complete	-	-	-	-	-
+1464386076.375596	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,236,86).	T	10.3.22.91	205.167.25.101	60502	-
+1464386076.552395	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2014/721023-99999-2014.gz	-	70160	226	Transfer complete	-	-	-	-	-
+1464386077.273819	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,255,3).	T	10.3.22.91	205.167.25.101	65283	-
+1464386077.450990	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2015/721023-99999-2015.gz	-	97092	226	Transfer complete	-	-	-	-	-
+1464386078.369196	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,247,87).	T	10.3.22.91	205.167.25.101	63319	-
+1464386078.546153	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2016/721023-99999-2016.gz	-	31538	226	Transfer complete	-	-	-	-	-
+1464386079.097176	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,242,169).	T	10.3.22.91	205.167.25.101	62121	-
+1464386079.274079	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2012/721024-99999-2012.gz	-	10148	226	Transfer complete	-	-	-	-	-
+1464386079.741795	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,250,54).	T	10.3.22.91	205.167.25.101	64054	-
+1464386079.918886	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2013/721024-99999-2013.gz	-	4866	226	Transfer complete	-	-	-	-	-
+1464386080.385643	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,242,135).	T	10.3.22.91	205.167.25.101	62087	-
+1464386080.563103	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2014/721024-99999-2014.gz	-	59331	226	Transfer complete	-	-	-	-	-
+1464386081.296175	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,244,143).	T	10.3.22.91	205.167.25.101	62607	-
+1464386081.473157	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2015/721024-99999-2015.gz	-	95009	226	Transfer complete	-	-	-	-	-
+1464386082.375963	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,246,131).	T	10.3.22.91	205.167.25.101	63107	-
+1464386082.552860	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2016/721024-99999-2016.gz	-	37514	226	Transfer complete	-	-	-	-	-
+1464386083.192341	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,244,209).	T	10.3.22.91	205.167.25.101	62673	-
+1464386083.368960	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2012/721025-99999-2012.gz	-	6344	226	Transfer complete	-	-	-	-	-
+1464386083.831147	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,238,0).	T	10.3.22.91	205.167.25.101	60928	-
+1464386084.007897	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2013/721025-99999-2013.gz	-	38321	226	Transfer complete	-	-	-	-	-
+1464386084.645421	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,248,136).	T	10.3.22.91	205.167.25.101	63624	-
+1464386084.822464	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2014/721025-99999-2014.gz	-	71621	226	Transfer complete	-	-	-	-	-
+1464386085.577725	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,244,197).	T	10.3.22.91	205.167.25.101	62661	-
+1464386085.755664	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2015/721025-99999-2015.gz	-	95410	226	Transfer complete	-	-	-	-	-
+1464386086.564703	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,249,168).	T	10.3.22.91	205.167.25.101	63912	-
+1464386086.742081	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2016/721025-99999-2016.gz	-	37492	226	Transfer complete	-	-	-	-	-
+1464386087.381942	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,238,28).	T	10.3.22.91	205.167.25.101	60956	-
+1464386087.559085	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2012/721026-99999-2012.gz	-	11618	226	Transfer complete	-	-	-	-	-
+1464386088.018524	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,237,199).	T	10.3.22.91	205.167.25.101	60871	-
+1464386088.195663	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2013/721026-99999-2013.gz	-	56418	226	Transfer complete	-	-	-	-	-
+1464386088.922040	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,238,138).	T	10.3.22.91	205.167.25.101	61066	-
+1464386089.098569	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2014/721026-99999-2014.gz	-	66162	226	Transfer complete	-	-	-	-	-
+1464386089.830651	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,239,24).	T	10.3.22.91	205.167.25.101	61208	-
+1464386090.007754	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2015/721026-99999-2015.gz	-	97213	226	Transfer complete	-	-	-	-	-
+1464386090.819751	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,247,80).	T	10.3.22.91	205.167.25.101	63312	-
+1464386090.996369	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2016/721026-99999-2016.gz	-	30908	226	Transfer complete	-	-	-	-	-
+1464386091.536822	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,235,140).	T	10.3.22.91	205.167.25.101	60300	-
+1464386091.713888	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2012/721027-99999-2012.gz	-	47845	226	Transfer complete	-	-	-	-	-
+1464386092.349327	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,252,199).	T	10.3.22.91	205.167.25.101	64711	-
+1464386092.526250	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2013/721027-99999-2013.gz	-	18154	226	Transfer complete	-	-	-	-	-
+1464386093.071650	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,243,40).	T	10.3.22.91	205.167.25.101	62248	-
+1464386093.248719	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2012/721028-99999-2012.gz	-	134	226	Transfer complete	-	-	-	-	-
+1464386093.695938	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,241,61).	T	10.3.22.91	205.167.25.101	61757	-
+1464386093.872924	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/2013/721028-99999-2013.gz	-	37552	226	Transfer complete	-	-	-	-	-
+1464386094.513460	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,242,239).	T	10.3.22.91	205.167.25.101	62191	-
+1464386094.691203	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/isd-lite/721028-99999-2014.gz	-	74539	226	Transfer complete	-	-	-	-	-
+1464386095.490373	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,241,224).	T	10.3.22.91	205.167.25.101	61920	-
+1464386095.689530	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2015/721028-99999-2015.gz	-	75961	226	Transfer complete	-	-	-	-	-
+1464386096.511326	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,251,102).	T	10.3.22.91	205.167.25.101	64358	-
+1464386096.688313	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2016/721028-99999-2016.gz	-	31278	226	Transfer complete	-	-	-	-	-
+1464386097.244244	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,250,195).	T	10.3.22.91	205.167.25.101	64195	-
+1464386097.421503	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2013/721029-00347-2013.gz	-	73381	226	Transfer complete	-	-	-	-	-
+1464386098.150056	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,249,68).	T	10.3.22.91	205.167.25.101	63812	-
+1464386098.327126	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2014/721029-00347-2014.gz	-	77827	226	Transfer complete	-	-	-	-	-
+1464386099.141676	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,236,129).	T	10.3.22.91	205.167.25.101	60545	-
+1464386099.318374	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2015/721029-00347-2015.gz	-	73783	226	Transfer complete	-	-	-	-	-
+1464386100.040817	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,250,235).	T	10.3.22.91	205.167.25.101	64235	-
+1464386100.217843	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2016/721029-00347-2016.gz	-	31844	226	Transfer complete	-	-	-	-	-
+1464386100.766377	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,241,138).	T	10.3.22.91	205.167.25.101	61834	-
+1464386100.944285	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2012/721029-99999-2012.gz	-	43992	226	Transfer complete	-	-	-	-	-
+1464386102.382137	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,245,58).	T	10.3.22.91	205.167.25.101	62778	-
+1464386102.559351	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2015/721029-99999-2015.gz	-	1859	226	Transfer complete	-	-	-	-	-
+1464386103.020423	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,252,226).	T	10.3.22.91	205.167.25.101	64738	-
+1464386103.197332	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2013/721031-00348-2013.gz	-	59158	226	Transfer complete	-	-	-	-	-
+1464386103.921992	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,240,142).	T	10.3.22.91	205.167.25.101	61582	-
+1464386104.099462	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2014/721031-00348-2014.gz	-	59631	226	Transfer complete	-	-	-	-	-
+1464386104.821061	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,236,146).	T	10.3.22.91	205.167.25.101	60562	-
+1464386104.997797	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2015/721031-00348-2015.gz	-	56722	226	Transfer complete	-	-	-	-	-
+1464386105.808393	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,239,141).	T	10.3.22.91	205.167.25.101	61325	-
+1464386105.985189	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2016/721031-00348-2016.gz	-	24481	226	Transfer complete	-	-	-	-	-
+1464386106.531277	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,234,198).	T	10.3.22.91	205.167.25.101	60102	-
+1464386106.708560	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2012/721031-99999-2012.gz	-	42410	226	Transfer complete	-	-	-	-	-
+1464386107.390001	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,244,186).	T	10.3.22.91	205.167.25.101	62650	-
+1464386107.566655	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2012/721032-99999-2012.gz	-	42801	226	Transfer complete	-	-	-	-	-
+1464386108.199446	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,249,188).	T	10.3.22.91	205.167.25.101	63932	-
+1464386108.376268	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2013/721032-99999-2013.gz	-	22024	226	Transfer complete	-	-	-	-	-
+1464386108.934798	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,246,234).	T	10.3.22.91	205.167.25.101	63210	-
+1464386109.111948	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2013/721033-00350-2013.gz	-	67793	226	Transfer complete	-	-	-	-	-
+1464386109.835945	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,255,44).	T	10.3.22.91	205.167.25.101	65324	-
+1464386110.012927	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2014/721033-00350-2014.gz	-	72888	226	Transfer complete	-	-	-	-	-
+1464386110.734262	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,253,93).	T	10.3.22.91	205.167.25.101	64861	-
+1464386110.911243	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2015/721033-00350-2015.gz	-	72838	226	Transfer complete	-	-	-	-	-
+1464386111.644000	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,239,115).	T	10.3.22.91	205.167.25.101	61299	-
+1464386111.820940	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2016/721033-00350-2016.gz	-	30522	226	Transfer complete	-	-	-	-	-
+1464386112.377346	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,243,243).	T	10.3.22.91	205.167.25.101	62451	-
+1464386112.554303	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2012/721033-99999-2012.gz	-	29894	226	Transfer complete	-	-	-	-	-
+1464386113.101125	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,247,6).	T	10.3.22.91	205.167.25.101	63238	-
+1464386113.278511	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2013/721034-00351-2013.gz	-	72484	226	Transfer complete	-	-	-	-	-
+1464386114.006853	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,243,47).	T	10.3.22.91	205.167.25.101	62255	-
+1464386114.183834	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2014/721034-00351-2014.gz	-	76858	226	Transfer complete	-	-	-	-	-
+1464386114.987758	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,247,91).	T	10.3.22.91	205.167.25.101	63323	-
+1464386115.164840	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2015/721034-00351-2015.gz	-	76682	226	Transfer complete	-	-	-	-	-
+1464386115.887061	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,251,48).	T	10.3.22.91	205.167.25.101	64304	-
+1464386116.064284	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2016/721034-00351-2016.gz	-	31702	226	Transfer complete	-	-	-	-	-
+1464386116.617585	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,247,231).	T	10.3.22.91	205.167.25.101	63463	-
+1464386116.794726	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2012/721034-99999-2012.gz	-	40661	226	Transfer complete	-	-	-	-	-
+1464386117.429907	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,238,173).	T	10.3.22.91	205.167.25.101	61101	-
+1464386117.607058	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2013/721035-00352-2013.gz	-	66895	226	Transfer complete	-	-	-	-	-
+1464386118.329561	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,252,93).	T	10.3.22.91	205.167.25.101	64605	-
+1464386118.506641	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2014/721035-00352-2014.gz	-	63174	226	Transfer complete	-	-	-	-	-
+1464386119.226077	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,244,176).	T	10.3.22.91	205.167.25.101	62640	-
+1464386119.402969	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2015/721035-00352-2015.gz	-	31879	226	Transfer complete	-	-	-	-	-
+1464386119.947894	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,247,117).	T	10.3.22.91	205.167.25.101	63349	-
+1464386120.124829	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2012/721035-99999-2012.gz	-	26698	226	Transfer complete	-	-	-	-	-
+1464386120.667961	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,237,155).	T	10.3.22.91	205.167.25.101	60827	-
+1464386120.845050	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2015/721035-99999-2015.gz	-	39316	226	Transfer complete	-	-	-	-	-
+1464386121.485680	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,253,64).	T	10.3.22.91	205.167.25.101	64832	-
+1464386121.662339	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2016/721035-99999-2016.gz	-	30420	226	Transfer complete	-	-	-	-	-
+1464386122.204019	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,254,246).	T	10.3.22.91	205.167.25.101	65270	-
+1464386122.380724	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2013/721036-00353-2013.gz	-	48710	226	Transfer complete	-	-	-	-	-
+1464386123.121375	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,254,162).	T	10.3.22.91	205.167.25.101	65186	-
+1464386123.298575	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2014/721036-00353-2014.gz	-	62748	226	Transfer complete	-	-	-	-	-
+1464386124.032430	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,248,5).	T	10.3.22.91	205.167.25.101	63493	-
+1464386124.209153	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2015/721036-00353-2015.gz	-	32045	226	Transfer complete	-	-	-	-	-
+1464386124.764743	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	226	Transfer complete	T	10.3.22.91	205.167.25.101	63547	-
+1464386125.402972	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,235,36).	T	10.3.22.91	205.167.25.101	60196	-
+1464386125.580473	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2012/721036-99999-2012.gz	-	20649	226	Transfer complete	-	-	-	-	-
+1464386126.167145	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,242,242).	T	10.3.22.91	205.167.25.101	62194	-
+1464386126.344161	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2015/721036-99999-2015.gz	-	14947	226	Transfer complete	-	-	-	-	-
+1464386126.901443	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,255,101).	T	10.3.22.91	205.167.25.101	65381	-
+1464386127.077787	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2013/721037-99999-2013.gz	-	77	226	Transfer complete	-	-	-	-	-
+1464386127.526130	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,245,255).	T	10.3.22.91	205.167.25.101	62975	-
+1464386127.702959	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2016/721037-99999-2016.gz	-	64	226	Transfer complete	-	-	-	-	-
+1464386128.152024	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,239,213).	T	10.3.22.91	205.167.25.101	61397	-
+1464386128.328839	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2013/721038-99999-2013.gz	-	66	226	Transfer complete	-	-	-	-	-
+1464386128.775767	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,239,245).	T	10.3.22.91	205.167.25.101	61429	-
+1464386128.952733	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2015/721038-99999-2015.gz	-	65	226	Transfer complete	-	-	-	-	-
+1464386129.419307	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,248,49).	T	10.3.22.91	205.167.25.101	63537	-
+1464386129.595708	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2012/721041-99999-2012.gz	-	12992	226	Transfer complete	-	-	-	-	-
+1464386130.055019	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,245,3).	T	10.3.22.91	205.167.25.101	62723	-
+1464386130.232182	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2013/721041-99999-2013.gz	-	58699	226	Transfer complete	-	-	-	-	-
+1464386130.957512	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,240,91).	T	10.3.22.91	205.167.25.101	61531	-
+1464386131.134676	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2014/721041-99999-2014.gz	-	58029	226	Transfer complete	-	-	-	-	-
+1464386131.867379	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,236,237).	T	10.3.22.91	205.167.25.101	60653	-
+1464386132.044548	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2015/721041-99999-2015.gz	-	57989	226	Transfer complete	-	-	-	-	-
+1464386132.677060	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,238,193).	T	10.3.22.91	205.167.25.101	61121	-
+1464386132.853772	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2016/721041-99999-2016.gz	-	24927	226	Transfer complete	-	-	-	-	-
+1464386133.404194	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,252,230).	T	10.3.22.91	205.167.25.101	64742	-
+1464386133.581006	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2013/721042-00486-2013.gz	-	57878	226	Transfer complete	-	-	-	-	-
+1464386134.314169	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,236,27).	T	10.3.22.91	205.167.25.101	60443	-
+1464386134.491624	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2014/721042-00486-2014.gz	-	50195	226	Transfer complete	-	-	-	-	-
+1464386135.136313	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,236,31).	T	10.3.22.91	205.167.25.101	60447	-
+1464386135.313105	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2015/721042-00486-2015.gz	-	30678	226	Transfer complete	-	-	-	-	-
+1464386135.868152	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,236,90).	T	10.3.22.91	205.167.25.101	60506	-
+1464386136.046049	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2016/721042-00486-2016.gz	-	31765	226	Transfer complete	-	-	-	-	-
+1464386136.601192	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,245,174).	T	10.3.22.91	205.167.25.101	62894	-
+1464386136.777678	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2012/721042-99999-2012.gz	-	20108	226	Transfer complete	-	-	-	-	-
+1464386137.324780	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,248,197).	T	10.3.22.91	205.167.25.101	63685	-
+1464386137.501350	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2012/721043-99999-2012.gz	-	22050	226	Transfer complete	-	-	-	-	-
+1464386138.065317	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,245,42).	T	10.3.22.91	205.167.25.101	62762	-
+1464386138.242597	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2013/721043-99999-2013.gz	-	57560	226	Transfer complete	-	-	-	-	-
+1464386138.972715	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,237,10).	T	10.3.22.91	205.167.25.101	60682	-
+1464386139.151468	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2014/721043-99999-2014.gz	-	57389	226	Transfer complete	-	-	-	-	-
+1464386139.878304	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,243,246).	T	10.3.22.91	205.167.25.101	62454	-
+1464386140.055980	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2015/721043-99999-2015.gz	-	56240	226	Transfer complete	-	-	-	-	-
+1464386140.792041	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,237,19).	T	10.3.22.91	205.167.25.101	60691	-
+1464386140.969513	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2016/721043-99999-2016.gz	-	24003	226	Transfer complete	-	-	-	-	-
+1464386141.524957	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,241,88).	T	10.3.22.91	205.167.25.101	61784	-
+1464386141.702204	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2012/721044-99999-2012.gz	-	24048	226	Transfer complete	-	-	-	-	-
+1464386142.251123	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,240,84).	T	10.3.22.91	205.167.25.101	61524	-
+1464386142.429502	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2013/721044-99999-2013.gz	-	72915	226	Transfer complete	-	-	-	-	-
+1464386143.158347	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,247,99).	T	10.3.22.91	205.167.25.101	63331	-
+1464386143.335538	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2014/721044-99999-2014.gz	-	77564	226	Transfer complete	-	-	-	-	-
+1464386144.064341	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,254,109).	T	10.3.22.91	205.167.25.101	65133	-
+1464386144.243776	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2015/721044-99999-2015.gz	-	77056	226	Transfer complete	-	-	-	-	-
+1464386144.984327	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,243,144).	T	10.3.22.91	205.167.25.101	62352	-
+1464386145.168635	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2016/721044-99999-2016.gz	-	-	226	Transfer complete	-	-	-	-	-
+1464386145.744036	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,244,164).	T	10.3.22.91	205.167.25.101	62628	-
+1464386145.924423	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2015/721045-00354-2015.gz	-	33592	226	Transfer complete	-	-	-	-	-
+1464386146.596666	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,253,101).	T	10.3.22.91	205.167.25.101	64869	-
+1464386146.778122	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2016/721045-00354-2016.gz	-	22501	226	Transfer complete	-	-	-	-	-
+1464386147.336998	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,242,51).	T	10.3.22.91	205.167.25.101	62003	-
+1464386147.520233	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2012/721045-99999-2012.gz	-	22021	226	Transfer complete	-	-	-	-	-
+1464386148.097086	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,236,170).	T	10.3.22.91	205.167.25.101	60586	-
+1464386148.282208	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2013/721045-99999-2013.gz	-	59274	226	Transfer complete	-	-	-	-	-
+1464386149.046334	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,245,161).	T	10.3.22.91	205.167.25.101	62881	-
+1464386149.230439	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2014/721045-99999-2014.gz	-	58820	226	Transfer complete	-	-	-	-	-
+1464386149.988992	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,242,248).	T	10.3.22.91	205.167.25.101	62200	-
+1464386150.176810	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2015/721045-99999-2015.gz	-	25746	226	Transfer complete	-	-	-	-	-
+1464386150.761671	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,245,60).	T	10.3.22.91	205.167.25.101	62780	-
+1464386150.950580	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2012/721046-99999-2012.gz	-	19255	226	Transfer complete	-	-	-	-	-
+1464386151.539887	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,245,8).	T	10.3.22.91	205.167.25.101	62728	-
+1464386151.733578	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2013/721046-99999-2013.gz	-	67082	226	Transfer complete	-	-	-	-	-
+1464386152.519757	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,254,151).	T	10.3.22.91	205.167.25.101	65175	-
+1464386152.714437	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2014/721046-99999-2014.gz	-	71590	226	Transfer complete	-	-	-	-	-
+1464386153.523220	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,250,178).	T	10.3.22.91	205.167.25.101	64178	-
+1464386153.725759	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2015/721046-99999-2015.gz	-	72396	226	Transfer complete	-	-	-	-	-
+1464386154.467287	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,250,157).	T	10.3.22.91	205.167.25.101	64157	-
+1464386154.652499	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2016/721046-99999-2016.gz	-	30561	226	Transfer complete	-	-	-	-	-
+1464386155.396203	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,246,202).	T	10.3.22.91	205.167.25.101	63178	-
+1464386155.585224	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2012/721047-99999-2012.gz	-	13833	226	Transfer complete	-	-	-	-	-
+1464386156.067036	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,239,182).	T	10.3.22.91	205.167.25.101	61366	-
+1464386156.247860	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2015/721048-00471-2015.gz	-	1793	226	Transfer complete	-	-	-	-	-
+1464386156.719652	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,234,250).	T	10.3.22.91	205.167.25.101	60154	-
+1464386156.899977	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2013/721048-99999-2013.gz	-	31629	226	Transfer complete	-	-	-	-	-
+1464386157.479677	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,249,88).	T	10.3.22.91	205.167.25.101	63832	-
+1464386157.657982	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2014/721048-99999-2014.gz	-	76343	226	Transfer complete	-	-	-	-	-
+1464386158.405913	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,244,24).	T	10.3.22.91	205.167.25.101	62488	-
+1464386158.585830	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2015/721048-99999-2015.gz	-	70968	226	Transfer complete	-	-	-	-	-
+1464386159.336274	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,253,128).	T	10.3.22.91	205.167.25.101	64896	-
+1464386159.521792	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2016/721048-99999-2016.gz	-	28522	226	Transfer complete	-	-	-	-	-
+1464386160.087564	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,251,19).	T	10.3.22.91	205.167.25.101	64275	-
+1464386160.271009	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2006/722003-54930-2006.gz	-	60799	226	Transfer complete	-	-	-	-	-
+1464386161.046682	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,245,215).	T	10.3.22.91	205.167.25.101	62935	-
+1464386161.232624	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2007/722003-54930-2007.gz	-	63484	226	Transfer complete	-	-	-	-	-
+1464386161.992270	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,255,123).	T	10.3.22.91	205.167.25.101	65403	-
+1464386162.172178	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2008/722003-54930-2008.gz	-	64998	226	Transfer complete	-	-	-	-	-
+1464386162.919959	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,240,195).	T	10.3.22.91	205.167.25.101	61635	-
+1464386163.099464	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2009/722003-54930-2009.gz	-	80015	226	Transfer complete	-	-	-	-	-
+1464386163.945690	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,238,157).	T	10.3.22.91	205.167.25.101	61085	-
+1464386164.125872	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2010/722003-54930-2010.gz	-	69658	226	Transfer complete	-	-	-	-	-
+1464386164.888644	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,244,166).	T	10.3.22.91	205.167.25.101	62630	-
+1464386165.074067	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2011/722003-54930-2011.gz	-	79998	226	Transfer complete	-	-	-	-	-
+1464386165.962802	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,243,110).	T	10.3.22.91	205.167.25.101	62318	-
+1464386166.144171	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2012/722003-54930-2012.gz	-	80332	226	Transfer complete	-	-	-	-	-
+1464386166.977659	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,248,52).	T	10.3.22.91	205.167.25.101	63540	-
+1464386167.162651	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2013/722003-54930-2013.gz	-	78824	226	Transfer complete	-	-	-	-	-
+1464386167.930141	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,247,89).	T	10.3.22.91	205.167.25.101	63321	-
+1464386168.117619	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2014/722003-54930-2014.gz	-	79568	226	Transfer complete	-	-	-	-	-
+1464386168.893474	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,250,102).	T	10.3.22.91	205.167.25.101	64102	-
+1464386169.071957	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2015/722003-54930-2015.gz	-	75611	226	Transfer complete	-	-	-	-	-
+1464386169.818062	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,254,41).	T	10.3.22.91	205.167.25.101	65065	-
+1464386170.003127	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2016/722003-54930-2016.gz	-	32136	226	Transfer complete	-	-	-	-	-
+1464386170.674807	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,238,190).	T	10.3.22.91	205.167.25.101	61118	-
+1464386170.862318	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/1988/722003-99999-1988.gz	-	613	226	Transfer complete	-	-	-	-	-
+1464386171.379685	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,248,213).	T	10.3.22.91	205.167.25.101	63701	-
+1464386171.569829	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2005/722003-99999-2005.gz	-	28357	226	Transfer complete	-	-	-	-	-
+1464386172.173672	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,241,187).	T	10.3.22.91	205.167.25.101	61883	-
+1464386172.364763	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2006/722004-54922-2006.gz	-	61842	226	Transfer complete	-	-	-	-	-
+1464386173.108189	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,249,2).	T	10.3.22.91	205.167.25.101	63746	-
+1464386173.292556	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2007/722004-54922-2007.gz	-	62844	226	Transfer complete	-	-	-	-	-
+1464386174.053105	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,246,59).	T	10.3.22.91	205.167.25.101	63035	-
+1464386174.229433	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2008/722004-54922-2008.gz	-	65524	226	Transfer complete	-	-	-	-	-
+1464386175.015077	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,249,142).	T	10.3.22.91	205.167.25.101	63886	-
+1464386175.215920	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2009/722004-54922-2009.gz	-	80200	226	Transfer complete	-	-	-	-	-
+1464386176.064476	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,251,77).	T	10.3.22.91	205.167.25.101	64333	-
+1464386176.241471	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2010/722004-54922-2010.gz	-	79304	226	Transfer complete	-	-	-	-	-
+1464386177.060410	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,235,221).	T	10.3.22.91	205.167.25.101	60381	-
+1464386177.237384	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2011/722004-54922-2011.gz	-	71428	226	Transfer complete	-	-	-	-	-
+1464386177.969191	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,236,136).	T	10.3.22.91	205.167.25.101	60552	-
+1464386178.146122	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2012/722004-54922-2012.gz	-	61534	226	Transfer complete	-	-	-	-	-
+1464386178.872431	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,240,139).	T	10.3.22.91	205.167.25.101	61579	-
+1464386179.049210	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2013/722004-54922-2013.gz	-	58327	226	Transfer complete	-	-	-	-	-
+1464386179.780064	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,246,134).	T	10.3.22.91	205.167.25.101	63110	-
+1464386179.956783	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2014/722004-54922-2014.gz	-	63924	226	Transfer complete	-	-	-	-	-
+1464386180.685049	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,235,32).	T	10.3.22.91	205.167.25.101	60192	-
+1464386180.862014	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2015/722004-54922-2015.gz	-	63526	226	Transfer complete	-	-	-	-	-
+1464386181.587636	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,235,63).	T	10.3.22.91	205.167.25.101	60223	-
+1464386181.764393	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2016/722004-54922-2016.gz	-	25908	226	Transfer complete	-	-	-	-	-
+1464386182.320229	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,241,36).	T	10.3.22.91	205.167.25.101	61732	-
+1464386182.497508	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2005/722004-99999-2005.gz	-	26733	226	Transfer complete	-	-	-	-	-
+1464386183.053559	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,247,139).	T	10.3.22.91	205.167.25.101	63371	-
+1464386183.232376	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2005/722005-99999-2005.gz	-	9251	226	Transfer complete	-	-	-	-	-
+1464386183.705954	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,240,150).	T	10.3.22.91	205.167.25.101	61590	-
+1464386183.883075	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2008/722005-99999-2008.gz	-	333	226	Transfer complete	-	-	-	-	-
+1464386184.330891	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,241,191).	T	10.3.22.91	205.167.25.101	61887	-
+1464386184.507759	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2006/722006-54926-2006.gz	-	62704	226	Transfer complete	-	-	-	-	-
+1464386185.505350	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,240,228).	T	10.3.22.91	205.167.25.101	61668	-
+1464386185.682562	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2007/722006-54926-2007.gz	-	63086	226	Transfer complete	-	-	-	-	-
+1464386186.410489	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,250,78).	T	10.3.22.91	205.167.25.101	64078	-
+1464386186.587241	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2008/722006-54926-2008.gz	-	62981	226	Transfer complete	-	-	-	-	-
+1464386187.314483	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,239,65).	T	10.3.22.91	205.167.25.101	61249	-
+1464386187.491490	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2009/722006-54926-2009.gz	-	62067	226	Transfer complete	-	-	-	-	-
+1464386188.213735	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,235,248).	T	10.3.22.91	205.167.25.101	60408	-
+1464386188.390650	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2010/722006-54926-2010.gz	-	61156	226	Transfer complete	-	-	-	-	-
+1464386189.117130	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,240,39).	T	10.3.22.91	205.167.25.101	61479	-
+1464386189.294190	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2011/722006-54926-2011.gz	-	62658	226	Transfer complete	-	-	-	-	-
+1464386190.026161	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,238,189).	T	10.3.22.91	205.167.25.101	61117	-
+1464386190.203216	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2012/722006-54926-2012.gz	-	63256	226	Transfer complete	-	-	-	-	-
+1464386190.935444	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,242,92).	T	10.3.22.91	205.167.25.101	62044	-
+1464386191.113274	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2013/722006-54926-2013.gz	-	62140	226	Transfer complete	-	-	-	-	-
+1464386191.840531	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,244,100).	T	10.3.22.91	205.167.25.101	62564	-
+1464386192.018216	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2014/722006-54926-2014.gz	-	59726	226	Transfer complete	-	-	-	-	-
+1464386192.740731	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,249,3).	T	10.3.22.91	205.167.25.101	63747	-
+1464386192.917379	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2015/722006-54926-2015.gz	-	61081	226	Transfer complete	-	-	-	-	-
+1464386193.642218	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,251,106).	T	10.3.22.91	205.167.25.101	64362	-
+1464386193.819992	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2016/722006-54926-2016.gz	-	25593	226	Transfer complete	-	-	-	-	-
+1464386194.363996	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,236,154).	T	10.3.22.91	205.167.25.101	60570	-
+1464386194.540830	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2005/722006-99999-2005.gz	-	56030	226	Transfer complete	-	-	-	-	-
+1464386195.269642	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,240,93).	T	10.3.22.91	205.167.25.101	61533	-
+1464386195.446677	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2008/722007-54828-2008.gz	-	6573	226	Transfer complete	-	-	-	-	-
+1464386195.903180	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,245,209).	T	10.3.22.91	205.167.25.101	62929	-
+1464386196.080082	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2009/722007-54828-2009.gz	-	61549	226	Transfer complete	-	-	-	-	-
+1464386196.806138	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,234,196).	T	10.3.22.91	205.167.25.101	60100	-
+1464386196.985146	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2010/722007-54828-2010.gz	-	59846	226	Transfer complete	-	-	-	-	-
+1464386197.717496	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,244,187).	T	10.3.22.91	205.167.25.101	62651	-
+1464386197.894289	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2011/722007-54828-2011.gz	-	61272	226	Transfer complete	-	-	-	-	-
+1464386198.628556	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,238,167).	T	10.3.22.91	205.167.25.101	61095	-
+1464386198.807036	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2012/722007-54828-2012.gz	-	73262	226	Transfer complete	-	-	-	-	-
+1464386199.550314	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,242,31).	T	10.3.22.91	205.167.25.101	61983	-
+1464386199.727438	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2013/722007-54828-2013.gz	-	75472	226	Transfer complete	-	-	-	-	-
+1464386200.450218	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,237,191).	T	10.3.22.91	205.167.25.101	60863	-
+1464386200.628785	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2014/722007-54828-2014.gz	-	71885	226	Transfer complete	-	-	-	-	-
+1464386201.356500	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,250,131).	T	10.3.22.91	205.167.25.101	64131	-
+1464386201.533320	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2015/722007-54828-2015.gz	-	75549	226	Transfer complete	-	-	-	-	-
+1464386202.258187	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,235,175).	T	10.3.22.91	205.167.25.101	60335	-
+1464386202.435539	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2016/722007-54828-2016.gz	-	29802	226	Transfer complete	-	-	-	-	-
+1464386202.984349	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,254,173).	T	10.3.22.91	205.167.25.101	65197	-
+1464386203.161542	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2006/722008-12995-2006.gz	-	150	226	Transfer complete	-	-	-	-	-
+1464386203.618030	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,252,0).	T	10.3.22.91	205.167.25.101	64512	-
+1464386203.795219	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2007/722008-12995-2007.gz	-	67	226	Transfer complete	-	-	-	-	-
+1464386204.245213	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,237,215).	T	10.3.22.91	205.167.25.101	60887	-
+1464386204.422387	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2008/722008-12995-2008.gz	-	189	226	Transfer complete	-	-	-	-	-
+1464386204.882502	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,242,136).	T	10.3.22.91	205.167.25.101	62088	-
+1464386205.079388	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2009/722008-12995-2009.gz	-	4070	226	Transfer complete	-	-	-	-	-
+1464386205.590648	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,238,152).	T	10.3.22.91	205.167.25.101	61080	-
+1464386205.767453	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2010/722008-12995-2010.gz	-	21437	226	Transfer complete	-	-	-	-	-
+1464386206.316562	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,240,26).	T	10.3.22.91	205.167.25.101	61466	-
+1464386206.493603	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2011/722008-12995-2011.gz	-	53991	226	Transfer complete	-	-	-	-	-
+1464386207.132349	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,249,77).	T	10.3.22.91	205.167.25.101	63821	-
+1464386207.309086	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2012/722008-12995-2012.gz	-	53165	226	Transfer complete	-	-	-	-	-
+1464386208.030767	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,251,195).	T	10.3.22.91	205.167.25.101	64451	-
+1464386208.207822	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2013/722008-12995-2013.gz	-	71926	226	Transfer complete	-	-	-	-	-
+1464386208.929477	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,246,80).	T	10.3.22.91	205.167.25.101	63056	-
+1464386209.106756	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2014/722008-12995-2014.gz	-	74267	226	Transfer complete	-	-	-	-	-
+1464386209.837395	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,235,13).	T	10.3.22.91	205.167.25.101	60173	-
+1464386210.014192	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2015/722008-12995-2015.gz	-	72294	226	Transfer complete	-	-	-	-	-
+1464386210.917444	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,236,169).	T	10.3.22.91	205.167.25.101	60585	-
+1464386211.094780	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2016/722008-12995-2016.gz	-	30489	226	Transfer complete	-	-	-	-	-
+1464386211.994325	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,240,160).	T	10.3.22.91	205.167.25.101	61600	-
+1464386212.171200	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2005/722008-99999-2005.gz	-	78	226	Transfer complete	-	-	-	-	-
+1464386212.624938	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,239,238).	T	10.3.22.91	205.167.25.101	61422	-
+1464386212.803896	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/1973/722010-12836-1973.gz	-	78235	226	Transfer complete	-	-	-	-	-
+1464386213.626287	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,238,65).	T	10.3.22.91	205.167.25.101	60993	-
+1464386213.803363	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/1974/722010-12836-1974.gz	-	74187	226	Transfer complete	-	-	-	-	-
+1464386214.562174	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,246,103).	T	10.3.22.91	205.167.25.101	63079	-
+1464386214.761882	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/1975/722010-12836-1975.gz	-	75210	226	Transfer complete	-	-	-	-	-
+1464386215.651181	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,244,75).	T	10.3.22.91	205.167.25.101	62539	-
+1464386215.828093	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/1976/722010-12836-1976.gz	-	76112	226	Transfer complete	-	-	-	-	-
+1464386216.571787	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,246,62).	T	10.3.22.91	205.167.25.101	63038	-
+1464386216.748687	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/1977/722010-12836-1977.gz	-	75896	226	Transfer complete	-	-	-	-	-
+1464386217.474466	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,234,205).	T	10.3.22.91	205.167.25.101	60109	-
+1464386217.651724	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/1978/722010-12836-1978.gz	-	75760	226	Transfer complete	-	-	-	-	-
+1464386218.460077	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,237,80).	T	10.3.22.91	205.167.25.101	60752	-
+1464386218.637229	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/1979/722010-12836-1979.gz	-	76397	226	Transfer complete	-	-	-	-	-
+1464386219.455843	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,241,169).	T	10.3.22.91	205.167.25.101	61865	-
+1464386219.633166	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/1980/722010-12836-1980.gz	-	74519	226	Transfer complete	-	-	-	-	-
+1464386220.374667	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,237,7).	T	10.3.22.91	205.167.25.101	60679	-
+1464386220.552624	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/1981/722010-12836-1981.gz	-	76503	226	Transfer complete	-	-	-	-	-
+1464386221.295238	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,243,77).	T	10.3.22.91	205.167.25.101	62285	-
+1464386221.472457	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/1982/722010-12836-1982.gz	-	76634	226	Transfer complete	-	-	-	-	-
+1464386222.212476	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,253,26).	T	10.3.22.91	205.167.25.101	64794	-
+1464386222.389405	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/1983/722010-12836-1983.gz	-	79251	226	Transfer complete	-	-	-	-	-
+1464386223.136964	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,237,108).	T	10.3.22.91	205.167.25.101	60780	-
+1464386223.313656	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/1984/722010-12836-1984.gz	-	78175	226	Transfer complete	-	-	-	-	-
+1464386224.064777	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,253,169).	T	10.3.22.91	205.167.25.101	64937	-
+1464386224.262127	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/1985/722010-12836-1985.gz	-	78613	226	Transfer complete	-	-	-	-	-
+1464386225.063203	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,235,195).	T	10.3.22.91	205.167.25.101	60355	-
+1464386225.262095	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/1986/722010-12836-1986.gz	-	78893	226	Transfer complete	-	-	-	-	-
+1464386226.119852	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,245,44).	T	10.3.22.91	205.167.25.101	62764	-
+1464386226.296778	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/1987/722010-12836-1987.gz	-	79933	226	Transfer complete	-	-	-	-	-
+1464386227.120455	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,235,106).	T	10.3.22.91	205.167.25.101	60266	-
+1464386227.297628	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/1988/722010-12836-1988.gz	-	79755	226	Transfer complete	-	-	-	-	-
+1464386228.124636	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,251,230).	T	10.3.22.91	205.167.25.101	64486	-
+1464386228.301608	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/1989/722010-12836-1989.gz	-	80039	226	Transfer complete	-	-	-	-	-
+1464386229.105602	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,246,124).	T	10.3.22.91	205.167.25.101	63100	-
+1464386229.282414	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/1990/722010-12836-1990.gz	-	81891	226	Transfer complete	-	-	-	-	-
+1464386230.022383	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,255,184).	T	10.3.22.91	205.167.25.101	65464	-
+1464386230.199505	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/1991/722010-12836-1991.gz	-	81374	226	Transfer complete	-	-	-	-	-
+1464386231.022903	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,247,232).	T	10.3.22.91	205.167.25.101	63464	-
+1464386231.200210	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/1992/722010-12836-1992.gz	-	82679	226	Transfer complete	-	-	-	-	-
+1464386232.031988	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,249,244).	T	10.3.22.91	205.167.25.101	63988	-
+1464386232.209447	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/1993/722010-12836-1993.gz	-	83195	226	Transfer complete	-	-	-	-	-
+1464386233.024290	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,238,243).	T	10.3.22.91	205.167.25.101	61171	-
+1464386233.200965	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/1994/722010-12836-1994.gz	-	82818	226	Transfer complete	-	-	-	-	-
+1464386234.011296	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,234,113).	T	10.3.22.91	205.167.25.101	60017	-
+1464386234.188037	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/1995/722010-12836-1995.gz	-	82293	226	Transfer complete	-	-	-	-	-
+1464386235.023767	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,254,45).	T	10.3.22.91	205.167.25.101	65069	-
+1464386235.200824	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/1996/722010-12836-1996.gz	-	80109	226	Transfer complete	-	-	-	-	-
+1464386236.029415	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,244,173).	T	10.3.22.91	205.167.25.101	62637	-
+1464386236.208430	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/1997/722010-12836-1997.gz	-	79861	226	Transfer complete	-	-	-	-	-
+1464386236.938801	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,249,94).	T	10.3.22.91	205.167.25.101	63838	-
+1464386237.115766	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/1998/722010-12836-1998.gz	-	82143	226	Transfer complete	-	-	-	-	-
+1464386237.932823	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,249,242).	T	10.3.22.91	205.167.25.101	63986	-
+1464386238.110144	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/1999/722010-12836-1999.gz	-	81683	226	Transfer complete	-	-	-	-	-
+1464386238.848033	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,234,255).	T	10.3.22.91	205.167.25.101	60159	-
+1464386239.025127	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2000/722010-12836-2000.gz	-	80522	226	Transfer complete	-	-	-	-	-
+1464386239.853993	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,250,12).	T	10.3.22.91	205.167.25.101	64012	-
+1464386240.030933	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2001/722010-12836-2001.gz	-	80589	226	Transfer complete	-	-	-	-	-
+1464386240.776954	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,252,59).	T	10.3.22.91	205.167.25.101	64571	-
+1464386240.954461	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2002/722010-12836-2002.gz	-	80681	226	Transfer complete	-	-	-	-	-
+1464386241.773620	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,241,64).	T	10.3.22.91	205.167.25.101	61760	-
+1464386241.950500	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2003/722010-12836-2003.gz	-	81987	226	Transfer complete	-	-	-	-	-
+1464386242.772402	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,255,155).	T	10.3.22.91	205.167.25.101	65435	-
+1464386242.949485	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2004/722010-12836-2004.gz	-	82902	226	Transfer complete	-	-	-	-	-
+1464386243.772245	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,234,126).	T	10.3.22.91	205.167.25.101	60030	-
+1464386243.949447	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2005/722010-12836-2005.gz	-	81303	226	Transfer complete	-	-	-	-	-
+1464386244.783191	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,253,71).	T	10.3.22.91	205.167.25.101	64839	-
+1464386244.960701	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2006/722010-12836-2006.gz	-	81888	226	Transfer complete	-	-	-	-	-
+1464386245.779029	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,243,231).	T	10.3.22.91	205.167.25.101	62439	-
+1464386245.956110	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2007/722010-12836-2007.gz	-	81218	226	Transfer complete	-	-	-	-	-
+1464386246.781475	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,246,92).	T	10.3.22.91	205.167.25.101	63068	-
+1464386246.958233	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2008/722010-12836-2008.gz	-	80863	226	Transfer complete	-	-	-	-	-
+1464386247.770374	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,253,181).	T	10.3.22.91	205.167.25.101	64949	-
+1464386247.946908	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2009/722010-12836-2009.gz	-	80522	226	Transfer complete	-	-	-	-	-
+1464386248.763024	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,246,216).	T	10.3.22.91	205.167.25.101	63192	-
+1464386248.939691	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2010/722010-12836-2010.gz	-	81653	226	Transfer complete	-	-	-	-	-
+1464386249.674525	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,253,165).	T	10.3.22.91	205.167.25.101	64933	-
+1464386249.853279	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2011/722010-12836-2011.gz	-	79033	226	Transfer complete	-	-	-	-	-
+1464386250.580294	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,255,198).	T	10.3.22.91	205.167.25.101	65478	-
+1464386250.757093	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2012/722010-12836-2012.gz	-	80403	226	Transfer complete	-	-	-	-	-
+1464386251.568328	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,250,193).	T	10.3.22.91	205.167.25.101	64193	-
+1464386251.745646	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2013/722010-12836-2013.gz	-	79740	226	Transfer complete	-	-	-	-	-
+1464386252.475395	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,237,202).	T	10.3.22.91	205.167.25.101	60874	-
+1464386252.652010	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2014/722010-12836-2014.gz	-	80166	226	Transfer complete	-	-	-	-	-
+1464386253.374147	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,253,112).	T	10.3.22.91	205.167.25.101	64880	-
+1464386253.550461	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2015/722010-12836-2015.gz	-	79123	226	Transfer complete	-	-	-	-	-
+1464386254.276198	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,252,36).	T	10.3.22.91	205.167.25.101	64548	-
+1464386254.452944	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2016/722010-12836-2016.gz	-	33778	226	Transfer complete	-	-	-	-	-
+1464386255.091985	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,248,151).	T	10.3.22.91	205.167.25.101	63639	-
+1464386255.268712	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2006/722011-92813-2006.gz	-	18072	226	Transfer complete	-	-	-	-	-
+1464386255.838295	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,254,123).	T	10.3.22.91	205.167.25.101	65147	-
+1464386256.015372	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2007/722011-92813-2007.gz	-	16318	226	Transfer complete	-	-	-	-	-
+1464386256.570839	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,248,12).	T	10.3.22.91	205.167.25.101	63500	-
+1464386256.747404	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2008/722011-92813-2008.gz	-	39479	226	Transfer complete	-	-	-	-	-
+1464386257.382441	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,239,21).	T	10.3.22.91	205.167.25.101	61205	-
+1464386257.559233	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2009/722011-92813-2009.gz	-	39176	226	Transfer complete	-	-	-	-	-
+1464386258.205913	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,254,52).	T	10.3.22.91	205.167.25.101	65076	-
+1464386258.383067	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2010/722011-92813-2010.gz	-	38719	226	Transfer complete	-	-	-	-	-
+1464386259.021345	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,239,245).	T	10.3.22.91	205.167.25.101	61429	-
+1464386259.199308	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2011/722011-92813-2011.gz	-	39501	226	Transfer complete	-	-	-	-	-
+1464386259.852555	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,254,170).	T	10.3.22.91	205.167.25.101	65194	-
+1464386260.031713	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2012/722011-92813-2012.gz	-	39069	226	Transfer complete	-	-	-	-	-
+1464386260.671684	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,237,41).	T	10.3.22.91	205.167.25.101	60713	-
+1464386260.849182	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2013/722011-92813-2013.gz	-	34338	226	Transfer complete	-	-	-	-	-
+1464386261.395780	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,240,6).	T	10.3.22.91	205.167.25.101	61446	-
+1464386261.572781	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2014/722011-92813-2014.gz	-	35780	226	Transfer complete	-	-	-	-	-
+1464386262.215469	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,252,216).	T	10.3.22.91	205.167.25.101	64728	-
+1464386262.393154	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2015/722011-92813-2015.gz	-	35648	226	Transfer complete	-	-	-	-	-
+1464386262.945531	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,247,118).	T	10.3.22.91	205.167.25.101	63350	-
+1464386263.122071	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2016/722011-92813-2016.gz	-	15116	226	Transfer complete	-	-	-	-	-
+1464386263.671664	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,255,5).	T	10.3.22.91	205.167.25.101	65285	-
+1464386263.848664	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2002/722011-99999-2002.gz	-	21897	226	Transfer complete	-	-	-	-	-
+1464386264.394963	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,246,203).	T	10.3.22.91	205.167.25.101	63179	-
+1464386264.571612	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2003/722011-99999-2003.gz	-	22820	226	Transfer complete	-	-	-	-	-
+1464386265.137685	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,248,22).	T	10.3.22.91	205.167.25.101	63510	-
+1464386265.314614	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2004/722011-99999-2004.gz	-	12380	226	Transfer complete	-	-	-	-	-
+1464386265.776374	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,249,19).	T	10.3.22.91	205.167.25.101	63763	-
+1464386265.953395	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2005/722011-99999-2005.gz	-	10496	226	Transfer complete	-	-	-	-	-
+1464386266.425346	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,243,7).	T	10.3.22.91	205.167.25.101	62215	-
+1464386266.602687	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2005/722012-92817-2005.gz	-	7552	226	Transfer complete	-	-	-	-	-
+1464386267.066734	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,254,246).	T	10.3.22.91	205.167.25.101	65270	-
+1464386267.243914	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2006/722012-92817-2006.gz	-	157	226	Transfer complete	-	-	-	-	-
+1464386267.694669	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,248,175).	T	10.3.22.91	205.167.25.101	63663	-
+1464386267.871864	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2007/722012-92817-2007.gz	-	297	226	Transfer complete	-	-	-	-	-
+1464386268.321660	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,243,37).	T	10.3.22.91	205.167.25.101	62245	-
+1464386268.498993	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2008/722012-92817-2008.gz	-	229	226	Transfer complete	-	-	-	-	-
+1464386268.950607	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,252,63).	T	10.3.22.91	205.167.25.101	64575	-
+1464386269.127430	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2009/722012-92817-2009.gz	-	8407	226	Transfer complete	-	-	-	-	-
+1464386269.591595	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,236,151).	T	10.3.22.91	205.167.25.101	60567	-
+1464386269.768733	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2010/722012-92817-2010.gz	-	35409	226	Transfer complete	-	-	-	-	-
+1464386270.407273	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,255,34).	T	10.3.22.91	205.167.25.101	65314	-
+1464386270.585204	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2011/722012-92817-2011.gz	-	52080	226	Transfer complete	-	-	-	-	-
+1464386271.317747	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,249,245).	T	10.3.22.91	205.167.25.101	63989	-
+1464386271.494548	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2012/722012-92817-2012.gz	-	51900	226	Transfer complete	-	-	-	-	-
+1464386272.133056	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,249,15).	T	10.3.22.91	205.167.25.101	63759	-
+1464386272.310032	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2013/722012-92817-2013.gz	-	48800	226	Transfer complete	-	-	-	-	-
+1464386272.953003	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,252,200).	T	10.3.22.91	205.167.25.101	64712	-
+1464386273.129879	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2014/722012-92817-2014.gz	-	40584	226	Transfer complete	-	-	-	-	-
+1464386273.770081	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,250,83).	T	10.3.22.91	205.167.25.101	64083	-
+1464386273.946701	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2015/722012-92817-2015.gz	-	51954	226	Transfer complete	-	-	-	-	-
+1464386274.678531	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,248,214).	T	10.3.22.91	205.167.25.101	63702	-
+1464386274.855469	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2016/722012-92817-2016.gz	-	22112	226	Transfer complete	-	-	-	-	-
+1464386275.404812	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,247,139).	T	10.3.22.91	205.167.25.101	63371	-
+1464386275.581840	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2002/722012-99999-2002.gz	-	121	226	Transfer complete	-	-	-	-	-
+1464386276.030995	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,253,190).	T	10.3.22.91	205.167.25.101	64958	-
+1464386276.209529	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2003/722012-99999-2003.gz	-	202	226	Transfer complete	-	-	-	-	-
+1464386276.659644	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,246,72).	T	10.3.22.91	205.167.25.101	63048	-
+1464386276.837019	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2004/722012-99999-2004.gz	-	412	226	Transfer complete	-	-	-	-	-
+1464386277.301401	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,243,176).	T	10.3.22.91	205.167.25.101	62384	-
+1464386277.478624	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/1988/722013-99999-1988.gz	-	991	226	Transfer complete	-	-	-	-	-
+1464386277.953273	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,246,87).	T	10.3.22.91	205.167.25.101	63063	-
+1464386278.132008	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2006/722014-12818-2006.gz	-	83697	226	Transfer complete	-	-	-	-	-
+1464386278.857544	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,244,197).	T	10.3.22.91	205.167.25.101	62661	-
+1464386279.035340	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2007/722014-12818-2007.gz	-	83324	226	Transfer complete	-	-	-	-	-
+1464386279.848353	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,235,189).	T	10.3.22.91	205.167.25.101	60349	-
+1464386280.025614	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2008/722014-12818-2008.gz	-	83826	226	Transfer complete	-	-	-	-	-
+1464386280.839098	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,251,12).	T	10.3.22.91	205.167.25.101	64268	-
+1464386281.016142	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2009/722014-12818-2009.gz	-	82419	226	Transfer complete	-	-	-	-	-
+1464386281.830587	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,242,250).	T	10.3.22.91	205.167.25.101	62202	-
+1464386282.007281	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2010/722014-12818-2010.gz	-	83446	226	Transfer complete	-	-	-	-	-
+1464386282.827723	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,241,83).	T	10.3.22.91	205.167.25.101	61779	-
+1464386283.004639	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2011/722014-12818-2011.gz	-	82497	226	Transfer complete	-	-	-	-	-
+1464386283.816350	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,249,183).	T	10.3.22.91	205.167.25.101	63927	-
+1464386283.993327	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2012/722014-12818-2012.gz	-	83026	226	Transfer complete	-	-	-	-	-
+1464386284.808816	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,245,195).	T	10.3.22.91	205.167.25.101	62915	-
+1464386284.987055	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2013/722014-12818-2013.gz	-	82897	226	Transfer complete	-	-	-	-	-
+1464386285.814162	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,246,250).	T	10.3.22.91	205.167.25.101	63226	-
+1464386285.991088	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2014/722014-12818-2014.gz	-	82769	226	Transfer complete	-	-	-	-	-
+1464386286.728464	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,246,144).	T	10.3.22.91	205.167.25.101	63120	-
+1464386286.905042	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2015/722014-12818-2015.gz	-	82907	226	Transfer complete	-	-	-	-	-
+1464386287.638934	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,237,59).	T	10.3.22.91	205.167.25.101	60731	-
+1464386287.816096	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2016/722014-12818-2016.gz	-	34834	226	Transfer complete	-	-	-	-	-
+1464386288.458512	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,246,0).	T	10.3.22.91	205.167.25.101	62976	-
+1464386288.635655	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/1999/722014-99999-1999.gz	-	58141	226	Transfer complete	-	-	-	-	-
+1464386289.385337	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,237,93).	T	10.3.22.91	205.167.25.101	60765	-
+1464386289.562691	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2000/722014-99999-2000.gz	-	68258	226	Transfer complete	-	-	-	-	-
+1464386290.291971	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,250,241).	T	10.3.22.91	205.167.25.101	64241	-
+1464386290.468805	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2001/722014-99999-2001.gz	-	67455	226	Transfer complete	-	-	-	-	-
+1464386291.209272	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,239,20).	T	10.3.22.91	205.167.25.101	61204	-
+1464386291.386258	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2002/722014-99999-2002.gz	-	72214	226	Transfer complete	-	-	-	-	-
+1464386292.116561	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,246,5).	T	10.3.22.91	205.167.25.101	62981	-
+1464386292.293621	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2003/722014-99999-2003.gz	-	75374	226	Transfer complete	-	-	-	-	-
+1464386293.025988	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,249,233).	T	10.3.22.91	205.167.25.101	63977	-
+1464386293.202929	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2004/722014-99999-2004.gz	-	65856	226	Transfer complete	-	-	-	-	-
+1464386293.926709	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,253,99).	T	10.3.22.91	205.167.25.101	64867	-
+1464386294.104124	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2005/722014-99999-2005.gz	-	76124	226	Transfer complete	-	-	-	-	-
+1464386294.855229	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,254,203).	T	10.3.22.91	205.167.25.101	65227	-
+1464386295.031789	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/1973/722015-12850-1973.gz	-	81845	226	Transfer complete	-	-	-	-	-
+1464386295.871533	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,246,41).	T	10.3.22.91	205.167.25.101	63017	-
+1464386296.051442	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/1974/722015-12850-1974.gz	-	79475	226	Transfer complete	-	-	-	-	-
+1464386296.798579	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,255,155).	T	10.3.22.91	205.167.25.101	65435	-
+1464386296.980217	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/1975/722015-12850-1975.gz	-	78851	226	Transfer complete	-	-	-	-	-
+1464386297.931008	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,253,238).	T	10.3.22.91	205.167.25.101	65006	-
+1464386298.108059	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/1976/722015-12850-1976.gz	-	79644	226	Transfer complete	-	-	-	-	-
+1464386298.929960	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,240,32).	T	10.3.22.91	205.167.25.101	61472	-
+1464386299.106986	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/1977/722015-12850-1977.gz	-	78561	226	Transfer complete	-	-	-	-	-
+1464386299.846062	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,248,172).	T	10.3.22.91	205.167.25.101	63660	-
+1464386300.022859	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/1978/722015-12850-1978.gz	-	79393	226	Transfer complete	-	-	-	-	-
+1464386300.747748	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,250,184).	T	10.3.22.91	205.167.25.101	64184	-
+1464386300.925411	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/1979/722015-12850-1979.gz	-	80301	226	Transfer complete	-	-	-	-	-
+1464386301.739501	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,234,116).	T	10.3.22.91	205.167.25.101	60020	-
+1464386301.916485	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/1980/722015-12850-1980.gz	-	79933	226	Transfer complete	-	-	-	-	-
+1464386302.742223	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,241,132).	T	10.3.22.91	205.167.25.101	61828	-
+1464386302.919347	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/1981/722015-12850-1981.gz	-	79692	226	Transfer complete	-	-	-	-	-
+1464386303.748472	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,242,68).	T	10.3.22.91	205.167.25.101	62020	-
+1464386303.925871	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/1982/722015-12850-1982.gz	-	78365	226	Transfer complete	-	-	-	-	-
+1464386305.099203	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,253,210).	T	10.3.22.91	205.167.25.101	64978	-
+1464386305.277028	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/1983/722015-12850-1983.gz	-	80250	226	Transfer complete	-	-	-	-	-
+1464386306.020990	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,253,109).	T	10.3.22.91	205.167.25.101	64877	-
+1464386306.199761	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/1984/722015-12850-1984.gz	-	79545	226	Transfer complete	-	-	-	-	-
+1464386307.044450	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,251,149).	T	10.3.22.91	205.167.25.101	64405	-
+1464386307.225445	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/1985/722015-12850-1985.gz	-	78787	226	Transfer complete	-	-	-	-	-
+1464386308.064104	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,244,42).	T	10.3.22.91	205.167.25.101	62506	-
+1464386308.242108	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/1986/722015-12850-1986.gz	-	78221	226	Transfer complete	-	-	-	-	-
+1464386309.082216	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,242,51).	T	10.3.22.91	205.167.25.101	62003	-
+1464386309.259291	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/1987/722015-12850-1987.gz	-	79672	226	Transfer complete	-	-	-	-	-
+1464386310.100125	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,252,242).	T	10.3.22.91	205.167.25.101	64754	-
+1464386310.277160	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/1988/722015-12850-1988.gz	-	80148	226	Transfer complete	-	-	-	-	-
+1464386311.024682	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,239,56).	T	10.3.22.91	205.167.25.101	61240	-
+1464386311.201900	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/1989/722015-12850-1989.gz	-	78673	226	Transfer complete	-	-	-	-	-
+1464386312.025948	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,250,205).	T	10.3.22.91	205.167.25.101	64205	-
+1464386312.203357	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/1990/722015-12850-1990.gz	-	78540	226	Transfer complete	-	-	-	-	-
+1464386312.942351	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,238,70).	T	10.3.22.91	205.167.25.101	60998	-
+1464386313.118723	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/1991/722015-12850-1991.gz	-	78061	226	Transfer complete	-	-	-	-	-
+1464386313.953697	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,254,144).	T	10.3.22.91	205.167.25.101	65168	-
+1464386314.130595	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/1992/722015-12850-1992.gz	-	79362	226	Transfer complete	-	-	-	-	-
+1464386314.881166	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,240,146).	T	10.3.22.91	205.167.25.101	61586	-
+1464386315.058199	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/1993/722015-12850-1993.gz	-	79103	226	Transfer complete	-	-	-	-	-
+1464386315.889215	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,250,225).	T	10.3.22.91	205.167.25.101	64225	-
+1464386316.065832	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/1994/722015-12850-1994.gz	-	78344	226	Transfer complete	-	-	-	-	-
+1464386316.798941	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,245,34).	T	10.3.22.91	205.167.25.101	62754	-
+1464386316.976258	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/1995/722015-12850-1995.gz	-	79455	226	Transfer complete	-	-	-	-	-
+1464386317.786458	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,243,109).	T	10.3.22.91	205.167.25.101	62317	-
+1464386317.963479	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/1996/722015-12850-1996.gz	-	77113	226	Transfer complete	-	-	-	-	-
+1464386318.702795	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,240,226).	T	10.3.22.91	205.167.25.101	61666	-
+1464386318.879461	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/1997/722015-12850-1997.gz	-	73061	226	Transfer complete	-	-	-	-	-
+1464386319.610408	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,248,31).	T	10.3.22.91	205.167.25.101	63519	-
+1464386319.787411	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/1998/722015-12850-1998.gz	-	77156	226	Transfer complete	-	-	-	-	-
+1464386320.521547	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,238,96).	T	10.3.22.91	205.167.25.101	61024	-
+1464386320.698582	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/1999/722015-12850-1999.gz	-	73057	226	Transfer complete	-	-	-	-	-
+1464386321.447200	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,245,151).	T	10.3.22.91	205.167.25.101	62871	-
+1464386321.624279	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2000/722015-12850-2000.gz	-	68406	226	Transfer complete	-	-	-	-	-
+1464386322.352659	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,238,37).	T	10.3.22.91	205.167.25.101	60965	-
+1464386322.529944	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2001/722015-12850-2001.gz	-	69743	226	Transfer complete	-	-	-	-	-
+1464386323.271219	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,253,233).	T	10.3.22.91	205.167.25.101	65001	-
+1464386323.448239	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2002/722015-12850-2002.gz	-	73216	226	Transfer complete	-	-	-	-	-
+1464386324.192102	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,242,252).	T	10.3.22.91	205.167.25.101	62204	-
+1464386324.369214	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2003/722015-12850-2003.gz	-	66103	226	Transfer complete	-	-	-	-	-
+1464386325.092509	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,236,241).	T	10.3.22.91	205.167.25.101	60657	-
+1464386325.269431	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2004/722015-12850-2004.gz	-	52041	226	Transfer complete	-	-	-	-	-
+1464386325.908021	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,244,20).	T	10.3.22.91	205.167.25.101	62484	-
+1464386326.088034	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2005/722015-12850-2005.gz	-	51853	226	Transfer complete	-	-	-	-	-
+1464386326.746490	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,242,153).	T	10.3.22.91	205.167.25.101	62105	-
+1464386326.925315	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2006/722015-12850-2006.gz	-	57158	226	Transfer complete	-	-	-	-	-
+1464386327.577388	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,234,225).	T	10.3.22.91	205.167.25.101	60129	-
+1464386327.754684	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2007/722015-12850-2007.gz	-	79623	226	Transfer complete	-	-	-	-	-
+1464386328.481115	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,249,212).	T	10.3.22.91	205.167.25.101	63956	-
+1464386328.658078	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2008/722015-12850-2008.gz	-	78113	226	Transfer complete	-	-	-	-	-
+1464386329.390431	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,235,71).	T	10.3.22.91	205.167.25.101	60231	-
+1464386329.567803	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2009/722015-12850-2009.gz	-	80410	226	Transfer complete	-	-	-	-	-
+1464386330.381263	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,251,57).	T	10.3.22.91	205.167.25.101	64313	-
+1464386330.559628	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2010/722015-12850-2010.gz	-	82226	226	Transfer complete	-	-	-	-	-
+1464386331.376811	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,249,232).	T	10.3.22.91	205.167.25.101	63976	-
+1464386331.553440	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2011/722015-12850-2011.gz	-	79845	226	Transfer complete	-	-	-	-	-
+1464386332.362461	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,242,108).	T	10.3.22.91	205.167.25.101	62060	-
+1464386332.539729	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2012/722015-12850-2012.gz	-	79497	226	Transfer complete	-	-	-	-	-
+1464386333.353985	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,237,126).	T	10.3.22.91	205.167.25.101	60798	-
+1464386333.532340	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2013/722015-12850-2013.gz	-	78796	226	Transfer complete	-	-	-	-	-
+1464386334.265178	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,247,188).	T	10.3.22.91	205.167.25.101	63420	-
+1464386334.452211	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2014/722015-12850-2014.gz	-	79436	226	Transfer complete	-	-	-	-	-
+1464386335.341996	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,239,218).	T	10.3.22.91	205.167.25.101	61402	-
+1464386335.541871	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2015/722015-12850-2015.gz	-	78247	226	Transfer complete	-	-	-	-	-
+1464386336.381672	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,254,179).	T	10.3.22.91	205.167.25.101	65203	-
+1464386336.558670	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2016/722015-12850-2016.gz	-	33645	226	Transfer complete	-	-	-	-	-
+1464386337.195427	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,235,232).	T	10.3.22.91	205.167.25.101	60392	-
+1464386337.372369	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2006/722016-12896-2006.gz	-	79989	226	Transfer complete	-	-	-	-	-
+1464386338.254754	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,247,174).	T	10.3.22.91	205.167.25.101	63406	-
+1464386338.431618	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2007/722016-12896-2007.gz	-	80006	226	Transfer complete	-	-	-	-	-
+1464386339.169088	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,251,167).	T	10.3.22.91	205.167.25.101	64423	-
+1464386339.345943	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2008/722016-12896-2008.gz	-	80330	226	Transfer complete	-	-	-	-	-
+1464386340.095567	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,240,193).	T	10.3.22.91	205.167.25.101	61633	-
+1464386340.272494	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2009/722016-12896-2009.gz	-	79706	226	Transfer complete	-	-	-	-	-
+1464386341.000539	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,242,125).	T	10.3.22.91	205.167.25.101	62077	-
+1464386341.177425	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2010/722016-12896-2010.gz	-	81217	226	Transfer complete	-	-	-	-	-
+1464386341.990031	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,255,142).	T	10.3.22.91	205.167.25.101	65422	-
+1464386342.167032	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2011/722016-12896-2011.gz	-	79195	226	Transfer complete	-	-	-	-	-
+1464386342.890925	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,239,82).	T	10.3.22.91	205.167.25.101	61266	-
+1464386343.067769	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2012/722016-12896-2012.gz	-	80216	226	Transfer complete	-	-	-	-	-
+1464386343.877127	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,248,175).	T	10.3.22.91	205.167.25.101	63663	-
+1464386344.054228	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2013/722016-12896-2013.gz	-	78879	226	Transfer complete	-	-	-	-	-
+1464386344.777716	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,250,112).	T	10.3.22.91	205.167.25.101	64112	-
+1464386344.954812	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2014/722016-12896-2014.gz	-	78596	226	Transfer complete	-	-	-	-	-
+1464386345.687077	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,250,20).	T	10.3.22.91	205.167.25.101	64020	-
+1464386345.864281	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2015/722016-12896-2015.gz	-	78136	226	Transfer complete	-	-	-	-	-
+1464386346.599713	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,236,29).	T	10.3.22.91	205.167.25.101	60445	-
+1464386346.776504	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2016/722016-12896-2016.gz	-	33301	226	Transfer complete	-	-	-	-	-
+1464386347.334789	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,235,84).	T	10.3.22.91	205.167.25.101	60244	-
+1464386347.511827	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/1988/722016-99999-1988.gz	-	6961	226	Transfer complete	-	-	-	-	-
+1464386347.975332	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,242,52).	T	10.3.22.91	205.167.25.101	62004	-
+1464386348.152509	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/1989/722016-99999-1989.gz	-	2687	226	Transfer complete	-	-	-	-	-
+1464386348.628419	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,240,30).	T	10.3.22.91	205.167.25.101	61470	-
+1464386348.805814	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/1990/722016-99999-1990.gz	-	2384	226	Transfer complete	-	-	-	-	-
+1464386349.269124	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,246,140).	T	10.3.22.91	205.167.25.101	63116	-
+1464386349.446438	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/1991/722016-99999-1991.gz	-	4422	226	Transfer complete	-	-	-	-	-
+1464386349.915953	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,245,250).	T	10.3.22.91	205.167.25.101	62970	-
+1464386350.093277	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/1992/722016-99999-1992.gz	-	4564	226	Transfer complete	-	-	-	-	-
+1464386350.554812	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,238,8).	T	10.3.22.91	205.167.25.101	60936	-
+1464386350.731653	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/1993/722016-99999-1993.gz	-	5589	226	Transfer complete	-	-	-	-	-
+1464386351.203460	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,255,40).	T	10.3.22.91	205.167.25.101	65320	-
+1464386351.379844	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/1994/722016-99999-1994.gz	-	5422	226	Transfer complete	-	-	-	-	-
+1464386351.841164	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,248,140).	T	10.3.22.91	205.167.25.101	63628	-
+1464386352.018154	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/1995/722016-99999-1995.gz	-	27843	226	Transfer complete	-	-	-	-	-
+1464386352.572088	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,247,189).	T	10.3.22.91	205.167.25.101	63421	-
+1464386352.749222	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/1996/722016-99999-1996.gz	-	20262	226	Transfer complete	-	-	-	-	-
+1464386353.312027	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,241,195).	T	10.3.22.91	205.167.25.101	61891	-
+1464386353.488851	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/1997/722016-99999-1997.gz	-	17446	226	Transfer complete	-	-	-	-	-
+1464386354.067043	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,249,13).	T	10.3.22.91	205.167.25.101	63757	-
+1464386354.244372	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/1998/722016-99999-1998.gz	-	51868	226	Transfer complete	-	-	-	-	-
+1464386354.890401	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,241,146).	T	10.3.22.91	205.167.25.101	61842	-
+1464386355.067181	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/1999/722016-99999-1999.gz	-	70735	226	Transfer complete	-	-	-	-	-
+1464386355.816047	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,242,170).	T	10.3.22.91	205.167.25.101	62122	-
+1464386355.993150	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2000/722016-99999-2000.gz	-	66848	226	Transfer complete	-	-	-	-	-
+1464386356.738491	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,244,71).	T	10.3.22.91	205.167.25.101	62535	-
+1464386356.915508	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2001/722016-99999-2001.gz	-	68775	226	Transfer complete	-	-	-	-	-
+1464386357.645728	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,235,124).	T	10.3.22.91	205.167.25.101	60284	-
+1464386357.822391	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2002/722016-99999-2002.gz	-	70904	226	Transfer complete	-	-	-	-	-
+1464386358.557664	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,250,182).	T	10.3.22.91	205.167.25.101	64182	-
+1464386358.734525	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2003/722016-99999-2003.gz	-	71757	226	Transfer complete	-	-	-	-	-
+1464386359.474202	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,247,101).	T	10.3.22.91	205.167.25.101	63333	-
+1464386359.651137	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2004/722016-99999-2004.gz	-	74537	226	Transfer complete	-	-	-	-	-
+1464386360.383013	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,248,216).	T	10.3.22.91	205.167.25.101	63704	-
+1464386360.559976	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2005/722016-99999-2005.gz	-	71149	226	Transfer complete	-	-	-	-	-
+1464386361.299004	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,234,146).	T	10.3.22.91	205.167.25.101	60050	-
+1464386361.475959	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2006/722017-12876-2006.gz	-	79750	226	Transfer complete	-	-	-	-	-
+1464386362.311663	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,246,26).	T	10.3.22.91	205.167.25.101	63002	-
+1464386362.488624	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2007/722017-12876-2007.gz	-	80707	226	Transfer complete	-	-	-	-	-
+1464386363.217474	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,250,97).	T	10.3.22.91	205.167.25.101	64097	-
+1464386363.394346	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2008/722017-12876-2008.gz	-	80808	226	Transfer complete	-	-	-	-	-
+1464386364.210968	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,247,224).	T	10.3.22.91	205.167.25.101	63456	-
+1464386364.425385	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2009/722017-12876-2009.gz	-	79435	226	Transfer complete	-	-	-	-	-
+1464386365.241996	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,241,194).	T	10.3.22.91	205.167.25.101	61890	-
+1464386365.418616	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2010/722017-12876-2010.gz	-	46863	226	Transfer complete	-	-	-	-	-
+1464386366.051522	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,235,35).	T	10.3.22.91	205.167.25.101	60195	-
+1464386366.228515	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/1999/722017-99999-1999.gz	-	54644	226	Transfer complete	-	-	-	-	-
+1464386366.963853	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,255,253).	T	10.3.22.91	205.167.25.101	65533	-
+1464386367.140837	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2000/722017-99999-2000.gz	-	75112	226	Transfer complete	-	-	-	-	-
+1464386367.890046	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,241,81).	T	10.3.22.91	205.167.25.101	61777	-
+1464386368.067065	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2001/722017-99999-2001.gz	-	18300	226	Transfer complete	-	-	-	-	-
+1464386368.629733	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,240,21).	T	10.3.22.91	205.167.25.101	61461	-
+1464386368.806627	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2000/722018-99999-2000.gz	-	74319	226	Transfer complete	-	-	-	-	-
+1464386369.543904	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,248,173).	T	10.3.22.91	205.167.25.101	63661	-
+1464386369.721168	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/2001/722018-99999-2001.gz	-	19016	226	Transfer complete	-	-	-	-	-
+1464386370.280993	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,235,195).	T	10.3.22.91	205.167.25.101	60355	-
+1464386370.457606	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/1975/722019-99999-1975.gz	-	4339	226	Transfer complete	-	-	-	-	-
+1464386370.916877	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,255,202).	T	10.3.22.91	205.167.25.101	65482	-
+1464386371.093619	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/1976/722019-99999-1976.gz	-	14751	226	Transfer complete	-	-	-	-	-
+1464386371.660711	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,250,107).	T	10.3.22.91	205.167.25.101	64107	-
+1464386371.837734	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/1977/722019-99999-1977.gz	-	15373	226	Transfer complete	-	-	-	-	-
+1464386372.396995	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,236,183).	T	10.3.22.91	205.167.25.101	60599	-
+1464386372.573969	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/1978/722019-99999-1978.gz	-	7239	226	Transfer complete	-	-	-	-	-
+1464386373.033790	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,242,0).	T	10.3.22.91	205.167.25.101	61952	-
+1464386373.210889	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/1979/722019-99999-1979.gz	-	2279	226	Transfer complete	-	-	-	-	-
+1464386373.672396	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,234,138).	T	10.3.22.91	205.167.25.101	60042	-
+1464386373.849347	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/1980/722019-99999-1980.gz	-	909	226	Transfer complete	-	-	-	-	-
+1464386374.317590	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,248,227).	T	10.3.22.91	205.167.25.101	63715	-
+1464386374.494723	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/1981/722019-99999-1981.gz	-	2382	226	Transfer complete	-	-	-	-	-
+1464386374.973261	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,253,154).	T	10.3.22.91	205.167.25.101	64922	-
+1464386375.149942	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/1982/722019-99999-1982.gz	-	917	226	Transfer complete	-	-	-	-	-
+1464386375.614138	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,238,51).	T	10.3.22.91	205.167.25.101	60979	-
+1464386375.791084	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/1983/722019-99999-1983.gz	-	537	226	Transfer complete	-	-	-	-	-
+1464386376.263587	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,248,13).	T	10.3.22.91	205.167.25.101	63501	-
+1464386376.440689	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/1984/722019-99999-1984.gz	-	88	226	Transfer complete	-	-	-	-	-
+1464386376.894812	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,246,40).	T	10.3.22.91	205.167.25.101	63016	-
+1464386377.071734	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/1987/722019-99999-1987.gz	-	334	226	Transfer complete	-	-	-	-	-
+1464386377.535511	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,251,144).	T	10.3.22.91	205.167.25.101	64400	-
+1464386377.712782	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/1991/722019-99999-1991.gz	-	157	226	Transfer complete	-	-	-	-	-
+1464386378.182810	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,255,112).	T	10.3.22.91	205.167.25.101	65392	-
+1464386378.360461	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/1992/722019-99999-1992.gz	-	120	226	Transfer complete	-	-	-	-	-
+1464386378.819582	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,239,54).	T	10.3.22.91	205.167.25.101	61238	-
+1464386378.997235	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/1973/722020-12839-1973.gz	-	85217	226	Transfer complete	-	-	-	-	-
+1464386379.825998	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,237,35).	T	10.3.22.91	205.167.25.101	60707	-
+1464386380.002895	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/noaa/722020-12839-1974.gz	-	84048	226	Transfer complete	-	-	-	-	-
+1464386380.839939	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,242,28).	T	10.3.22.91	205.167.25.101	61980	-
+1464386381.017526	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/1975/722020-12839-1975.gz	-	83600	226	Transfer complete	-	-	-	-	-
+1464386381.855024	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,249,29).	T	10.3.22.91	205.167.25.101	63773	-
+1464386382.037409	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/1976/722020-12839-1976.gz	-	84807	226	Transfer complete	-	-	-	-	-
+1464386382.851521	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,238,63).	T	10.3.22.91	205.167.25.101	60991	-
+1464386383.028370	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/1977/722020-12839-1977.gz	-	85368	226	Transfer complete	-	-	-	-	-
+1464386383.842620	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,236,212).	T	10.3.22.91	205.167.25.101	60628	-
+1464386384.020139	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/1978/722020-12839-1978.gz	-	85539	226	Transfer complete	-	-	-	-	-
+1464386384.836045	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,240,132).	T	10.3.22.91	205.167.25.101	61572	-
+1464386385.012692	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/1979/722020-12839-1979.gz	-	86740	226	Transfer complete	-	-	-	-	-
+1464386385.916810	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,252,184).	T	10.3.22.91	205.167.25.101	64696	-
+1464386386.093458	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/1980/722020-12839-1980.gz	-	87794	226	Transfer complete	-	-	-	-	-
+1464386386.913588	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,237,6).	T	10.3.22.91	205.167.25.101	60678	-
+1464386387.090205	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/1981/722020-12839-1981.gz	-	87738	226	Transfer complete	-	-	-	-	-
+1464386387.914873	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,252,62).	T	10.3.22.91	205.167.25.101	64574	-
+1464386388.091574	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/1982/722020-12839-1982.gz	-	85972	226	Transfer complete	-	-	-	-	-
+1464386388.907414	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,247,27).	T	10.3.22.91	205.167.25.101	63259	-
+1464386389.084917	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/1983/722020-12839-1983.gz	-	87186	226	Transfer complete	-	-	-	-	-
+1464386389.913826	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,250,135).	T	10.3.22.91	205.167.25.101	64135	-
+1464386390.091412	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/1984/722020-12839-1984.gz	-	87840	226	Transfer complete	-	-	-	-	-
+1464386390.910729	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,238,2).	T	10.3.22.91	205.167.25.101	60930	-
+1464386391.090422	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/1985/722020-12839-1985.gz	-	87591	226	Transfer complete	-	-	-	-	-
+1464386391.929892	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,247,222).	T	10.3.22.91	205.167.25.101	63454	-
+1464386392.106826	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/1986/722020-12839-1986.gz	-	87263	226	Transfer complete	-	-	-	-	-
+1464386392.941944	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,250,134).	T	10.3.22.91	205.167.25.101	64134	-
+1464386393.118852	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/1987/722020-12839-1987.gz	-	87614	226	Transfer complete	-	-	-	-	-
+1464386393.951794	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,244,244).	T	10.3.22.91	205.167.25.101	62708	-
+1464386394.128839	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/1988/722020-12839-1988.gz	-	87847	226	Transfer complete	-	-	-	-	-
+1464386394.947711	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,253,148).	T	10.3.22.91	205.167.25.101	64916	-
+1464386395.124696	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/1989/722020-12839-1989.gz	-	85920	226	Transfer complete	-	-	-	-	-
+1464386395.949705	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,243,52).	T	10.3.22.91	205.167.25.101	62260	-
+1464386396.126692	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/1990/722020-12839-1990.gz	-	85460	226	Transfer complete	-	-	-	-	-
+1464386396.864799	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,246,87).	T	10.3.22.91	205.167.25.101	63063	-
+1464386397.041940	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/1991/722020-12839-1991.gz	-	85515	226	Transfer complete	-	-	-	-	-
+1464386397.863636	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,253,96).	T	10.3.22.91	205.167.25.101	64864	-
+1464386398.042163	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/1992/722020-12839-1992.gz	-	86295	226	Transfer complete	-	-	-	-	-
+1464386398.868553	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,237,161).	T	10.3.22.91	205.167.25.101	60833	-
+1464386399.046396	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/1993/722020-12839-1993.gz	-	87222	226	Transfer complete	-	-	-	-	-
+1464386399.885281	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,248,175).	T	10.3.22.91	205.167.25.101	63663	-
+1464386400.061876	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/1994/722020-12839-1994.gz	-	85808	226	Transfer complete	-	-	-	-	-
+1464386400.884823	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,239,97).	T	10.3.22.91	205.167.25.101	61281	-
+1464386401.061982	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/1995/722020-12839-1995.gz	-	84802	226	Transfer complete	-	-	-	-	-
+1464386401.885625	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,237,204).	T	10.3.22.91	205.167.25.101	60876	-
+1464386402.063102	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/1996/722020-12839-1996.gz	-	85081	226	Transfer complete	-	-	-	-	-
+1464386402.882468	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,241,148).	T	10.3.22.91	205.167.25.101	61844	-
+1464386403.060155	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/1997/722020-12839-1997.gz	-	86579	226	Transfer complete	-	-	-	-	-
+1464386403.803390	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,236,253).	T	10.3.22.91	205.167.25.101	60669	-
+1464386403.980298	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/1998/722020-12839-1998.gz	-	86012	226	Transfer complete	-	-	-	-	-
+1464386404.812288	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,241,159).	T	10.3.22.91	205.167.25.101	61855	-
+1464386404.989282	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/1999/722020-12839-1999.gz	-	84308	226	Transfer complete	-	-	-	-	-
+1464386405.816063	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,255,65).	T	10.3.22.91	205.167.25.101	65345	-
+1464386405.993134	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/2000/722020-12839-2000.gz	-	83645	226	Transfer complete	-	-	-	-	-
+1464386406.733746	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,248,197).	T	10.3.22.91	205.167.25.101	63685	-
+1464386406.910702	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/2001/722020-12839-2001.gz	-	83543	226	Transfer complete	-	-	-	-	-
+1464386407.729330	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,237,49).	T	10.3.22.91	205.167.25.101	60721	-
+1464386407.906225	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/2002/722020-12839-2002.gz	-	83745	226	Transfer complete	-	-	-	-	-
+1464386408.719195	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,254,179).	T	10.3.22.91	205.167.25.101	65203	-
+1464386408.896326	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/2003/722020-12839-2003.gz	-	84760	226	Transfer complete	-	-	-	-	-
+1464386409.709054	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,253,155).	T	10.3.22.91	205.167.25.101	64923	-
+1464386409.886325	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/2004/722020-12839-2004.gz	-	86694	226	Transfer complete	-	-	-	-	-
+1464386410.942717	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,239,244).	T	10.3.22.91	205.167.25.101	61428	-
+1464386411.119853	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/2005/722020-12839-2005.gz	-	85448	226	Transfer complete	-	-	-	-	-
+1464386411.938550	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,240,209).	T	10.3.22.91	205.167.25.101	61649	-
+1464386412.115297	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/2006/722020-12839-2006.gz	-	84688	226	Transfer complete	-	-	-	-	-
+1464386412.836824	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,246,186).	T	10.3.22.91	205.167.25.101	63162	-
+1464386413.014618	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/2007/722020-12839-2007.gz	-	84421	226	Transfer complete	-	-	-	-	-
+1464386413.842142	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,243,212).	T	10.3.22.91	205.167.25.101	62420	-
+1464386414.018876	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/2008/722020-12839-2008.gz	-	84735	226	Transfer complete	-	-	-	-	-
+1464386414.841220	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,243,69).	T	10.3.22.91	205.167.25.101	62277	-
+1464386415.018211	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/2009/722020-12839-2009.gz	-	83642	226	Transfer complete	-	-	-	-	-
+1464386415.831164	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,252,222).	T	10.3.22.91	205.167.25.101	64734	-
+1464386416.008126	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/2010/722020-12839-2010.gz	-	84853	226	Transfer complete	-	-	-	-	-
+1464386416.818766	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,240,142).	T	10.3.22.91	205.167.25.101	61582	-
+1464386416.995926	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/2011/722020-12839-2011.gz	-	83430	226	Transfer complete	-	-	-	-	-
+1464386417.816184	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,245,236).	T	10.3.22.91	205.167.25.101	62956	-
+1464386417.993269	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/2012/722020-12839-2012.gz	-	83869	226	Transfer complete	-	-	-	-	-
+1464386419.169716	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,249,30).	T	10.3.22.91	205.167.25.101	63774	-
+1464386419.346672	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/2013/722020-12839-2013.gz	-	83489	226	Transfer complete	-	-	-	-	-
+1464386420.379709	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,253,73).	T	10.3.22.91	205.167.25.101	64841	-
+1464386420.557043	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/2014/722020-12839-2014.gz	-	83990	226	Transfer complete	-	-	-	-	-
+1464386421.366370	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,240,117).	T	10.3.22.91	205.167.25.101	61557	-
+1464386421.543980	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/2015/722020-12839-2015.gz	-	83269	226	Transfer complete	-	-	-	-	-
+1464386422.367256	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,252,193).	T	10.3.22.91	205.167.25.101	64705	-
+1464386422.544229	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/2016/722020-12839-2016.gz	-	35339	226	Transfer complete	-	-	-	-	-
+1464386423.188630	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,245,41).	T	10.3.22.91	205.167.25.101	62761	-
+1464386423.365464	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/2005/722021-92816-2005.gz	-	46614	226	Transfer complete	-	-	-	-	-
+1464386424.009488	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,234,252).	T	10.3.22.91	205.167.25.101	60156	-
+1464386424.186294	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/2006/722021-92816-2006.gz	-	34215	226	Transfer complete	-	-	-	-	-
+1464386424.828565	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,241,182).	T	10.3.22.91	205.167.25.101	61878	-
+1464386425.005293	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/2007/722021-92816-2007.gz	-	40847	226	Transfer complete	-	-	-	-	-
+1464386425.646744	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,242,191).	T	10.3.22.91	205.167.25.101	62143	-
+1464386425.823923	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/2008/722021-92816-2008.gz	-	36970	226	Transfer complete	-	-	-	-	-
+1464386426.479666	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,243,209).	T	10.3.22.91	205.167.25.101	62417	-
+1464386426.656995	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/2009/722021-92816-2009.gz	-	54651	226	Transfer complete	-	-	-	-	-
+1464386427.302647	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,253,174).	T	10.3.22.91	205.167.25.101	64942	-
+1464386427.479739	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/2010/722021-92816-2010.gz	-	48742	226	Transfer complete	-	-	-	-	-
+1464386428.114402	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,240,32).	T	10.3.22.91	205.167.25.101	61472	-
+1464386428.291713	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/2011/722021-92816-2011.gz	-	45676	226	Transfer complete	-	-	-	-	-
+1464386428.923708	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,247,18).	T	10.3.22.91	205.167.25.101	63250	-
+1464386429.100828	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/2012/722021-92816-2012.gz	-	55871	226	Transfer complete	-	-	-	-	-
+1464386429.739141	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,246,95).	T	10.3.22.91	205.167.25.101	63071	-
+1464386429.916106	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/2013/722021-92816-2013.gz	-	55119	226	Transfer complete	-	-	-	-	-
+1464386430.553756	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,245,34).	T	10.3.22.91	205.167.25.101	62754	-
+1464386430.730906	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/2014/722021-92816-2014.gz	-	49545	226	Transfer complete	-	-	-	-	-
+1464386431.373835	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,250,126).	T	10.3.22.91	205.167.25.101	64126	-
+1464386431.551168	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/2015/722021-92816-2015.gz	-	49725	226	Transfer complete	-	-	-	-	-
+1464386432.190677	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,253,147).	T	10.3.22.91	205.167.25.101	64915	-
+1464386432.368024	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/2016/722021-92816-2016.gz	-	23181	226	Transfer complete	-	-	-	-	-
+1464386432.915739	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,247,191).	T	10.3.22.91	205.167.25.101	63423	-
+1464386433.093120	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/2002/722021-99999-2002.gz	-	25173	226	Transfer complete	-	-	-	-	-
+1464386433.652349	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,236,31).	T	10.3.22.91	205.167.25.101	60447	-
+1464386433.828856	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/2003/722021-99999-2003.gz	-	43064	226	Transfer complete	-	-	-	-	-
+1464386434.468934	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,252,213).	T	10.3.22.91	205.167.25.101	64725	-
+1464386434.646164	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/2004/722021-99999-2004.gz	-	31582	226	Transfer complete	-	-	-	-	-
+1464386435.281916	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,240,134).	T	10.3.22.91	205.167.25.101	61574	-
+1464386435.458645	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/2006/722022-12803-2006.gz	-	13008	226	Transfer complete	-	-	-	-	-
+1464386435.928855	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,238,240).	T	10.3.22.91	205.167.25.101	61168	-
+1464386436.106234	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/2007/722022-12803-2007.gz	-	7908	226	Transfer complete	-	-	-	-	-
+1464386436.581325	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,251,138).	T	10.3.22.91	205.167.25.101	64394	-
+1464386436.758447	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/2008/722022-12803-2008.gz	-	3523	226	Transfer complete	-	-	-	-	-
+1464386437.216947	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,238,35).	T	10.3.22.91	205.167.25.101	60963	-
+1464386437.394355	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/2009/722022-12803-2009.gz	-	20837	226	Transfer complete	-	-	-	-	-
+1464386437.939761	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,244,133).	T	10.3.22.91	205.167.25.101	62597	-
+1464386438.116890	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/2010/722022-12803-2010.gz	-	27695	226	Transfer complete	-	-	-	-	-
+1464386438.666500	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,236,92).	T	10.3.22.91	205.167.25.101	60508	-
+1464386438.843721	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/2011/722022-12803-2011.gz	-	18864	226	Transfer complete	-	-	-	-	-
+1464386439.394258	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,250,125).	T	10.3.22.91	205.167.25.101	64125	-
+1464386439.571395	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/2012/722022-12803-2012.gz	-	17785	226	Transfer complete	-	-	-	-	-
+1464386440.129415	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,253,250).	T	10.3.22.91	205.167.25.101	65018	-
+1464386440.306537	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/2013/722022-12803-2013.gz	-	15540	226	Transfer complete	-	-	-	-	-
+1464386440.860251	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,245,66).	T	10.3.22.91	205.167.25.101	62786	-
+1464386441.037804	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/2014/722022-12803-2014.gz	-	28963	226	Transfer complete	-	-	-	-	-
+1464386441.592443	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,247,93).	T	10.3.22.91	205.167.25.101	63325	-
+1464386441.770744	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/2015/722022-12803-2015.gz	-	33823	226	Transfer complete	-	-	-	-	-
+1464386442.408045	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,238,138).	T	10.3.22.91	205.167.25.101	61066	-
+1464386442.585156	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/2016/722022-12803-2016.gz	-	8499	226	Transfer complete	-	-	-	-	-
+1464386443.042806	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,235,47).	T	10.3.22.91	205.167.25.101	60207	-
+1464386443.219490	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/2002/722022-99999-2002.gz	-	13441	226	Transfer complete	-	-	-	-	-
+1464386443.691378	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,240,125).	T	10.3.22.91	205.167.25.101	61565	-
+1464386443.869060	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/2003/722022-99999-2003.gz	-	16559	226	Transfer complete	-	-	-	-	-
+1464386444.434900	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,235,212).	T	10.3.22.91	205.167.25.101	60372	-
+1464386444.612442	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/2004/722022-99999-2004.gz	-	21601	226	Transfer complete	-	-	-	-	-
+1464386445.231501	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,241,69).	T	10.3.22.91	205.167.25.101	61765	-
+1464386445.409297	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/2005/722022-99999-2005.gz	-	17715	226	Transfer complete	-	-	-	-	-
+1464386445.957895	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,237,63).	T	10.3.22.91	205.167.25.101	60735	-
+1464386446.134898	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/2006/722024-12882-2006.gz	-	83887	226	Transfer complete	-	-	-	-	-
+1464386446.956720	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,246,158).	T	10.3.22.91	205.167.25.101	63134	-
+1464386447.133953	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/2007/722024-12882-2007.gz	-	84581	226	Transfer complete	-	-	-	-	-
+1464386448.012947	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,241,225).	T	10.3.22.91	205.167.25.101	61921	-
+1464386448.189743	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/2008/722024-12882-2008.gz	-	84898	226	Transfer complete	-	-	-	-	-
+1464386449.000324	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,244,150).	T	10.3.22.91	205.167.25.101	62614	-
+1464386449.176994	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/2009/722024-12882-2009.gz	-	83149	226	Transfer complete	-	-	-	-	-
+1464386450.005746	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,254,253).	T	10.3.22.91	205.167.25.101	65277	-
+1464386450.183578	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/2010/722024-12882-2010.gz	-	84584	226	Transfer complete	-	-	-	-	-
+1464386450.992789	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,251,82).	T	10.3.22.91	205.167.25.101	64338	-
+1464386451.170101	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/2011/722024-12882-2011.gz	-	83395	226	Transfer complete	-	-	-	-	-
+1464386451.896443	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,242,70).	T	10.3.22.91	205.167.25.101	62022	-
+1464386452.073316	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/2012/722024-12882-2012.gz	-	84281	226	Transfer complete	-	-	-	-	-
+1464386452.799225	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,239,31).	T	10.3.22.91	205.167.25.101	61215	-
+1464386452.976541	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/2013/722024-12882-2013.gz	-	83020	226	Transfer complete	-	-	-	-	-
+1464386453.787553	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,242,102).	T	10.3.22.91	205.167.25.101	62054	-
+1464386453.964656	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/2014/722024-12882-2014.gz	-	83297	226	Transfer complete	-	-	-	-	-
+1464386454.774662	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,254,69).	T	10.3.22.91	205.167.25.101	65093	-
+1464386454.952149	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/2015/722024-12882-2015.gz	-	83246	226	Transfer complete	-	-	-	-	-
+1464386455.685534	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,249,225).	T	10.3.22.91	205.167.25.101	63969	-
+1464386455.862418	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/2016/722024-12882-2016.gz	-	34849	226	Transfer complete	-	-	-	-	-
+1464386456.495749	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,236,230).	T	10.3.22.91	205.167.25.101	60646	-
+1464386456.672463	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/1962/722024-99999-1962.gz	-	724	226	Transfer complete	-	-	-	-	-
+1464386457.145814	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,251,217).	T	10.3.22.91	205.167.25.101	64473	-
+1464386457.323112	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/1983/722024-99999-1983.gz	-	5298	226	Transfer complete	-	-	-	-	-
+1464386457.790820	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,241,162).	T	10.3.22.91	205.167.25.101	61858	-
+1464386457.967681	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/1984/722024-99999-1984.gz	-	32545	226	Transfer complete	-	-	-	-	-
+1464386458.615253	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,238,166).	T	10.3.22.91	205.167.25.101	61094	-
+1464386458.792181	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/1985/722024-99999-1985.gz	-	31716	226	Transfer complete	-	-	-	-	-
+1464386459.352683	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,248,175).	T	10.3.22.91	205.167.25.101	63663	-
+1464386459.529720	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/1986/722024-99999-1986.gz	-	30733	226	Transfer complete	-	-	-	-	-
+1464386460.087366	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,247,200).	T	10.3.22.91	205.167.25.101	63432	-
+1464386460.264448	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/1987/722024-99999-1987.gz	-	30869	226	Transfer complete	-	-	-	-	-
+1464386460.821503	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,243,54).	T	10.3.22.91	205.167.25.101	62262	-
+1464386460.998420	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/1988/722024-99999-1988.gz	-	30297	226	Transfer complete	-	-	-	-	-
+1464386461.553742	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,244,59).	T	10.3.22.91	205.167.25.101	62523	-
+1464386461.730875	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/1989/722024-99999-1989.gz	-	30741	226	Transfer complete	-	-	-	-	-
+1464386462.326500	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,251,139).	T	10.3.22.91	205.167.25.101	64395	-
+1464386462.504335	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/1990/722024-99999-1990.gz	-	30868	226	Transfer complete	-	-	-	-	-
+1464386463.080355	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,253,92).	T	10.3.22.91	205.167.25.101	64860	-
+1464386463.257309	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/1991/722024-99999-1991.gz	-	31592	226	Transfer complete	-	-	-	-	-
+1464386463.824054	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,246,55).	T	10.3.22.91	205.167.25.101	63031	-
+1464386464.001057	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/1992/722024-99999-1992.gz	-	25289	226	Transfer complete	-	-	-	-	-
+1464386464.560921	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,246,10).	T	10.3.22.91	205.167.25.101	62986	-
+1464386464.737901	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/1993/722024-99999-1993.gz	-	30171	226	Transfer complete	-	-	-	-	-
+1464386465.294490	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	PASV	-	-	-	227	Entering Passive Mode (205,167,25,101,251,88).	T	10.3.22.91	205.167.25.101	64344	-
+1464386465.471708	CXWv6p3arKYeMETxOg	10.3.22.91	58218	10.167.25.101	21	anonymous	anonymous@	RETR	ftp://10.167.25.101/./pub/data/1994/722024-99999-1994.gz	-	29736	226	Transfer complete	-	-	-	-	-
+#close	2016-05-28-16-43-09
diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.cwd-navigation/output.log b/testing/btest/Baseline/scripts.base.protocols.ftp.cwd-navigation/output.log
new file mode 100644
index 0000000000..d35b68144f
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ftp.cwd-navigation/output.log
@@ -0,0 +1,4147 @@
+CWD, .
+CWD, .
+CWD, .
+CWD, .
+CWD, .
+CWD, .
+CWD, .
+CWD, .
+CWD, .
+CWD, .
+CWD, .
+CWD, .
+CWD, .
+CWD, .
+CWD, .
+CWD, .
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2011
+CWD, ./pub/data/noaa/isd-lite/2011
+CWD, ./pub/data/noaa/isd-lite/2011
+CWD, ./pub/data/noaa/isd-lite/2011
+CWD, ./pub/data/noaa/isd-lite/2011
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2011
+CWD, ./pub/data/noaa/isd-lite/2011
+CWD, ./pub/data/noaa/isd-lite/2011
+CWD, ./pub/data/noaa/isd-lite/2011
+CWD, ./pub/data/noaa/isd-lite/2011
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2011
+CWD, ./pub/data/noaa/isd-lite/2011
+CWD, ./pub/data/noaa/isd-lite/2011
+CWD, ./pub/data/noaa/isd-lite/2011
+CWD, ./pub/data/noaa/isd-lite/2011
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2011
+CWD, ./pub/data/noaa/isd-lite/2011
+CWD, ./pub/data/noaa/isd-lite/2011
+CWD, ./pub/data/noaa/isd-lite/2011
+CWD, ./pub/data/noaa/isd-lite/2011
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2011
+CWD, ./pub/data/noaa/isd-lite/2011
+CWD, ./pub/data/noaa/isd-lite/2011
+CWD, ./pub/data/noaa/isd-lite/2011
+CWD, ./pub/data/noaa/isd-lite/2011
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2011
+CWD, ./pub/data/noaa/isd-lite/2011
+CWD, ./pub/data/noaa/isd-lite/2011
+CWD, ./pub/data/noaa/isd-lite/2011
+CWD, ./pub/data/noaa/isd-lite/2011
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2011
+CWD, ./pub/data/noaa/isd-lite/2011
+CWD, ./pub/data/noaa/isd-lite/2011
+CWD, ./pub/data/noaa/isd-lite/2011
+CWD, ./pub/data/noaa/isd-lite/2011
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2011
+CWD, ./pub/data/noaa/isd-lite/2011
+CWD, ./pub/data/noaa/isd-lite/2011
+CWD, ./pub/data/noaa/isd-lite/2011
+CWD, ./pub/data/noaa/isd-lite/2011
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite/2014
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite/2015
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite/2016
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite/2012
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite/2013
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa/isd-lite
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2006
+CWD, ./pub/data/noaa/2006
+CWD, ./pub/data/noaa/2006
+CWD, ./pub/data/noaa/2006
+CWD, ./pub/data/noaa/2006
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2007
+CWD, ./pub/data/noaa/2007
+CWD, ./pub/data/noaa/2007
+CWD, ./pub/data/noaa/2007
+CWD, ./pub/data/noaa/2007
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2008
+CWD, ./pub/data/noaa/2008
+CWD, ./pub/data/noaa/2008
+CWD, ./pub/data/noaa/2008
+CWD, ./pub/data/noaa/2008
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2009
+CWD, ./pub/data/noaa/2009
+CWD, ./pub/data/noaa/2009
+CWD, ./pub/data/noaa/2009
+CWD, ./pub/data/noaa/2009
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2010
+CWD, ./pub/data/noaa/2010
+CWD, ./pub/data/noaa/2010
+CWD, ./pub/data/noaa/2010
+CWD, ./pub/data/noaa/2010
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2011
+CWD, ./pub/data/noaa/2011
+CWD, ./pub/data/noaa/2011
+CWD, ./pub/data/noaa/2011
+CWD, ./pub/data/noaa/2011
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/1988
+CWD, ./pub/data/noaa/1988
+CWD, ./pub/data/noaa/1988
+CWD, ./pub/data/noaa/1988
+CWD, ./pub/data/noaa/1988
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2005
+CWD, ./pub/data/noaa/2005
+CWD, ./pub/data/noaa/2005
+CWD, ./pub/data/noaa/2005
+CWD, ./pub/data/noaa/2005
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2006
+CWD, ./pub/data/noaa/2006
+CWD, ./pub/data/noaa/2006
+CWD, ./pub/data/noaa/2006
+CWD, ./pub/data/noaa/2006
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2007
+CWD, ./pub/data/noaa/2007
+CWD, ./pub/data/noaa/2007
+CWD, ./pub/data/noaa/2007
+CWD, ./pub/data/noaa/2007
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2008
+CWD, ./pub/data/noaa/2008
+CWD, ./pub/data/noaa/2008
+CWD, ./pub/data/noaa/2008
+CWD, ./pub/data/noaa/2008
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2009
+CWD, ./pub/data/noaa/2009
+CWD, ./pub/data/noaa/2009
+CWD, ./pub/data/noaa/2009
+CWD, ./pub/data/noaa/2009
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2010
+CWD, ./pub/data/noaa/2010
+CWD, ./pub/data/noaa/2010
+CWD, ./pub/data/noaa/2010
+CWD, ./pub/data/noaa/2010
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2011
+CWD, ./pub/data/noaa/2011
+CWD, ./pub/data/noaa/2011
+CWD, ./pub/data/noaa/2011
+CWD, ./pub/data/noaa/2011
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2005
+CWD, ./pub/data/noaa/2005
+CWD, ./pub/data/noaa/2005
+CWD, ./pub/data/noaa/2005
+CWD, ./pub/data/noaa/2005
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2005
+CWD, ./pub/data/noaa/2005
+CWD, ./pub/data/noaa/2005
+CWD, ./pub/data/noaa/2005
+CWD, ./pub/data/noaa/2005
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2008
+CWD, ./pub/data/noaa/2008
+CWD, ./pub/data/noaa/2008
+CWD, ./pub/data/noaa/2008
+CWD, ./pub/data/noaa/2008
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2006
+CWD, ./pub/data/noaa/2006
+CWD, ./pub/data/noaa/2006
+CWD, ./pub/data/noaa/2006
+CWD, ./pub/data/noaa/2006
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2007
+CWD, ./pub/data/noaa/2007
+CWD, ./pub/data/noaa/2007
+CWD, ./pub/data/noaa/2007
+CWD, ./pub/data/noaa/2007
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2008
+CWD, ./pub/data/noaa/2008
+CWD, ./pub/data/noaa/2008
+CWD, ./pub/data/noaa/2008
+CWD, ./pub/data/noaa/2008
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2009
+CWD, ./pub/data/noaa/2009
+CWD, ./pub/data/noaa/2009
+CWD, ./pub/data/noaa/2009
+CWD, ./pub/data/noaa/2009
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2010
+CWD, ./pub/data/noaa/2010
+CWD, ./pub/data/noaa/2010
+CWD, ./pub/data/noaa/2010
+CWD, ./pub/data/noaa/2010
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2011
+CWD, ./pub/data/noaa/2011
+CWD, ./pub/data/noaa/2011
+CWD, ./pub/data/noaa/2011
+CWD, ./pub/data/noaa/2011
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2005
+CWD, ./pub/data/noaa/2005
+CWD, ./pub/data/noaa/2005
+CWD, ./pub/data/noaa/2005
+CWD, ./pub/data/noaa/2005
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2008
+CWD, ./pub/data/noaa/2008
+CWD, ./pub/data/noaa/2008
+CWD, ./pub/data/noaa/2008
+CWD, ./pub/data/noaa/2008
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2009
+CWD, ./pub/data/noaa/2009
+CWD, ./pub/data/noaa/2009
+CWD, ./pub/data/noaa/2009
+CWD, ./pub/data/noaa/2009
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2010
+CWD, ./pub/data/noaa/2010
+CWD, ./pub/data/noaa/2010
+CWD, ./pub/data/noaa/2010
+CWD, ./pub/data/noaa/2010
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2011
+CWD, ./pub/data/noaa/2011
+CWD, ./pub/data/noaa/2011
+CWD, ./pub/data/noaa/2011
+CWD, ./pub/data/noaa/2011
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2006
+CWD, ./pub/data/noaa/2006
+CWD, ./pub/data/noaa/2006
+CWD, ./pub/data/noaa/2006
+CWD, ./pub/data/noaa/2006
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2007
+CWD, ./pub/data/noaa/2007
+CWD, ./pub/data/noaa/2007
+CWD, ./pub/data/noaa/2007
+CWD, ./pub/data/noaa/2007
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2008
+CWD, ./pub/data/noaa/2008
+CWD, ./pub/data/noaa/2008
+CWD, ./pub/data/noaa/2008
+CWD, ./pub/data/noaa/2008
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2009
+CWD, ./pub/data/noaa/2009
+CWD, ./pub/data/noaa/2009
+CWD, ./pub/data/noaa/2009
+CWD, ./pub/data/noaa/2009
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2010
+CWD, ./pub/data/noaa/2010
+CWD, ./pub/data/noaa/2010
+CWD, ./pub/data/noaa/2010
+CWD, ./pub/data/noaa/2010
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2011
+CWD, ./pub/data/noaa/2011
+CWD, ./pub/data/noaa/2011
+CWD, ./pub/data/noaa/2011
+CWD, ./pub/data/noaa/2011
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2005
+CWD, ./pub/data/noaa/2005
+CWD, ./pub/data/noaa/2005
+CWD, ./pub/data/noaa/2005
+CWD, ./pub/data/noaa/2005
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/1973
+CWD, ./pub/data/noaa/1973
+CWD, ./pub/data/noaa/1973
+CWD, ./pub/data/noaa/1973
+CWD, ./pub/data/noaa/1973
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/1974
+CWD, ./pub/data/noaa/1974
+CWD, ./pub/data/noaa/1974
+CWD, ./pub/data/noaa/1974
+CWD, ./pub/data/noaa/1974
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/1975
+CWD, ./pub/data/noaa/1975
+CWD, ./pub/data/noaa/1975
+CWD, ./pub/data/noaa/1975
+CWD, ./pub/data/noaa/1975
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/1976
+CWD, ./pub/data/noaa/1976
+CWD, ./pub/data/noaa/1976
+CWD, ./pub/data/noaa/1976
+CWD, ./pub/data/noaa/1976
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/1977
+CWD, ./pub/data/noaa/1977
+CWD, ./pub/data/noaa/1977
+CWD, ./pub/data/noaa/1977
+CWD, ./pub/data/noaa/1977
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/1978
+CWD, ./pub/data/noaa/1978
+CWD, ./pub/data/noaa/1978
+CWD, ./pub/data/noaa/1978
+CWD, ./pub/data/noaa/1978
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/1979
+CWD, ./pub/data/noaa/1979
+CWD, ./pub/data/noaa/1979
+CWD, ./pub/data/noaa/1979
+CWD, ./pub/data/noaa/1979
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/1980
+CWD, ./pub/data/noaa/1980
+CWD, ./pub/data/noaa/1980
+CWD, ./pub/data/noaa/1980
+CWD, ./pub/data/noaa/1980
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/1981
+CWD, ./pub/data/noaa/1981
+CWD, ./pub/data/noaa/1981
+CWD, ./pub/data/noaa/1981
+CWD, ./pub/data/noaa/1981
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/1982
+CWD, ./pub/data/noaa/1982
+CWD, ./pub/data/noaa/1982
+CWD, ./pub/data/noaa/1982
+CWD, ./pub/data/noaa/1982
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/1983
+CWD, ./pub/data/noaa/1983
+CWD, ./pub/data/noaa/1983
+CWD, ./pub/data/noaa/1983
+CWD, ./pub/data/noaa/1983
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/1984
+CWD, ./pub/data/noaa/1984
+CWD, ./pub/data/noaa/1984
+CWD, ./pub/data/noaa/1984
+CWD, ./pub/data/noaa/1984
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/1985
+CWD, ./pub/data/noaa/1985
+CWD, ./pub/data/noaa/1985
+CWD, ./pub/data/noaa/1985
+CWD, ./pub/data/noaa/1985
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/1986
+CWD, ./pub/data/noaa/1986
+CWD, ./pub/data/noaa/1986
+CWD, ./pub/data/noaa/1986
+CWD, ./pub/data/noaa/1986
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/1987
+CWD, ./pub/data/noaa/1987
+CWD, ./pub/data/noaa/1987
+CWD, ./pub/data/noaa/1987
+CWD, ./pub/data/noaa/1987
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/1988
+CWD, ./pub/data/noaa/1988
+CWD, ./pub/data/noaa/1988
+CWD, ./pub/data/noaa/1988
+CWD, ./pub/data/noaa/1988
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/1989
+CWD, ./pub/data/noaa/1989
+CWD, ./pub/data/noaa/1989
+CWD, ./pub/data/noaa/1989
+CWD, ./pub/data/noaa/1989
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/1990
+CWD, ./pub/data/noaa/1990
+CWD, ./pub/data/noaa/1990
+CWD, ./pub/data/noaa/1990
+CWD, ./pub/data/noaa/1990
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/1991
+CWD, ./pub/data/noaa/1991
+CWD, ./pub/data/noaa/1991
+CWD, ./pub/data/noaa/1991
+CWD, ./pub/data/noaa/1991
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/1992
+CWD, ./pub/data/noaa/1992
+CWD, ./pub/data/noaa/1992
+CWD, ./pub/data/noaa/1992
+CWD, ./pub/data/noaa/1992
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/1993
+CWD, ./pub/data/noaa/1993
+CWD, ./pub/data/noaa/1993
+CWD, ./pub/data/noaa/1993
+CWD, ./pub/data/noaa/1993
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/1994
+CWD, ./pub/data/noaa/1994
+CWD, ./pub/data/noaa/1994
+CWD, ./pub/data/noaa/1994
+CWD, ./pub/data/noaa/1994
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/1995
+CWD, ./pub/data/noaa/1995
+CWD, ./pub/data/noaa/1995
+CWD, ./pub/data/noaa/1995
+CWD, ./pub/data/noaa/1995
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/1996
+CWD, ./pub/data/noaa/1996
+CWD, ./pub/data/noaa/1996
+CWD, ./pub/data/noaa/1996
+CWD, ./pub/data/noaa/1996
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/1997
+CWD, ./pub/data/noaa/1997
+CWD, ./pub/data/noaa/1997
+CWD, ./pub/data/noaa/1997
+CWD, ./pub/data/noaa/1997
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/1998
+CWD, ./pub/data/noaa/1998
+CWD, ./pub/data/noaa/1998
+CWD, ./pub/data/noaa/1998
+CWD, ./pub/data/noaa/1998
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/1999
+CWD, ./pub/data/noaa/1999
+CWD, ./pub/data/noaa/1999
+CWD, ./pub/data/noaa/1999
+CWD, ./pub/data/noaa/1999
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2000
+CWD, ./pub/data/noaa/2000
+CWD, ./pub/data/noaa/2000
+CWD, ./pub/data/noaa/2000
+CWD, ./pub/data/noaa/2000
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2001
+CWD, ./pub/data/noaa/2001
+CWD, ./pub/data/noaa/2001
+CWD, ./pub/data/noaa/2001
+CWD, ./pub/data/noaa/2001
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2002
+CWD, ./pub/data/noaa/2002
+CWD, ./pub/data/noaa/2002
+CWD, ./pub/data/noaa/2002
+CWD, ./pub/data/noaa/2002
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2003
+CWD, ./pub/data/noaa/2003
+CWD, ./pub/data/noaa/2003
+CWD, ./pub/data/noaa/2003
+CWD, ./pub/data/noaa/2003
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2004
+CWD, ./pub/data/noaa/2004
+CWD, ./pub/data/noaa/2004
+CWD, ./pub/data/noaa/2004
+CWD, ./pub/data/noaa/2004
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2005
+CWD, ./pub/data/noaa/2005
+CWD, ./pub/data/noaa/2005
+CWD, ./pub/data/noaa/2005
+CWD, ./pub/data/noaa/2005
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2006
+CWD, ./pub/data/noaa/2006
+CWD, ./pub/data/noaa/2006
+CWD, ./pub/data/noaa/2006
+CWD, ./pub/data/noaa/2006
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2007
+CWD, ./pub/data/noaa/2007
+CWD, ./pub/data/noaa/2007
+CWD, ./pub/data/noaa/2007
+CWD, ./pub/data/noaa/2007
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2008
+CWD, ./pub/data/noaa/2008
+CWD, ./pub/data/noaa/2008
+CWD, ./pub/data/noaa/2008
+CWD, ./pub/data/noaa/2008
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2009
+CWD, ./pub/data/noaa/2009
+CWD, ./pub/data/noaa/2009
+CWD, ./pub/data/noaa/2009
+CWD, ./pub/data/noaa/2009
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2010
+CWD, ./pub/data/noaa/2010
+CWD, ./pub/data/noaa/2010
+CWD, ./pub/data/noaa/2010
+CWD, ./pub/data/noaa/2010
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2011
+CWD, ./pub/data/noaa/2011
+CWD, ./pub/data/noaa/2011
+CWD, ./pub/data/noaa/2011
+CWD, ./pub/data/noaa/2011
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2006
+CWD, ./pub/data/noaa/2006
+CWD, ./pub/data/noaa/2006
+CWD, ./pub/data/noaa/2006
+CWD, ./pub/data/noaa/2006
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2007
+CWD, ./pub/data/noaa/2007
+CWD, ./pub/data/noaa/2007
+CWD, ./pub/data/noaa/2007
+CWD, ./pub/data/noaa/2007
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2008
+CWD, ./pub/data/noaa/2008
+CWD, ./pub/data/noaa/2008
+CWD, ./pub/data/noaa/2008
+CWD, ./pub/data/noaa/2008
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2009
+CWD, ./pub/data/noaa/2009
+CWD, ./pub/data/noaa/2009
+CWD, ./pub/data/noaa/2009
+CWD, ./pub/data/noaa/2009
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2010
+CWD, ./pub/data/noaa/2010
+CWD, ./pub/data/noaa/2010
+CWD, ./pub/data/noaa/2010
+CWD, ./pub/data/noaa/2010
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2011
+CWD, ./pub/data/noaa/2011
+CWD, ./pub/data/noaa/2011
+CWD, ./pub/data/noaa/2011
+CWD, ./pub/data/noaa/2011
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2002
+CWD, ./pub/data/noaa/2002
+CWD, ./pub/data/noaa/2002
+CWD, ./pub/data/noaa/2002
+CWD, ./pub/data/noaa/2002
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2003
+CWD, ./pub/data/noaa/2003
+CWD, ./pub/data/noaa/2003
+CWD, ./pub/data/noaa/2003
+CWD, ./pub/data/noaa/2003
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2004
+CWD, ./pub/data/noaa/2004
+CWD, ./pub/data/noaa/2004
+CWD, ./pub/data/noaa/2004
+CWD, ./pub/data/noaa/2004
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2005
+CWD, ./pub/data/noaa/2005
+CWD, ./pub/data/noaa/2005
+CWD, ./pub/data/noaa/2005
+CWD, ./pub/data/noaa/2005
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2005
+CWD, ./pub/data/noaa/2005
+CWD, ./pub/data/noaa/2005
+CWD, ./pub/data/noaa/2005
+CWD, ./pub/data/noaa/2005
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2006
+CWD, ./pub/data/noaa/2006
+CWD, ./pub/data/noaa/2006
+CWD, ./pub/data/noaa/2006
+CWD, ./pub/data/noaa/2006
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2007
+CWD, ./pub/data/noaa/2007
+CWD, ./pub/data/noaa/2007
+CWD, ./pub/data/noaa/2007
+CWD, ./pub/data/noaa/2007
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2008
+CWD, ./pub/data/noaa/2008
+CWD, ./pub/data/noaa/2008
+CWD, ./pub/data/noaa/2008
+CWD, ./pub/data/noaa/2008
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2009
+CWD, ./pub/data/noaa/2009
+CWD, ./pub/data/noaa/2009
+CWD, ./pub/data/noaa/2009
+CWD, ./pub/data/noaa/2009
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2010
+CWD, ./pub/data/noaa/2010
+CWD, ./pub/data/noaa/2010
+CWD, ./pub/data/noaa/2010
+CWD, ./pub/data/noaa/2010
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2011
+CWD, ./pub/data/noaa/2011
+CWD, ./pub/data/noaa/2011
+CWD, ./pub/data/noaa/2011
+CWD, ./pub/data/noaa/2011
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2002
+CWD, ./pub/data/noaa/2002
+CWD, ./pub/data/noaa/2002
+CWD, ./pub/data/noaa/2002
+CWD, ./pub/data/noaa/2002
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2003
+CWD, ./pub/data/noaa/2003
+CWD, ./pub/data/noaa/2003
+CWD, ./pub/data/noaa/2003
+CWD, ./pub/data/noaa/2003
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2004
+CWD, ./pub/data/noaa/2004
+CWD, ./pub/data/noaa/2004
+CWD, ./pub/data/noaa/2004
+CWD, ./pub/data/noaa/2004
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/1988
+CWD, ./pub/data/noaa/1988
+CWD, ./pub/data/noaa/1988
+CWD, ./pub/data/noaa/1988
+CWD, ./pub/data/noaa/1988
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2006
+CWD, ./pub/data/noaa/2006
+CWD, ./pub/data/noaa/2006
+CWD, ./pub/data/noaa/2006
+CWD, ./pub/data/noaa/2006
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2007
+CWD, ./pub/data/noaa/2007
+CWD, ./pub/data/noaa/2007
+CWD, ./pub/data/noaa/2007
+CWD, ./pub/data/noaa/2007
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2008
+CWD, ./pub/data/noaa/2008
+CWD, ./pub/data/noaa/2008
+CWD, ./pub/data/noaa/2008
+CWD, ./pub/data/noaa/2008
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2009
+CWD, ./pub/data/noaa/2009
+CWD, ./pub/data/noaa/2009
+CWD, ./pub/data/noaa/2009
+CWD, ./pub/data/noaa/2009
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2010
+CWD, ./pub/data/noaa/2010
+CWD, ./pub/data/noaa/2010
+CWD, ./pub/data/noaa/2010
+CWD, ./pub/data/noaa/2010
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2011
+CWD, ./pub/data/noaa/2011
+CWD, ./pub/data/noaa/2011
+CWD, ./pub/data/noaa/2011
+CWD, ./pub/data/noaa/2011
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/1999
+CWD, ./pub/data/noaa/1999
+CWD, ./pub/data/noaa/1999
+CWD, ./pub/data/noaa/1999
+CWD, ./pub/data/noaa/1999
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2000
+CWD, ./pub/data/noaa/2000
+CWD, ./pub/data/noaa/2000
+CWD, ./pub/data/noaa/2000
+CWD, ./pub/data/noaa/2000
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2001
+CWD, ./pub/data/noaa/2001
+CWD, ./pub/data/noaa/2001
+CWD, ./pub/data/noaa/2001
+CWD, ./pub/data/noaa/2001
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2002
+CWD, ./pub/data/noaa/2002
+CWD, ./pub/data/noaa/2002
+CWD, ./pub/data/noaa/2002
+CWD, ./pub/data/noaa/2002
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2003
+CWD, ./pub/data/noaa/2003
+CWD, ./pub/data/noaa/2003
+CWD, ./pub/data/noaa/2003
+CWD, ./pub/data/noaa/2003
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2004
+CWD, ./pub/data/noaa/2004
+CWD, ./pub/data/noaa/2004
+CWD, ./pub/data/noaa/2004
+CWD, ./pub/data/noaa/2004
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2005
+CWD, ./pub/data/noaa/2005
+CWD, ./pub/data/noaa/2005
+CWD, ./pub/data/noaa/2005
+CWD, ./pub/data/noaa/2005
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/1973
+CWD, ./pub/data/noaa/1973
+CWD, ./pub/data/noaa/1973
+CWD, ./pub/data/noaa/1973
+CWD, ./pub/data/noaa/1973
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/1974
+CWD, ./pub/data/noaa/1974
+CWD, ./pub/data/noaa/1974
+CWD, ./pub/data/noaa/1974
+CWD, ./pub/data/noaa/1974
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/1975
+CWD, ./pub/data/noaa/1975
+CWD, ./pub/data/noaa/1975
+CWD, ./pub/data/noaa/1975
+CWD, ./pub/data/noaa/1975
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/1976
+CWD, ./pub/data/noaa/1976
+CWD, ./pub/data/noaa/1976
+CWD, ./pub/data/noaa/1976
+CWD, ./pub/data/noaa/1976
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/1977
+CWD, ./pub/data/noaa/1977
+CWD, ./pub/data/noaa/1977
+CWD, ./pub/data/noaa/1977
+CWD, ./pub/data/noaa/1977
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/1978
+CWD, ./pub/data/noaa/1978
+CWD, ./pub/data/noaa/1978
+CWD, ./pub/data/noaa/1978
+CWD, ./pub/data/noaa/1978
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/1979
+CWD, ./pub/data/noaa/1979
+CWD, ./pub/data/noaa/1979
+CWD, ./pub/data/noaa/1979
+CWD, ./pub/data/noaa/1979
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/1980
+CWD, ./pub/data/noaa/1980
+CWD, ./pub/data/noaa/1980
+CWD, ./pub/data/noaa/1980
+CWD, ./pub/data/noaa/1980
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/1981
+CWD, ./pub/data/noaa/1981
+CWD, ./pub/data/noaa/1981
+CWD, ./pub/data/noaa/1981
+CWD, ./pub/data/noaa/1981
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/1982
+CWD, ./pub/data/noaa/1982
+CWD, ./pub/data/noaa/1982
+CWD, ./pub/data/noaa/1982
+CWD, ./pub/data/noaa/1982
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/1983
+CWD, ./pub/data/noaa/1983
+CWD, ./pub/data/noaa/1983
+CWD, ./pub/data/noaa/1983
+CWD, ./pub/data/noaa/1983
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/1984
+CWD, ./pub/data/noaa/1984
+CWD, ./pub/data/noaa/1984
+CWD, ./pub/data/noaa/1984
+CWD, ./pub/data/noaa/1984
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/1985
+CWD, ./pub/data/noaa/1985
+CWD, ./pub/data/noaa/1985
+CWD, ./pub/data/noaa/1985
+CWD, ./pub/data/noaa/1985
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/1986
+CWD, ./pub/data/noaa/1986
+CWD, ./pub/data/noaa/1986
+CWD, ./pub/data/noaa/1986
+CWD, ./pub/data/noaa/1986
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/1987
+CWD, ./pub/data/noaa/1987
+CWD, ./pub/data/noaa/1987
+CWD, ./pub/data/noaa/1987
+CWD, ./pub/data/noaa/1987
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/1988
+CWD, ./pub/data/noaa/1988
+CWD, ./pub/data/noaa/1988
+CWD, ./pub/data/noaa/1988
+CWD, ./pub/data/noaa/1988
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/1989
+CWD, ./pub/data/noaa/1989
+CWD, ./pub/data/noaa/1989
+CWD, ./pub/data/noaa/1989
+CWD, ./pub/data/noaa/1989
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/1990
+CWD, ./pub/data/noaa/1990
+CWD, ./pub/data/noaa/1990
+CWD, ./pub/data/noaa/1990
+CWD, ./pub/data/noaa/1990
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/1991
+CWD, ./pub/data/noaa/1991
+CWD, ./pub/data/noaa/1991
+CWD, ./pub/data/noaa/1991
+CWD, ./pub/data/noaa/1991
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/1992
+CWD, ./pub/data/noaa/1992
+CWD, ./pub/data/noaa/1992
+CWD, ./pub/data/noaa/1992
+CWD, ./pub/data/noaa/1992
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/1993
+CWD, ./pub/data/noaa/1993
+CWD, ./pub/data/noaa/1993
+CWD, ./pub/data/noaa/1993
+CWD, ./pub/data/noaa/1993
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/1994
+CWD, ./pub/data/noaa/1994
+CWD, ./pub/data/noaa/1994
+CWD, ./pub/data/noaa/1994
+CWD, ./pub/data/noaa/1994
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/1995
+CWD, ./pub/data/noaa/1995
+CWD, ./pub/data/noaa/1995
+CWD, ./pub/data/noaa/1995
+CWD, ./pub/data/noaa/1995
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/1996
+CWD, ./pub/data/noaa/1996
+CWD, ./pub/data/noaa/1996
+CWD, ./pub/data/noaa/1996
+CWD, ./pub/data/noaa/1996
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/1997
+CWD, ./pub/data/noaa/1997
+CWD, ./pub/data/noaa/1997
+CWD, ./pub/data/noaa/1997
+CWD, ./pub/data/noaa/1997
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/1998
+CWD, ./pub/data/noaa/1998
+CWD, ./pub/data/noaa/1998
+CWD, ./pub/data/noaa/1998
+CWD, ./pub/data/noaa/1998
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/1999
+CWD, ./pub/data/noaa/1999
+CWD, ./pub/data/noaa/1999
+CWD, ./pub/data/noaa/1999
+CWD, ./pub/data/noaa/1999
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2000
+CWD, ./pub/data/noaa/2000
+CWD, ./pub/data/noaa/2000
+CWD, ./pub/data/noaa/2000
+CWD, ./pub/data/noaa/2000
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2001
+CWD, ./pub/data/noaa/2001
+CWD, ./pub/data/noaa/2001
+CWD, ./pub/data/noaa/2001
+CWD, ./pub/data/noaa/2001
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2002
+CWD, ./pub/data/noaa/2002
+CWD, ./pub/data/noaa/2002
+CWD, ./pub/data/noaa/2002
+CWD, ./pub/data/noaa/2002
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2003
+CWD, ./pub/data/noaa/2003
+CWD, ./pub/data/noaa/2003
+CWD, ./pub/data/noaa/2003
+CWD, ./pub/data/noaa/2003
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2004
+CWD, ./pub/data/noaa/2004
+CWD, ./pub/data/noaa/2004
+CWD, ./pub/data/noaa/2004
+CWD, ./pub/data/noaa/2004
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2005
+CWD, ./pub/data/noaa/2005
+CWD, ./pub/data/noaa/2005
+CWD, ./pub/data/noaa/2005
+CWD, ./pub/data/noaa/2005
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2006
+CWD, ./pub/data/noaa/2006
+CWD, ./pub/data/noaa/2006
+CWD, ./pub/data/noaa/2006
+CWD, ./pub/data/noaa/2006
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2007
+CWD, ./pub/data/noaa/2007
+CWD, ./pub/data/noaa/2007
+CWD, ./pub/data/noaa/2007
+CWD, ./pub/data/noaa/2007
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2008
+CWD, ./pub/data/noaa/2008
+CWD, ./pub/data/noaa/2008
+CWD, ./pub/data/noaa/2008
+CWD, ./pub/data/noaa/2008
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2009
+CWD, ./pub/data/noaa/2009
+CWD, ./pub/data/noaa/2009
+CWD, ./pub/data/noaa/2009
+CWD, ./pub/data/noaa/2009
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2010
+CWD, ./pub/data/noaa/2010
+CWD, ./pub/data/noaa/2010
+CWD, ./pub/data/noaa/2010
+CWD, ./pub/data/noaa/2010
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2011
+CWD, ./pub/data/noaa/2011
+CWD, ./pub/data/noaa/2011
+CWD, ./pub/data/noaa/2011
+CWD, ./pub/data/noaa/2011
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2006
+CWD, ./pub/data/noaa/2006
+CWD, ./pub/data/noaa/2006
+CWD, ./pub/data/noaa/2006
+CWD, ./pub/data/noaa/2006
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2007
+CWD, ./pub/data/noaa/2007
+CWD, ./pub/data/noaa/2007
+CWD, ./pub/data/noaa/2007
+CWD, ./pub/data/noaa/2007
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2008
+CWD, ./pub/data/noaa/2008
+CWD, ./pub/data/noaa/2008
+CWD, ./pub/data/noaa/2008
+CWD, ./pub/data/noaa/2008
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2009
+CWD, ./pub/data/noaa/2009
+CWD, ./pub/data/noaa/2009
+CWD, ./pub/data/noaa/2009
+CWD, ./pub/data/noaa/2009
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2010
+CWD, ./pub/data/noaa/2010
+CWD, ./pub/data/noaa/2010
+CWD, ./pub/data/noaa/2010
+CWD, ./pub/data/noaa/2010
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2011
+CWD, ./pub/data/noaa/2011
+CWD, ./pub/data/noaa/2011
+CWD, ./pub/data/noaa/2011
+CWD, ./pub/data/noaa/2011
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa/2012
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa/2013
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa/2014
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa/2015
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa/2016
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/1988
+CWD, ./pub/data/noaa/1988
+CWD, ./pub/data/noaa/1988
+CWD, ./pub/data/noaa/1988
+CWD, ./pub/data/noaa/1988
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/1989
+CWD, ./pub/data/noaa/1989
+CWD, ./pub/data/noaa/1989
+CWD, ./pub/data/noaa/1989
+CWD, ./pub/data/noaa/1989
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/1990
+CWD, ./pub/data/noaa/1990
+CWD, ./pub/data/noaa/1990
+CWD, ./pub/data/noaa/1990
+CWD, ./pub/data/noaa/1990
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/1991
+CWD, ./pub/data/noaa/1991
+CWD, ./pub/data/noaa/1991
+CWD, ./pub/data/noaa/1991
+CWD, ./pub/data/noaa/1991
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/1992
+CWD, ./pub/data/noaa/1992
+CWD, ./pub/data/noaa/1992
+CWD, ./pub/data/noaa/1992
+CWD, ./pub/data/noaa/1992
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/1993
+CWD, ./pub/data/noaa/1993
+CWD, ./pub/data/noaa/1993
+CWD, ./pub/data/noaa/1993
+CWD, ./pub/data/noaa/1993
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/1994
+CWD, ./pub/data/noaa/1994
+CWD, ./pub/data/noaa/1994
+CWD, ./pub/data/noaa/1994
+CWD, ./pub/data/noaa/1994
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/1995
+CWD, ./pub/data/noaa/1995
+CWD, ./pub/data/noaa/1995
+CWD, ./pub/data/noaa/1995
+CWD, ./pub/data/noaa/1995
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/1996
+CWD, ./pub/data/noaa/1996
+CWD, ./pub/data/noaa/1996
+CWD, ./pub/data/noaa/1996
+CWD, ./pub/data/noaa/1996
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/1997
+CWD, ./pub/data/noaa/1997
+CWD, ./pub/data/noaa/1997
+CWD, ./pub/data/noaa/1997
+CWD, ./pub/data/noaa/1997
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/1998
+CWD, ./pub/data/noaa/1998
+CWD, ./pub/data/noaa/1998
+CWD, ./pub/data/noaa/1998
+CWD, ./pub/data/noaa/1998
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/1999
+CWD, ./pub/data/noaa/1999
+CWD, ./pub/data/noaa/1999
+CWD, ./pub/data/noaa/1999
+CWD, ./pub/data/noaa/1999
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2000
+CWD, ./pub/data/noaa/2000
+CWD, ./pub/data/noaa/2000
+CWD, ./pub/data/noaa/2000
+CWD, ./pub/data/noaa/2000
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2001
+CWD, ./pub/data/noaa/2001
+CWD, ./pub/data/noaa/2001
+CWD, ./pub/data/noaa/2001
+CWD, ./pub/data/noaa/2001
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2002
+CWD, ./pub/data/noaa/2002
+CWD, ./pub/data/noaa/2002
+CWD, ./pub/data/noaa/2002
+CWD, ./pub/data/noaa/2002
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2003
+CWD, ./pub/data/noaa/2003
+CWD, ./pub/data/noaa/2003
+CWD, ./pub/data/noaa/2003
+CWD, ./pub/data/noaa/2003
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2004
+CWD, ./pub/data/noaa/2004
+CWD, ./pub/data/noaa/2004
+CWD, ./pub/data/noaa/2004
+CWD, ./pub/data/noaa/2004
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2005
+CWD, ./pub/data/noaa/2005
+CWD, ./pub/data/noaa/2005
+CWD, ./pub/data/noaa/2005
+CWD, ./pub/data/noaa/2005
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2006
+CWD, ./pub/data/noaa/2006
+CWD, ./pub/data/noaa/2006
+CWD, ./pub/data/noaa/2006
+CWD, ./pub/data/noaa/2006
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2007
+CWD, ./pub/data/noaa/2007
+CWD, ./pub/data/noaa/2007
+CWD, ./pub/data/noaa/2007
+CWD, ./pub/data/noaa/2007
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2008
+CWD, ./pub/data/noaa/2008
+CWD, ./pub/data/noaa/2008
+CWD, ./pub/data/noaa/2008
+CWD, ./pub/data/noaa/2008
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2009
+CWD, ./pub/data/noaa/2009
+CWD, ./pub/data/noaa/2009
+CWD, ./pub/data/noaa/2009
+CWD, ./pub/data/noaa/2009
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2010
+CWD, ./pub/data/noaa/2010
+CWD, ./pub/data/noaa/2010
+CWD, ./pub/data/noaa/2010
+CWD, ./pub/data/noaa/2010
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/1999
+CWD, ./pub/data/noaa/1999
+CWD, ./pub/data/noaa/1999
+CWD, ./pub/data/noaa/1999
+CWD, ./pub/data/noaa/1999
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2000
+CWD, ./pub/data/noaa/2000
+CWD, ./pub/data/noaa/2000
+CWD, ./pub/data/noaa/2000
+CWD, ./pub/data/noaa/2000
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2001
+CWD, ./pub/data/noaa/2001
+CWD, ./pub/data/noaa/2001
+CWD, ./pub/data/noaa/2001
+CWD, ./pub/data/noaa/2001
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2000
+CWD, ./pub/data/noaa/2000
+CWD, ./pub/data/noaa/2000
+CWD, ./pub/data/noaa/2000
+CWD, ./pub/data/noaa/2000
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/2001
+CWD, ./pub/data/noaa/2001
+CWD, ./pub/data/noaa/2001
+CWD, ./pub/data/noaa/2001
+CWD, ./pub/data/noaa/2001
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/1975
+CWD, ./pub/data/noaa/1975
+CWD, ./pub/data/noaa/1975
+CWD, ./pub/data/noaa/1975
+CWD, ./pub/data/noaa/1975
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/1976
+CWD, ./pub/data/noaa/1976
+CWD, ./pub/data/noaa/1976
+CWD, ./pub/data/noaa/1976
+CWD, ./pub/data/noaa/1976
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/1977
+CWD, ./pub/data/noaa/1977
+CWD, ./pub/data/noaa/1977
+CWD, ./pub/data/noaa/1977
+CWD, ./pub/data/noaa/1977
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/1978
+CWD, ./pub/data/noaa/1978
+CWD, ./pub/data/noaa/1978
+CWD, ./pub/data/noaa/1978
+CWD, ./pub/data/noaa/1978
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/1979
+CWD, ./pub/data/noaa/1979
+CWD, ./pub/data/noaa/1979
+CWD, ./pub/data/noaa/1979
+CWD, ./pub/data/noaa/1979
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/1980
+CWD, ./pub/data/noaa/1980
+CWD, ./pub/data/noaa/1980
+CWD, ./pub/data/noaa/1980
+CWD, ./pub/data/noaa/1980
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/1981
+CWD, ./pub/data/noaa/1981
+CWD, ./pub/data/noaa/1981
+CWD, ./pub/data/noaa/1981
+CWD, ./pub/data/noaa/1981
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/1982
+CWD, ./pub/data/noaa/1982
+CWD, ./pub/data/noaa/1982
+CWD, ./pub/data/noaa/1982
+CWD, ./pub/data/noaa/1982
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/1983
+CWD, ./pub/data/noaa/1983
+CWD, ./pub/data/noaa/1983
+CWD, ./pub/data/noaa/1983
+CWD, ./pub/data/noaa/1983
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/1984
+CWD, ./pub/data/noaa/1984
+CWD, ./pub/data/noaa/1984
+CWD, ./pub/data/noaa/1984
+CWD, ./pub/data/noaa/1984
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/1987
+CWD, ./pub/data/noaa/1987
+CWD, ./pub/data/noaa/1987
+CWD, ./pub/data/noaa/1987
+CWD, ./pub/data/noaa/1987
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/1991
+CWD, ./pub/data/noaa/1991
+CWD, ./pub/data/noaa/1991
+CWD, ./pub/data/noaa/1991
+CWD, ./pub/data/noaa/1991
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/1992
+CWD, ./pub/data/noaa/1992
+CWD, ./pub/data/noaa/1992
+CWD, ./pub/data/noaa/1992
+CWD, ./pub/data/noaa/1992
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa/1973
+CWD, ./pub/data/noaa/1973
+CWD, ./pub/data/noaa/1973
+CWD, ./pub/data/noaa/1973
+CWD, ./pub/data/noaa/1973
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa
+CWD, ./pub/data/noaa
+CWD, ./pub/data
+CWD, ./pub/data/1975
+CWD, ./pub/data/1975
+CWD, ./pub/data/1975
+CWD, ./pub/data/1975
+CWD, ./pub/data/1975
+CWD, ./pub/data
+CWD, ./pub/data/1976
+CWD, ./pub/data/1976
+CWD, ./pub/data/1976
+CWD, ./pub/data/1976
+CWD, ./pub/data/1976
+CWD, ./pub/data
+CWD, ./pub/data/1977
+CWD, ./pub/data/1977
+CWD, ./pub/data/1977
+CWD, ./pub/data/1977
+CWD, ./pub/data/1977
+CWD, ./pub/data
+CWD, ./pub/data/1978
+CWD, ./pub/data/1978
+CWD, ./pub/data/1978
+CWD, ./pub/data/1978
+CWD, ./pub/data/1978
+CWD, ./pub/data
+CWD, ./pub/data/1979
+CWD, ./pub/data/1979
+CWD, ./pub/data/1979
+CWD, ./pub/data/1979
+CWD, ./pub/data/1979
+CWD, ./pub/data
+CWD, ./pub/data/1980
+CWD, ./pub/data/1980
+CWD, ./pub/data/1980
+CWD, ./pub/data/1980
+CWD, ./pub/data/1980
+CWD, ./pub/data
+CWD, ./pub/data/1981
+CWD, ./pub/data/1981
+CWD, ./pub/data/1981
+CWD, ./pub/data/1981
+CWD, ./pub/data/1981
+CWD, ./pub/data
+CWD, ./pub/data/1982
+CWD, ./pub/data/1982
+CWD, ./pub/data/1982
+CWD, ./pub/data/1982
+CWD, ./pub/data/1982
+CWD, ./pub/data
+CWD, ./pub/data/1983
+CWD, ./pub/data/1983
+CWD, ./pub/data/1983
+CWD, ./pub/data/1983
+CWD, ./pub/data/1983
+CWD, ./pub/data
+CWD, ./pub/data/1984
+CWD, ./pub/data/1984
+CWD, ./pub/data/1984
+CWD, ./pub/data/1984
+CWD, ./pub/data/1984
+CWD, ./pub/data
+CWD, ./pub/data/1985
+CWD, ./pub/data/1985
+CWD, ./pub/data/1985
+CWD, ./pub/data/1985
+CWD, ./pub/data/1985
+CWD, ./pub/data
+CWD, ./pub/data/1986
+CWD, ./pub/data/1986
+CWD, ./pub/data/1986
+CWD, ./pub/data/1986
+CWD, ./pub/data/1986
+CWD, ./pub/data
+CWD, ./pub/data/1987
+CWD, ./pub/data/1987
+CWD, ./pub/data/1987
+CWD, ./pub/data/1987
+CWD, ./pub/data/1987
+CWD, ./pub/data
+CWD, ./pub/data/1988
+CWD, ./pub/data/1988
+CWD, ./pub/data/1988
+CWD, ./pub/data/1988
+CWD, ./pub/data/1988
+CWD, ./pub/data
+CWD, ./pub/data/1989
+CWD, ./pub/data/1989
+CWD, ./pub/data/1989
+CWD, ./pub/data/1989
+CWD, ./pub/data/1989
+CWD, ./pub/data
+CWD, ./pub/data/1990
+CWD, ./pub/data/1990
+CWD, ./pub/data/1990
+CWD, ./pub/data/1990
+CWD, ./pub/data/1990
+CWD, ./pub/data
+CWD, ./pub/data/1991
+CWD, ./pub/data/1991
+CWD, ./pub/data/1991
+CWD, ./pub/data/1991
+CWD, ./pub/data/1991
+CWD, ./pub/data
+CWD, ./pub/data/1992
+CWD, ./pub/data/1992
+CWD, ./pub/data/1992
+CWD, ./pub/data/1992
+CWD, ./pub/data/1992
+CWD, ./pub/data
+CWD, ./pub/data/1993
+CWD, ./pub/data/1993
+CWD, ./pub/data/1993
+CWD, ./pub/data/1993
+CWD, ./pub/data/1993
+CWD, ./pub/data
+CWD, ./pub/data/1994
+CWD, ./pub/data/1994
+CWD, ./pub/data/1994
+CWD, ./pub/data/1994
+CWD, ./pub/data/1994
+CWD, ./pub/data
+CWD, ./pub/data/1995
+CWD, ./pub/data/1995
+CWD, ./pub/data/1995
+CWD, ./pub/data/1995
+CWD, ./pub/data/1995
+CWD, ./pub/data
+CWD, ./pub/data/1996
+CWD, ./pub/data/1996
+CWD, ./pub/data/1996
+CWD, ./pub/data/1996
+CWD, ./pub/data/1996
+CWD, ./pub/data
+CWD, ./pub/data/1997
+CWD, ./pub/data/1997
+CWD, ./pub/data/1997
+CWD, ./pub/data/1997
+CWD, ./pub/data/1997
+CWD, ./pub/data
+CWD, ./pub/data/1998
+CWD, ./pub/data/1998
+CWD, ./pub/data/1998
+CWD, ./pub/data/1998
+CWD, ./pub/data/1998
+CWD, ./pub/data
+CWD, ./pub/data/1999
+CWD, ./pub/data/1999
+CWD, ./pub/data/1999
+CWD, ./pub/data/1999
+CWD, ./pub/data/1999
+CWD, ./pub/data
+CWD, ./pub/data/2000
+CWD, ./pub/data/2000
+CWD, ./pub/data/2000
+CWD, ./pub/data/2000
+CWD, ./pub/data/2000
+CWD, ./pub/data
+CWD, ./pub/data/2001
+CWD, ./pub/data/2001
+CWD, ./pub/data/2001
+CWD, ./pub/data/2001
+CWD, ./pub/data/2001
+CWD, ./pub/data
+CWD, ./pub/data/2002
+CWD, ./pub/data/2002
+CWD, ./pub/data/2002
+CWD, ./pub/data/2002
+CWD, ./pub/data/2002
+CWD, ./pub/data
+CWD, ./pub/data/2003
+CWD, ./pub/data/2003
+CWD, ./pub/data/2003
+CWD, ./pub/data/2003
+CWD, ./pub/data/2003
+CWD, ./pub/data
+CWD, ./pub/data/2004
+CWD, ./pub/data/2004
+CWD, ./pub/data/2004
+CWD, ./pub/data/2004
+CWD, ./pub/data/2004
+CWD, ./pub/data
+CWD, ./pub/data/2005
+CWD, ./pub/data/2005
+CWD, ./pub/data/2005
+CWD, ./pub/data/2005
+CWD, ./pub/data/2005
+CWD, ./pub/data
+CWD, ./pub/data/2006
+CWD, ./pub/data/2006
+CWD, ./pub/data/2006
+CWD, ./pub/data/2006
+CWD, ./pub/data/2006
+CWD, ./pub/data
+CWD, ./pub/data/2007
+CWD, ./pub/data/2007
+CWD, ./pub/data/2007
+CWD, ./pub/data/2007
+CWD, ./pub/data/2007
+CWD, ./pub/data
+CWD, ./pub/data/2008
+CWD, ./pub/data/2008
+CWD, ./pub/data/2008
+CWD, ./pub/data/2008
+CWD, ./pub/data/2008
+CWD, ./pub/data
+CWD, ./pub/data/2009
+CWD, ./pub/data/2009
+CWD, ./pub/data/2009
+CWD, ./pub/data/2009
+CWD, ./pub/data/2009
+CWD, ./pub/data
+CWD, ./pub/data/2010
+CWD, ./pub/data/2010
+CWD, ./pub/data/2010
+CWD, ./pub/data/2010
+CWD, ./pub/data/2010
+CWD, ./pub/data
+CWD, ./pub/data/2011
+CWD, ./pub/data/2011
+CWD, ./pub/data/2011
+CWD, ./pub/data/2011
+CWD, ./pub/data/2011
+CWD, ./pub/data
+CWD, ./pub/data/2012
+CWD, ./pub/data/2012
+CWD, ./pub/data/2012
+CWD, ./pub/data/2012
+CWD, ./pub/data/2012
+CWD, ./pub/data
+CWD, ./pub/data/2013
+CWD, ./pub/data/2013
+CWD, ./pub/data/2013
+CWD, ./pub/data/2013
+CWD, ./pub/data/2013
+CWD, ./pub/data
+CWD, ./pub/data/2014
+CWD, ./pub/data/2014
+CWD, ./pub/data/2014
+CWD, ./pub/data/2014
+CWD, ./pub/data/2014
+CWD, ./pub/data
+CWD, ./pub/data/2015
+CWD, ./pub/data/2015
+CWD, ./pub/data/2015
+CWD, ./pub/data/2015
+CWD, ./pub/data/2015
+CWD, ./pub/data
+CWD, ./pub/data/2016
+CWD, ./pub/data/2016
+CWD, ./pub/data/2016
+CWD, ./pub/data/2016
+CWD, ./pub/data/2016
+CWD, ./pub/data
+CWD, ./pub/data/2005
+CWD, ./pub/data/2005
+CWD, ./pub/data/2005
+CWD, ./pub/data/2005
+CWD, ./pub/data/2005
+CWD, ./pub/data
+CWD, ./pub/data/2006
+CWD, ./pub/data/2006
+CWD, ./pub/data/2006
+CWD, ./pub/data/2006
+CWD, ./pub/data/2006
+CWD, ./pub/data
+CWD, ./pub/data/2007
+CWD, ./pub/data/2007
+CWD, ./pub/data/2007
+CWD, ./pub/data/2007
+CWD, ./pub/data/2007
+CWD, ./pub/data
+CWD, ./pub/data/2008
+CWD, ./pub/data/2008
+CWD, ./pub/data/2008
+CWD, ./pub/data/2008
+CWD, ./pub/data/2008
+CWD, ./pub/data
+CWD, ./pub/data/2009
+CWD, ./pub/data/2009
+CWD, ./pub/data/2009
+CWD, ./pub/data/2009
+CWD, ./pub/data/2009
+CWD, ./pub/data
+CWD, ./pub/data/2010
+CWD, ./pub/data/2010
+CWD, ./pub/data/2010
+CWD, ./pub/data/2010
+CWD, ./pub/data/2010
+CWD, ./pub/data
+CWD, ./pub/data/2011
+CWD, ./pub/data/2011
+CWD, ./pub/data/2011
+CWD, ./pub/data/2011
+CWD, ./pub/data/2011
+CWD, ./pub/data
+CWD, ./pub/data/2012
+CWD, ./pub/data/2012
+CWD, ./pub/data/2012
+CWD, ./pub/data/2012
+CWD, ./pub/data/2012
+CWD, ./pub/data
+CWD, ./pub/data/2013
+CWD, ./pub/data/2013
+CWD, ./pub/data/2013
+CWD, ./pub/data/2013
+CWD, ./pub/data/2013
+CWD, ./pub/data
+CWD, ./pub/data/2014
+CWD, ./pub/data/2014
+CWD, ./pub/data/2014
+CWD, ./pub/data/2014
+CWD, ./pub/data/2014
+CWD, ./pub/data
+CWD, ./pub/data/2015
+CWD, ./pub/data/2015
+CWD, ./pub/data/2015
+CWD, ./pub/data/2015
+CWD, ./pub/data/2015
+CWD, ./pub/data
+CWD, ./pub/data/2016
+CWD, ./pub/data/2016
+CWD, ./pub/data/2016
+CWD, ./pub/data/2016
+CWD, ./pub/data/2016
+CWD, ./pub/data
+CWD, ./pub/data/2002
+CWD, ./pub/data/2002
+CWD, ./pub/data/2002
+CWD, ./pub/data/2002
+CWD, ./pub/data/2002
+CWD, ./pub/data
+CWD, ./pub/data/2003
+CWD, ./pub/data/2003
+CWD, ./pub/data/2003
+CWD, ./pub/data/2003
+CWD, ./pub/data/2003
+CWD, ./pub/data
+CWD, ./pub/data/2004
+CWD, ./pub/data/2004
+CWD, ./pub/data/2004
+CWD, ./pub/data/2004
+CWD, ./pub/data/2004
+CWD, ./pub/data
+CWD, ./pub/data/2006
+CWD, ./pub/data/2006
+CWD, ./pub/data/2006
+CWD, ./pub/data/2006
+CWD, ./pub/data/2006
+CWD, ./pub/data
+CWD, ./pub/data/2007
+CWD, ./pub/data/2007
+CWD, ./pub/data/2007
+CWD, ./pub/data/2007
+CWD, ./pub/data/2007
+CWD, ./pub/data
+CWD, ./pub/data/2008
+CWD, ./pub/data/2008
+CWD, ./pub/data/2008
+CWD, ./pub/data/2008
+CWD, ./pub/data/2008
+CWD, ./pub/data
+CWD, ./pub/data/2009
+CWD, ./pub/data/2009
+CWD, ./pub/data/2009
+CWD, ./pub/data/2009
+CWD, ./pub/data/2009
+CWD, ./pub/data
+CWD, ./pub/data/2010
+CWD, ./pub/data/2010
+CWD, ./pub/data/2010
+CWD, ./pub/data/2010
+CWD, ./pub/data/2010
+CWD, ./pub/data
+CWD, ./pub/data/2011
+CWD, ./pub/data/2011
+CWD, ./pub/data/2011
+CWD, ./pub/data/2011
+CWD, ./pub/data/2011
+CWD, ./pub/data
+CWD, ./pub/data/2012
+CWD, ./pub/data/2012
+CWD, ./pub/data/2012
+CWD, ./pub/data/2012
+CWD, ./pub/data/2012
+CWD, ./pub/data
+CWD, ./pub/data/2013
+CWD, ./pub/data/2013
+CWD, ./pub/data/2013
+CWD, ./pub/data/2013
+CWD, ./pub/data/2013
+CWD, ./pub/data
+CWD, ./pub/data/2014
+CWD, ./pub/data/2014
+CWD, ./pub/data/2014
+CWD, ./pub/data/2014
+CWD, ./pub/data/2014
+CWD, ./pub/data
+CWD, ./pub/data/2015
+CWD, ./pub/data/2015
+CWD, ./pub/data/2015
+CWD, ./pub/data/2015
+CWD, ./pub/data/2015
+CWD, ./pub/data
+CWD, ./pub/data/2016
+CWD, ./pub/data/2016
+CWD, ./pub/data/2016
+CWD, ./pub/data/2016
+CWD, ./pub/data/2016
+CWD, ./pub/data
+CWD, ./pub/data/2002
+CWD, ./pub/data/2002
+CWD, ./pub/data/2002
+CWD, ./pub/data/2002
+CWD, ./pub/data/2002
+CWD, ./pub/data
+CWD, ./pub/data/2003
+CWD, ./pub/data/2003
+CWD, ./pub/data/2003
+CWD, ./pub/data/2003
+CWD, ./pub/data/2003
+CWD, ./pub/data
+CWD, ./pub/data/2004
+CWD, ./pub/data/2004
+CWD, ./pub/data/2004
+CWD, ./pub/data/2004
+CWD, ./pub/data/2004
+CWD, ./pub/data
+CWD, ./pub/data/2005
+CWD, ./pub/data/2005
+CWD, ./pub/data/2005
+CWD, ./pub/data/2005
+CWD, ./pub/data/2005
+CWD, ./pub/data
+CWD, ./pub/data/2006
+CWD, ./pub/data/2006
+CWD, ./pub/data/2006
+CWD, ./pub/data/2006
+CWD, ./pub/data/2006
+CWD, ./pub/data
+CWD, ./pub/data/2007
+CWD, ./pub/data/2007
+CWD, ./pub/data/2007
+CWD, ./pub/data/2007
+CWD, ./pub/data/2007
+CWD, ./pub/data
+CWD, ./pub/data/2008
+CWD, ./pub/data/2008
+CWD, ./pub/data/2008
+CWD, ./pub/data/2008
+CWD, ./pub/data/2008
+CWD, ./pub/data
+CWD, ./pub/data/2009
+CWD, ./pub/data/2009
+CWD, ./pub/data/2009
+CWD, ./pub/data/2009
+CWD, ./pub/data/2009
+CWD, ./pub/data
+CWD, ./pub/data/2010
+CWD, ./pub/data/2010
+CWD, ./pub/data/2010
+CWD, ./pub/data/2010
+CWD, ./pub/data/2010
+CWD, ./pub/data
+CWD, ./pub/data/2011
+CWD, ./pub/data/2011
+CWD, ./pub/data/2011
+CWD, ./pub/data/2011
+CWD, ./pub/data/2011
+CWD, ./pub/data
+CWD, ./pub/data/2012
+CWD, ./pub/data/2012
+CWD, ./pub/data/2012
+CWD, ./pub/data/2012
+CWD, ./pub/data/2012
+CWD, ./pub/data
+CWD, ./pub/data/2013
+CWD, ./pub/data/2013
+CWD, ./pub/data/2013
+CWD, ./pub/data/2013
+CWD, ./pub/data/2013
+CWD, ./pub/data
+CWD, ./pub/data/2014
+CWD, ./pub/data/2014
+CWD, ./pub/data/2014
+CWD, ./pub/data/2014
+CWD, ./pub/data/2014
+CWD, ./pub/data
+CWD, ./pub/data/2015
+CWD, ./pub/data/2015
+CWD, ./pub/data/2015
+CWD, ./pub/data/2015
+CWD, ./pub/data/2015
+CWD, ./pub/data
+CWD, ./pub/data/2016
+CWD, ./pub/data/2016
+CWD, ./pub/data/2016
+CWD, ./pub/data/2016
+CWD, ./pub/data/2016
+CWD, ./pub/data
+CWD, ./pub/data/1962
+CWD, ./pub/data/1962
+CWD, ./pub/data/1962
+CWD, ./pub/data/1962
+CWD, ./pub/data/1962
+CWD, ./pub/data
+CWD, ./pub/data/1983
+CWD, ./pub/data/1983
+CWD, ./pub/data/1983
+CWD, ./pub/data/1983
+CWD, ./pub/data/1983
+CWD, ./pub/data
+CWD, ./pub/data/1984
+CWD, ./pub/data/1984
+CWD, ./pub/data/1984
+CWD, ./pub/data/1984
+CWD, ./pub/data/1984
+CWD, ./pub/data
+CWD, ./pub/data/1985
+CWD, ./pub/data/1985
+CWD, ./pub/data/1985
+CWD, ./pub/data/1985
+CWD, ./pub/data/1985
+CWD, ./pub/data
+CWD, ./pub/data/1986
+CWD, ./pub/data/1986
+CWD, ./pub/data/1986
+CWD, ./pub/data/1986
+CWD, ./pub/data/1986
+CWD, ./pub/data
+CWD, ./pub/data/1987
+CWD, ./pub/data/1987
+CWD, ./pub/data/1987
+CWD, ./pub/data/1987
+CWD, ./pub/data/1987
+CWD, ./pub/data
+CWD, ./pub/data/1988
+CWD, ./pub/data/1988
+CWD, ./pub/data/1988
+CWD, ./pub/data/1988
+CWD, ./pub/data/1988
+CWD, ./pub/data
+CWD, ./pub/data/1989
+CWD, ./pub/data/1989
+CWD, ./pub/data/1989
+CWD, ./pub/data/1989
+CWD, ./pub/data/1989
+CWD, ./pub/data
+CWD, ./pub/data/1990
+CWD, ./pub/data/1990
+CWD, ./pub/data/1990
+CWD, ./pub/data/1990
+CWD, ./pub/data/1990
+CWD, ./pub/data
+CWD, ./pub/data/1991
+CWD, ./pub/data/1991
+CWD, ./pub/data/1991
+CWD, ./pub/data/1991
+CWD, ./pub/data/1991
+CWD, ./pub/data
+CWD, ./pub/data/1992
+CWD, ./pub/data/1992
+CWD, ./pub/data/1992
+CWD, ./pub/data/1992
+CWD, ./pub/data/1992
+CWD, ./pub/data
+CWD, ./pub/data/1993
+CWD, ./pub/data/1993
+CWD, ./pub/data/1993
+CWD, ./pub/data/1993
+CWD, ./pub/data/1993
+CWD, ./pub/data
+CWD, ./pub/data/1994
+CWD, ./pub/data/1994
+CWD, ./pub/data/1994
+CWD, ./pub/data/1994
+CWD, ./pub/data/1994
+CWD, ./pub/data
diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-get-file-size/ftp.log b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-get-file-size/ftp.log
new file mode 100644
index 0000000000..e4e7d8b877
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-get-file-size/ftp.log
@@ -0,0 +1,15 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	ftp
+#open	2016-03-11-17-40-18
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	user	password	command	arg	mime_type	file_size	reply_code	reply_msg	data_channel.passive	data_channel.orig_h	data_channel.resp_h	data_channel.resp_p	fuid
+#types	time	string	addr	port	addr	port	string	string	string	string	string	count	count	string	bool	addr	addr	port	string
+1457455890.667768	CXWv6p3arKYeMETxOg	192.168.21.95	54089	164.107.123.6	21	<unknown>	-	PASV	-	-	-	227	Entering Passive Mode (164,107,123,6,183,187)	T	192.168.21.95	164.107.123.6	47035	-
+1457455890.667768	CXWv6p3arKYeMETxOg	192.168.21.95	54089	164.107.123.6	21	<unknown>	-	PASV	-	-	-	227	Entering Passive Mode (164,107,123,6,183,187)	-	-	-	-	-
+1457455891.781896	CXWv6p3arKYeMETxOg	192.168.21.95	54089	164.107.123.6	21	<unknown>	-	PASV	-	-	-	227	Entering Passive Mode (164,107,123,6,183,231)	T	192.168.21.95	164.107.123.6	47079	FaFkMs3Gc0F1kvwXD
+1457455894.380514	CXWv6p3arKYeMETxOg	192.168.21.95	54089	164.107.123.6	21	<unknown>	-	PASV	-	-	-	227	Entering Passive Mode (164,107,123,6,183,211)	T	192.168.21.95	164.107.123.6	47059	Fm58Rm14ZG2Ai7nW9g
+1457455900.398202	CXWv6p3arKYeMETxOg	192.168.21.95	54089	164.107.123.6	21	<unknown>	-	PASV	-	-	-	227	Entering Passive Mode (164,107,123,6,183,197)	T	192.168.21.95	164.107.123.6	47045	FnxQXApi8WTTWNyH1
+1457455900.530943	CXWv6p3arKYeMETxOg	192.168.21.95	54089	164.107.123.6	21	<unknown>	-	RETR	ftp://164.107.123.6/mirror/internic/rfc/rfc1001.txt	text/plain	154427	226	File send OK.	-	-	-	-	FJblKh2PaOnGa8zcmg
+#close	2016-03-11-17-40-18
diff --git a/testing/btest/Baseline/scripts.base.protocols.http.100-continue/http.log b/testing/btest/Baseline/scripts.base.protocols.http.100-continue/http.log
index 774163695e..3c30a39f3c 100644
--- a/testing/btest/Baseline/scripts.base.protocols.http.100-continue/http.log
+++ b/testing/btest/Baseline/scripts.base.protocols.http.100-continue/http.log
@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	http
-#open	2016-01-15-18-41-00
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	version	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	filename	tags	username	password	proxied	orig_fuids	orig_mime_types	resp_fuids	resp_mime_types
-#types	time	string	addr	port	addr	port	count	string	string	string	string	string	string	count	count	count	string	count	string	string	set[enum]	string	string	set[string]	vector[string]	vector[string]	vector[string]	vector[string]
-1237440095.634312	CXWv6p3arKYeMETxOg	192.168.3.103	54102	128.146.216.51	80	1	POST	www.osu.edu	/	-	1.1	curl/7.17.1 (i386-apple-darwin8.11.1) libcurl/7.17.1 zlib/1.2.3	2001	60731	200	OK	100	Continue	-	(empty)	-	-	-	F7Wq2D1IW7Cp2nfZMa	text/plain	FFhC1T3ieHHQqVBLpc	text/html
-#close	2016-01-15-18-41-00
+#open	2016-06-15-05-40-35
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	version	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	tags	username	password	proxied	orig_fuids	orig_filenames	orig_mime_types	resp_fuids	resp_filenames	resp_mime_types
+#types	time	string	addr	port	addr	port	count	string	string	string	string	string	string	count	count	count	string	count	string	set[enum]	string	string	set[string]	vector[string]	vector[string]	vector[string]	vector[string]	vector[string]	vector[string]
+1237440095.634312	CXWv6p3arKYeMETxOg	192.168.3.103	54102	128.146.216.51	80	1	POST	www.osu.edu	/	-	1.1	curl/7.17.1 (i386-apple-darwin8.11.1) libcurl/7.17.1 zlib/1.2.3	2001	60731	200	OK	100	Continue	(empty)	-	-	-	F7Wq2D1IW7Cp2nfZMa	-	text/plain	FFhC1T3ieHHQqVBLpc	-	text/html
+#close	2016-06-15-05-40-35
diff --git a/testing/btest/Baseline/scripts.base.protocols.http.http-bad-request-with-version/http.log b/testing/btest/Baseline/scripts.base.protocols.http.http-bad-request-with-version/http.log
new file mode 100644
index 0000000000..a5b1de6025
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.http.http-bad-request-with-version/http.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	http
+#open	2016-06-15-05-40-51
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	version	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	tags	username	password	proxied	orig_fuids	orig_filenames	orig_mime_types	resp_fuids	resp_filenames	resp_mime_types
+#types	time	string	addr	port	addr	port	count	string	string	string	string	string	string	count	count	count	string	count	string	set[enum]	string	string	set[string]	vector[string]	vector[string]	vector[string]	vector[string]	vector[string]	vector[string]
+1452204358.910557	CXWv6p3arKYeMETxOg	192.168.122.130	49157	202.7.177.41	80	1	-	-	-	-	1.1	-	0	14	200	OK	-	-	(empty)	-	-	-	-	-	-	FGec0Miu9FfcsYUT4	-	text/plain
+#close	2016-06-15-05-40-51
diff --git a/testing/btest/Baseline/scripts.base.protocols.http.http-bad-request-with-version/weird.log b/testing/btest/Baseline/scripts.base.protocols.http.http-bad-request-with-version/weird.log
new file mode 100644
index 0000000000..92a669b060
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.http.http-bad-request-with-version/weird.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	weird
+#open	2016-03-07-21-06-28
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
+#types	time	string	addr	port	addr	port	string	string	bool	string
+1452204358.172926	CXWv6p3arKYeMETxOg	192.168.122.130	49157	202.7.177.41	80	bad_HTTP_request_with_version	-	F	bro
+#close	2016-03-07-21-06-28
diff --git a/testing/btest/Baseline/scripts.base.protocols.http.http-connect-with-header/http.log b/testing/btest/Baseline/scripts.base.protocols.http.http-connect-with-header/http.log
index 121c1499dc..18b0eb9bf6 100644
--- a/testing/btest/Baseline/scripts.base.protocols.http.http-connect-with-header/http.log
+++ b/testing/btest/Baseline/scripts.base.protocols.http.http-connect-with-header/http.log
@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	http
-#open	2016-01-15-18-41-02
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	version	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	filename	tags	username	password	proxied	orig_fuids	orig_mime_types	resp_fuids	resp_mime_types
-#types	time	string	addr	port	addr	port	count	string	string	string	string	string	string	count	count	count	string	count	string	string	set[enum]	string	string	set[string]	vector[string]	vector[string]	vector[string]	vector[string]
-1443732977.728092	CXWv6p3arKYeMETxOg	::1	52522	::1	80	1	CONNECT	secure.newegg.com	secure.newegg.com:443	-	1.0	Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:41.0) Gecko/20100101 Firefox/41.0	0	0	200	Connection Established	-	-	-	(empty)	-	-	PROXY-CONNECTION -> keep-alive	-	-	-	-
-#close	2016-01-15-18-41-02
+#open	2016-06-15-05-41-12
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	version	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	tags	username	password	proxied	orig_fuids	orig_filenames	orig_mime_types	resp_fuids	resp_filenames	resp_mime_types
+#types	time	string	addr	port	addr	port	count	string	string	string	string	string	string	count	count	count	string	count	string	set[enum]	string	string	set[string]	vector[string]	vector[string]	vector[string]	vector[string]	vector[string]	vector[string]
+1443732977.728092	CXWv6p3arKYeMETxOg	::1	52522	::1	80	1	CONNECT	secure.newegg.com	secure.newegg.com:443	-	1.0	Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:41.0) Gecko/20100101 Firefox/41.0	0	0	200	Connection Established	-	-	(empty)	-	-	PROXY-CONNECTION -> keep-alive	-	-	-	-	-	-
+#close	2016-06-15-05-41-12
diff --git a/testing/btest/Baseline/scripts.base.protocols.http.http-connect/http.log b/testing/btest/Baseline/scripts.base.protocols.http.http-connect/http.log
index 0c2d648a7b..3b5ac262c8 100644
--- a/testing/btest/Baseline/scripts.base.protocols.http.http-connect/http.log
+++ b/testing/btest/Baseline/scripts.base.protocols.http.http-connect/http.log
@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	http
-#open	2016-01-15-18-41-01
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	version	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	filename	tags	username	password	proxied	orig_fuids	orig_mime_types	resp_fuids	resp_mime_types
-#types	time	string	addr	port	addr	port	count	string	string	string	string	string	string	count	count	count	string	count	string	string	set[enum]	string	string	set[string]	vector[string]	vector[string]	vector[string]	vector[string]
-1078232252.284420	CXWv6p3arKYeMETxOg	79.26.245.236	3378	254.228.86.79	8240	1	CONNECT	-	mailin03.sul.t-online.de:25 /	-	1.0	-	0	0	200	Connection established	-	-	-	(empty)	-	-	-	-	-	-	-
-#close	2016-01-15-18-41-01
+#open	2016-06-15-05-41-02
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	version	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	tags	username	password	proxied	orig_fuids	orig_filenames	orig_mime_types	resp_fuids	resp_filenames	resp_mime_types
+#types	time	string	addr	port	addr	port	count	string	string	string	string	string	string	count	count	count	string	count	string	set[enum]	string	string	set[string]	vector[string]	vector[string]	vector[string]	vector[string]	vector[string]	vector[string]
+1078232252.284420	CXWv6p3arKYeMETxOg	79.26.245.236	3378	254.228.86.79	8240	1	CONNECT	-	mailin03.sul.t-online.de:25 /	-	1.0	-	0	0	200	Connection established	-	-	(empty)	-	-	-	-	-	-	-	-	-
+#close	2016-06-15-05-41-02
diff --git a/testing/btest/Baseline/scripts.base.protocols.http.http-filename/http.log b/testing/btest/Baseline/scripts.base.protocols.http.http-filename/http.log
new file mode 100644
index 0000000000..ada05f67d4
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.http.http-filename/http.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	http
+#open	2016-06-15-05-55-29
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	version	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	tags	username	password	proxied	orig_fuids	orig_filenames	orig_mime_types	resp_fuids	resp_filenames	resp_mime_types
+#types	time	string	addr	port	addr	port	count	string	string	string	string	string	string	count	count	count	string	count	string	set[enum]	string	string	set[string]	vector[string]	vector[string]	vector[string]	vector[string]	vector[string]	vector[string]
+1445000735.104954	CXWv6p3arKYeMETxOg	10.1.9.63	63526	54.175.222.246	80	1	GET	httpbin.org	/response-headers?Content-Type=application/octet-stream; charset=UTF-8&Content-Disposition=attachment; filename="test.json"	-	1.1	curl/7.45.0	0	191	200	OK	-	-	(empty)	-	-	-	-	-	-	FygKthZCYFLgVzwY8	test.json	text/json
+#close	2016-06-15-05-55-29
diff --git a/testing/btest/Baseline/scripts.base.protocols.http.http-methods/http.log b/testing/btest/Baseline/scripts.base.protocols.http.http-methods/http.log
index 353348a40d..47dd3c55ff 100644
--- a/testing/btest/Baseline/scripts.base.protocols.http.http-methods/http.log
+++ b/testing/btest/Baseline/scripts.base.protocols.http.http-methods/http.log
@@ -3,56 +3,56 @@
 #empty_field	(empty)
 #unset_field	-
 #path	http
-#open	2016-01-15-20-54-31
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	version	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	filename	tags	username	password	proxied	orig_fuids	orig_mime_types	resp_fuids	resp_mime_types
-#types	time	string	addr	port	addr	port	count	string	string	string	string	string	string	count	count	count	string	count	string	string	set[enum]	string	string	set[string]	vector[string]	vector[string]	vector[string]	vector[string]
-1354328870.191989	CXWv6p3arKYeMETxOg	128.2.6.136	46562	173.194.75.103	80	1	OPTIONS	www.google.com	*	-	1.1	-	0	962	405	Method Not Allowed	-	-	-	(empty)	-	-	-	-	-	FKgccv1sOsIPuN3b73	text/html
-1354328874.237327	CjhGID4nQcgTWjvg4c	128.2.6.136	46563	173.194.75.103	80	1	OPTIONS	www.google.com	(empty)	-	1.0	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	-	-	FWUdF12OgqGLhf3NPl	text/html
-1354328874.299063	CCvvfg3TEfuqmmG4bh	128.2.6.136	46564	173.194.75.103	80	1	-	-	-	-	1.0	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	-	-	FrYoRN2EwpZyXbyvF8	text/html
-1354328874.342591	CsRx2w45OKnoww6xl4	128.2.6.136	46565	173.194.75.103	80	1	-	-	-	-	1.0	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	-	-	FJPouz1lbXUsa4Ef1	text/html
-1354328874.364020	CRJuHdVW0XPVINV8a	128.2.6.136	46566	173.194.75.103	80	1	GET	www.google.com	/	-	1.1	-	0	43911	200	OK	-	-	-	(empty)	-	-	-	-	-	FbONWS332vB7QP1sDi	text/html
-1354328878.470424	CPbrpk1qSsw6ESzHV4	128.2.6.136	46567	173.194.75.103	80	1	GET	www.google.com	/	-	1.1	-	0	43983	200	OK	-	-	-	(empty)	-	-	-	-	-	Fw8xGD2taqNAOVvI88	text/html
-1354328882.575456	C6pKV8GSxOnSLghOa	128.2.6.136	46568	173.194.75.103	80	1	GET	www.google.com	/HTTP/1.1	-	1.0	-	0	1207	403	Forbidden	-	-	-	(empty)	-	-	-	-	-	FdEQPY3H4Z608y5yq1	text/html
-1354328882.928027	CIPOse170MGiRM1Qf4	128.2.6.136	46569	173.194.75.103	80	1	-	-	-	-	1.0	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	-	-	FcNjaW3kDUju84cG3	text/html
-1354328882.968948	C7XEbhP654jzLoe3a	128.2.6.136	46570	173.194.75.103	80	1	-	-	-	-	1.0	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	-	-	Fe8v8c49yLvORp3zva	text/html
-1354328882.990373	CJ3xTn1c4Zw9TmAE05	128.2.6.136	46571	173.194.75.103	80	1	GET	www.google.com	/	-	1.1	-	0	43913	200	OK	-	-	-	(empty)	-	-	-	-	-	FAbDo7c8yz5wducYb	text/html
-1354328887.114613	CMXxB5GvmoxJFXdTa	128.2.6.136	46572	173.194.75.103	80	1	-	-	-	-	1.1	-	0	961	405	Method Not Allowed	-	-	-	(empty)	-	-	-	-	-	F7zifu3d5nGrdGffO4	text/html
-1354328891.161077	Caby8b1slFea8xwSmb	128.2.6.136	46573	173.194.75.103	80	1	-	-	-	-	1.0	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	-	-	FNf9mc2b0BWWP1UxWe	text/html
-1354328891.204740	Che1bq3i2rO3KD1Syg	128.2.6.136	46574	173.194.75.103	80	1	-	-	-	-	1.0	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	-	-	FG2K813sKEZvZ2TNY4	text/html
-1354328891.245592	C3SfNE4BWaU4aSuwkc	128.2.6.136	46575	173.194.75.103	80	1	-	-	-	-	1.0	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	-	-	FOOeqs4Vg0Zs3rcVYi	text/html
-1354328891.287655	CEle3f3zno26fFZkrh	128.2.6.136	46576	173.194.75.103	80	1	-	-	-	-	1.0	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	-	-	F2wfYn1yFdeOeHFYA8	text/html
-1354328891.309065	CwSkQu4eWZCH7OONC1	128.2.6.136	46577	173.194.75.103	80	1	CCM_POST	www.google.com	/	-	1.1	-	0	963	405	Method Not Allowed	-	-	-	(empty)	-	-	-	-	-	F1d9bG11AdUoYIAPna	text/html
-1354328895.355012	CfTOmO0HKorjr8Zp7	128.2.6.136	46578	173.194.75.103	80	1	CCM_POST	www.google.com	/HTTP/1.1	-	1.0	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	-	-	F73Xpt400aDAjp1tOj	text/html
-1354328895.416133	CzA03V1VcgagLjnO92	128.2.6.136	46579	173.194.75.103	80	1	-	-	-	-	1.0	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	-	-	FANgwp2fEJblWfGtqk	text/html
-1354328895.459490	CyAhVIzHqb7t7kv28	128.2.6.136	46580	173.194.75.103	80	1	-	-	-	-	1.0	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	-	-	FUelQv4zC3B2JEWwQ6	text/html
-1354328895.480865	Cab0vO1xNYSS2hJkle	128.2.6.136	46581	173.194.75.103	80	1	CCM_POST	www.google.com	/	-	1.1	-	0	963	405	Method Not Allowed	-	-	-	(empty)	-	-	-	-	-	FodlEg40uUijFetJb9	text/html
-1354328899.526682	Cx2FqO23omNawSNrxj	128.2.6.136	46582	173.194.75.103	80	1	CONNECT	www.google.com	/	-	1.1	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	-	-	FgQlB81dSyLHN5T8Q4	text/html
-1354328903.572533	Cx3C534wEyF3OvvcQe	128.2.6.136	46583	173.194.75.103	80	1	CONNECT	www.google.com	/HTTP/1.1	-	1.0	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	-	-	FW2UCD2e0jxAndsTK3	text/html
-1354328903.634196	CkDsfG2YIeWJmXWNWj	128.2.6.136	46584	173.194.75.103	80	1	-	-	-	-	1.0	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	-	-	FKANAL2sLvMgJdaEKa	text/html
-1354328903.676395	CUKS0W3HFYOnBqSE5e	128.2.6.136	46585	173.194.75.103	80	1	-	-	-	-	1.0	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	-	-	FNRuYy4eahAmiehFvd	text/html
-1354328903.697693	CRrfvP2lalMAYOCLhj	128.2.6.136	46586	173.194.75.103	80	1	CONNECT	www.google.com	/	-	1.1	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	-	-	FAVGIL2N6x9nLyfGHh	text/html
-1354328907.743696	Cn78a440HlxuyZKs6f	128.2.6.136	46587	173.194.75.103	80	1	TRACE	www.google.com	/	-	1.1	-	0	960	405	Method Not Allowed	-	-	-	(empty)	-	-	-	-	-	FKbiICMAvCsO6CFjk	text/html
-1354328911.790590	CUof3F2yAIid8QS3dk	128.2.6.136	46588	173.194.75.103	80	1	TRACE	www.google.com	/HTTP/1.1	-	1.0	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	-	-	FD5riIpYe5BLR0aok	text/html
-1354328911.853464	CojBOU3CXcLHl1r6x1	128.2.6.136	46589	173.194.75.103	80	1	-	-	-	-	1.0	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	-	-	FUzHwP1gT2UJYnUpUi	text/html
-1354328911.897044	CJzVQRGJrX6V15ik7	128.2.6.136	46590	173.194.75.103	80	1	-	-	-	-	1.0	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	-	-	FfLe59279TLFl2hHKc	text/html
-1354328911.918511	ClAbxY1nmdjCuo0Le2	128.2.6.136	46591	173.194.75.103	80	1	TRACE	www.google.com	/	-	1.1	-	0	960	405	Method Not Allowed	-	-	-	(empty)	-	-	-	-	-	FQrvtP3qpKeKPxn5Gf	text/html
-1354328915.964678	CwG0BF1VXE0gWgs78	128.2.6.136	46592	173.194.75.103	80	1	DELETE	www.google.com	/	-	1.1	-	0	961	405	Method Not Allowed	-	-	-	(empty)	-	-	-	-	-	Fs5qiV3XoBOExKLdi4	text/html
-1354328920.010458	CisNaL1Cm73CiNOmcg	128.2.6.136	46593	173.194.75.103	80	1	DELETE	www.google.com	/HTTP/1.1	-	1.0	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	-	-	FpkucFbcGcM4CNkZf	text/html
-1354328920.072101	CBQnJn22qN8TOeeZil	128.2.6.136	46594	173.194.75.103	80	1	-	-	-	-	1.0	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	-	-	FBu6A04t7ZjbY0dCi8	text/html
-1354328920.114526	CbEsuD3dgDDngdlbKf	128.2.6.136	46595	173.194.75.103	80	1	-	-	-	-	1.0	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	-	-	Fk7Se84fbLvbZEfBCd	text/html
-1354328920.136714	Cktvtw2VqwbTG0OgWk	128.2.6.136	46596	173.194.75.103	80	1	DELETE	www.google.com	/	-	1.1	-	0	961	405	Method Not Allowed	-	-	-	(empty)	-	-	-	-	-	FNb8ZY2Zvw0MpF1qU4	text/html
-1354328924.183211	CKfF8L3XSsgT2WYDN	128.2.6.136	46597	173.194.75.103	80	1	PUT	www.google.com	/	-	1.0	-	0	934	411	Length Required	-	-	-	(empty)	-	-	-	-	-	Fo23U03XCMamm7QQWe	text/html
-1354328924.224567	CHrnr1115j0JRSXjG6	128.2.6.136	46598	173.194.75.103	80	1	PUT	www.google.com	/HTTP/1.1	-	1.0	-	0	934	411	Length Required	-	-	-	(empty)	-	-	-	-	-	FqyVeZqSV8Tz7hfT1	text/html
-1354328924.287402	Cnkr172qPtDAaK7Xd	128.2.6.136	46599	173.194.75.103	80	1	-	-	-	-	1.0	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	-	-	Ft15j5I9xSpfcA7Fh	text/html
-1354328924.328257	CcxZj6188NwHGl3a16	128.2.6.136	46600	173.194.75.103	80	1	-	-	-	-	1.0	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	-	-	FyF5ac1kxwCDvXZKz7	text/html
-1354328924.350343	CUqYZc2XzbfnZKbgT	128.2.6.136	46601	173.194.75.103	80	1	PUT	www.google.com	/	-	1.0	-	0	934	411	Length Required	-	-	-	(empty)	-	-	-	-	-	FuGiTK15gnR7f8Uti2	text/html
-1354328924.391728	CVdnYXVEtNT1lQVL6	128.2.6.136	46602	173.194.75.103	80	1	POST	www.google.com	/	-	1.0	-	0	934	411	Length Required	-	-	-	(empty)	-	-	-	-	-	F93zuy2MGUDDPwg0xl	text/html
-1354328924.433150	CbNmy32YFt3gdIjV8	128.2.6.136	46603	173.194.75.103	80	1	POST	www.google.com	/HTTP/1.1	-	1.0	-	0	934	411	Length Required	-	-	-	(empty)	-	-	-	-	-	FRJvy31aqXlFemaBfc	text/html
-1354328924.496732	COTmF91mGWcb4zV7W5	128.2.6.136	46604	173.194.75.103	80	1	-	-	-	-	1.0	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	-	-	Fcnnrf1A8AgOFzLHM	text/html
-1354328924.537671	CuChlg202P8sUFuXrg	128.2.6.136	46605	173.194.75.103	80	1	-	-	-	-	1.0	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	-	-	FI3I73110YtFWCuaG3	text/html
-1354328924.559704	CZTTFm2GrMAs8leAyl	128.2.6.136	46606	173.194.75.103	80	1	HEAD	www.google.com	/	-	1.1	-	0	0	200	OK	-	-	-	(empty)	-	-	-	-	-	-	-
-1354328928.625437	CV23rC3tBHfPhMUPtf	128.2.6.136	46607	173.194.75.103	80	1	HEAD	www.google.com	/	-	1.1	-	0	0	200	OK	-	-	-	(empty)	-	-	-	-	-	-	-
-1354328932.692706	CkaPGx2P0Y3W5aHVFk	128.2.6.136	46608	173.194.75.103	80	1	HEAD	www.google.com	/HTTP/1.1	-	1.0	-	0	0	400	Bad Request	-	-	-	(empty)	-	-	-	-	-	-	-
-1354328932.754657	CY93mM3aViMiLKuSw3	128.2.6.136	46609	173.194.75.103	80	1	-	-	-	-	1.0	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	-	-	FaVAsywxxOtGAzel8	text/html
-1354328932.796568	CXgISq6dA2DVPzqp9	128.2.6.136	46610	173.194.75.103	80	1	-	-	-	-	1.0	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	-	-	FmzgEKnyfPnyZqmh	text/html
-#close	2016-01-15-20-54-32
+#open	2016-06-15-05-41-23
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	version	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	tags	username	password	proxied	orig_fuids	orig_filenames	orig_mime_types	resp_fuids	resp_filenames	resp_mime_types
+#types	time	string	addr	port	addr	port	count	string	string	string	string	string	string	count	count	count	string	count	string	set[enum]	string	string	set[string]	vector[string]	vector[string]	vector[string]	vector[string]	vector[string]	vector[string]
+1354328870.191989	CXWv6p3arKYeMETxOg	128.2.6.136	46562	173.194.75.103	80	1	OPTIONS	www.google.com	*	-	1.1	-	0	962	405	Method Not Allowed	-	-	(empty)	-	-	-	-	-	-	FKgccv1sOsIPuN3b73	-	text/html
+1354328874.237327	CjhGID4nQcgTWjvg4c	128.2.6.136	46563	173.194.75.103	80	1	OPTIONS	www.google.com	(empty)	-	1.0	-	0	925	400	Bad Request	-	-	(empty)	-	-	-	-	-	-	FWUdF12OgqGLhf3NPl	-	text/html
+1354328874.299063	CCvvfg3TEfuqmmG4bh	128.2.6.136	46564	173.194.75.103	80	1	-	-	-	-	1.0	-	0	925	400	Bad Request	-	-	(empty)	-	-	-	-	-	-	FrYoRN2EwpZyXbyvF8	-	text/html
+1354328874.342591	CsRx2w45OKnoww6xl4	128.2.6.136	46565	173.194.75.103	80	1	-	-	-	-	1.0	-	0	925	400	Bad Request	-	-	(empty)	-	-	-	-	-	-	FJPouz1lbXUsa4Ef1	-	text/html
+1354328874.364020	CRJuHdVW0XPVINV8a	128.2.6.136	46566	173.194.75.103	80	1	GET	www.google.com	/	-	1.1	-	0	43911	200	OK	-	-	(empty)	-	-	-	-	-	-	FbONWS332vB7QP1sDi	-	text/html
+1354328878.470424	CPbrpk1qSsw6ESzHV4	128.2.6.136	46567	173.194.75.103	80	1	GET	www.google.com	/	-	1.1	-	0	43983	200	OK	-	-	(empty)	-	-	-	-	-	-	Fw8xGD2taqNAOVvI88	-	text/html
+1354328882.575456	C6pKV8GSxOnSLghOa	128.2.6.136	46568	173.194.75.103	80	1	GET	www.google.com	/HTTP/1.1	-	1.0	-	0	1207	403	Forbidden	-	-	(empty)	-	-	-	-	-	-	FdEQPY3H4Z608y5yq1	-	text/html
+1354328882.928027	CIPOse170MGiRM1Qf4	128.2.6.136	46569	173.194.75.103	80	1	-	-	-	-	1.0	-	0	925	400	Bad Request	-	-	(empty)	-	-	-	-	-	-	FcNjaW3kDUju84cG3	-	text/html
+1354328882.968948	C7XEbhP654jzLoe3a	128.2.6.136	46570	173.194.75.103	80	1	-	-	-	-	1.0	-	0	925	400	Bad Request	-	-	(empty)	-	-	-	-	-	-	Fe8v8c49yLvORp3zva	-	text/html
+1354328882.990373	CJ3xTn1c4Zw9TmAE05	128.2.6.136	46571	173.194.75.103	80	1	GET	www.google.com	/	-	1.1	-	0	43913	200	OK	-	-	(empty)	-	-	-	-	-	-	FAbDo7c8yz5wducYb	-	text/html
+1354328887.114613	CMXxB5GvmoxJFXdTa	128.2.6.136	46572	173.194.75.103	80	1	-	-	-	-	1.1	-	0	961	405	Method Not Allowed	-	-	(empty)	-	-	-	-	-	-	F7zifu3d5nGrdGffO4	-	text/html
+1354328891.161077	Caby8b1slFea8xwSmb	128.2.6.136	46573	173.194.75.103	80	1	-	-	-	-	1.0	-	0	925	400	Bad Request	-	-	(empty)	-	-	-	-	-	-	FNf9mc2b0BWWP1UxWe	-	text/html
+1354328891.204740	Che1bq3i2rO3KD1Syg	128.2.6.136	46574	173.194.75.103	80	1	-	-	-	-	1.0	-	0	925	400	Bad Request	-	-	(empty)	-	-	-	-	-	-	FG2K813sKEZvZ2TNY4	-	text/html
+1354328891.245592	C3SfNE4BWaU4aSuwkc	128.2.6.136	46575	173.194.75.103	80	1	-	-	-	-	1.0	-	0	925	400	Bad Request	-	-	(empty)	-	-	-	-	-	-	FOOeqs4Vg0Zs3rcVYi	-	text/html
+1354328891.287655	CEle3f3zno26fFZkrh	128.2.6.136	46576	173.194.75.103	80	1	-	-	-	-	1.0	-	0	925	400	Bad Request	-	-	(empty)	-	-	-	-	-	-	F2wfYn1yFdeOeHFYA8	-	text/html
+1354328891.309065	CwSkQu4eWZCH7OONC1	128.2.6.136	46577	173.194.75.103	80	1	CCM_POST	www.google.com	/	-	1.1	-	0	963	405	Method Not Allowed	-	-	(empty)	-	-	-	-	-	-	F1d9bG11AdUoYIAPna	-	text/html
+1354328895.355012	CfTOmO0HKorjr8Zp7	128.2.6.136	46578	173.194.75.103	80	1	CCM_POST	www.google.com	/HTTP/1.1	-	1.0	-	0	925	400	Bad Request	-	-	(empty)	-	-	-	-	-	-	F73Xpt400aDAjp1tOj	-	text/html
+1354328895.416133	CzA03V1VcgagLjnO92	128.2.6.136	46579	173.194.75.103	80	1	-	-	-	-	1.0	-	0	925	400	Bad Request	-	-	(empty)	-	-	-	-	-	-	FANgwp2fEJblWfGtqk	-	text/html
+1354328895.459490	CyAhVIzHqb7t7kv28	128.2.6.136	46580	173.194.75.103	80	1	-	-	-	-	1.0	-	0	925	400	Bad Request	-	-	(empty)	-	-	-	-	-	-	FUelQv4zC3B2JEWwQ6	-	text/html
+1354328895.480865	Cab0vO1xNYSS2hJkle	128.2.6.136	46581	173.194.75.103	80	1	CCM_POST	www.google.com	/	-	1.1	-	0	963	405	Method Not Allowed	-	-	(empty)	-	-	-	-	-	-	FodlEg40uUijFetJb9	-	text/html
+1354328899.526682	Cx2FqO23omNawSNrxj	128.2.6.136	46582	173.194.75.103	80	1	CONNECT	www.google.com	/	-	1.1	-	0	925	400	Bad Request	-	-	(empty)	-	-	-	-	-	-	FgQlB81dSyLHN5T8Q4	-	text/html
+1354328903.572533	Cx3C534wEyF3OvvcQe	128.2.6.136	46583	173.194.75.103	80	1	CONNECT	www.google.com	/HTTP/1.1	-	1.0	-	0	925	400	Bad Request	-	-	(empty)	-	-	-	-	-	-	FW2UCD2e0jxAndsTK3	-	text/html
+1354328903.634196	CkDsfG2YIeWJmXWNWj	128.2.6.136	46584	173.194.75.103	80	1	-	-	-	-	1.0	-	0	925	400	Bad Request	-	-	(empty)	-	-	-	-	-	-	FKANAL2sLvMgJdaEKa	-	text/html
+1354328903.676395	CUKS0W3HFYOnBqSE5e	128.2.6.136	46585	173.194.75.103	80	1	-	-	-	-	1.0	-	0	925	400	Bad Request	-	-	(empty)	-	-	-	-	-	-	FNRuYy4eahAmiehFvd	-	text/html
+1354328903.697693	CRrfvP2lalMAYOCLhj	128.2.6.136	46586	173.194.75.103	80	1	CONNECT	www.google.com	/	-	1.1	-	0	925	400	Bad Request	-	-	(empty)	-	-	-	-	-	-	FAVGIL2N6x9nLyfGHh	-	text/html
+1354328907.743696	Cn78a440HlxuyZKs6f	128.2.6.136	46587	173.194.75.103	80	1	TRACE	www.google.com	/	-	1.1	-	0	960	405	Method Not Allowed	-	-	(empty)	-	-	-	-	-	-	FKbiICMAvCsO6CFjk	-	text/html
+1354328911.790590	CUof3F2yAIid8QS3dk	128.2.6.136	46588	173.194.75.103	80	1	TRACE	www.google.com	/HTTP/1.1	-	1.0	-	0	925	400	Bad Request	-	-	(empty)	-	-	-	-	-	-	FD5riIpYe5BLR0aok	-	text/html
+1354328911.853464	CojBOU3CXcLHl1r6x1	128.2.6.136	46589	173.194.75.103	80	1	-	-	-	-	1.0	-	0	925	400	Bad Request	-	-	(empty)	-	-	-	-	-	-	FUzHwP1gT2UJYnUpUi	-	text/html
+1354328911.897044	CJzVQRGJrX6V15ik7	128.2.6.136	46590	173.194.75.103	80	1	-	-	-	-	1.0	-	0	925	400	Bad Request	-	-	(empty)	-	-	-	-	-	-	FfLe59279TLFl2hHKc	-	text/html
+1354328911.918511	ClAbxY1nmdjCuo0Le2	128.2.6.136	46591	173.194.75.103	80	1	TRACE	www.google.com	/	-	1.1	-	0	960	405	Method Not Allowed	-	-	(empty)	-	-	-	-	-	-	FQrvtP3qpKeKPxn5Gf	-	text/html
+1354328915.964678	CwG0BF1VXE0gWgs78	128.2.6.136	46592	173.194.75.103	80	1	DELETE	www.google.com	/	-	1.1	-	0	961	405	Method Not Allowed	-	-	(empty)	-	-	-	-	-	-	Fs5qiV3XoBOExKLdi4	-	text/html
+1354328920.010458	CisNaL1Cm73CiNOmcg	128.2.6.136	46593	173.194.75.103	80	1	DELETE	www.google.com	/HTTP/1.1	-	1.0	-	0	925	400	Bad Request	-	-	(empty)	-	-	-	-	-	-	FpkucFbcGcM4CNkZf	-	text/html
+1354328920.072101	CBQnJn22qN8TOeeZil	128.2.6.136	46594	173.194.75.103	80	1	-	-	-	-	1.0	-	0	925	400	Bad Request	-	-	(empty)	-	-	-	-	-	-	FBu6A04t7ZjbY0dCi8	-	text/html
+1354328920.114526	CbEsuD3dgDDngdlbKf	128.2.6.136	46595	173.194.75.103	80	1	-	-	-	-	1.0	-	0	925	400	Bad Request	-	-	(empty)	-	-	-	-	-	-	Fk7Se84fbLvbZEfBCd	-	text/html
+1354328920.136714	Cktvtw2VqwbTG0OgWk	128.2.6.136	46596	173.194.75.103	80	1	DELETE	www.google.com	/	-	1.1	-	0	961	405	Method Not Allowed	-	-	(empty)	-	-	-	-	-	-	FNb8ZY2Zvw0MpF1qU4	-	text/html
+1354328924.183211	CKfF8L3XSsgT2WYDN	128.2.6.136	46597	173.194.75.103	80	1	PUT	www.google.com	/	-	1.0	-	0	934	411	Length Required	-	-	(empty)	-	-	-	-	-	-	Fo23U03XCMamm7QQWe	-	text/html
+1354328924.224567	CHrnr1115j0JRSXjG6	128.2.6.136	46598	173.194.75.103	80	1	PUT	www.google.com	/HTTP/1.1	-	1.0	-	0	934	411	Length Required	-	-	(empty)	-	-	-	-	-	-	FqyVeZqSV8Tz7hfT1	-	text/html
+1354328924.287402	Cnkr172qPtDAaK7Xd	128.2.6.136	46599	173.194.75.103	80	1	-	-	-	-	1.0	-	0	925	400	Bad Request	-	-	(empty)	-	-	-	-	-	-	Ft15j5I9xSpfcA7Fh	-	text/html
+1354328924.328257	CcxZj6188NwHGl3a16	128.2.6.136	46600	173.194.75.103	80	1	-	-	-	-	1.0	-	0	925	400	Bad Request	-	-	(empty)	-	-	-	-	-	-	FyF5ac1kxwCDvXZKz7	-	text/html
+1354328924.350343	CUqYZc2XzbfnZKbgT	128.2.6.136	46601	173.194.75.103	80	1	PUT	www.google.com	/	-	1.0	-	0	934	411	Length Required	-	-	(empty)	-	-	-	-	-	-	FuGiTK15gnR7f8Uti2	-	text/html
+1354328924.391728	CVdnYXVEtNT1lQVL6	128.2.6.136	46602	173.194.75.103	80	1	POST	www.google.com	/	-	1.0	-	0	934	411	Length Required	-	-	(empty)	-	-	-	-	-	-	F93zuy2MGUDDPwg0xl	-	text/html
+1354328924.433150	CbNmy32YFt3gdIjV8	128.2.6.136	46603	173.194.75.103	80	1	POST	www.google.com	/HTTP/1.1	-	1.0	-	0	934	411	Length Required	-	-	(empty)	-	-	-	-	-	-	FRJvy31aqXlFemaBfc	-	text/html
+1354328924.496732	COTmF91mGWcb4zV7W5	128.2.6.136	46604	173.194.75.103	80	1	-	-	-	-	1.0	-	0	925	400	Bad Request	-	-	(empty)	-	-	-	-	-	-	Fcnnrf1A8AgOFzLHM	-	text/html
+1354328924.537671	CuChlg202P8sUFuXrg	128.2.6.136	46605	173.194.75.103	80	1	-	-	-	-	1.0	-	0	925	400	Bad Request	-	-	(empty)	-	-	-	-	-	-	FI3I73110YtFWCuaG3	-	text/html
+1354328924.559704	CZTTFm2GrMAs8leAyl	128.2.6.136	46606	173.194.75.103	80	1	HEAD	www.google.com	/	-	1.1	-	0	0	200	OK	-	-	(empty)	-	-	-	-	-	-	-	-	-
+1354328928.625437	CV23rC3tBHfPhMUPtf	128.2.6.136	46607	173.194.75.103	80	1	HEAD	www.google.com	/	-	1.1	-	0	0	200	OK	-	-	(empty)	-	-	-	-	-	-	-	-	-
+1354328932.692706	CkaPGx2P0Y3W5aHVFk	128.2.6.136	46608	173.194.75.103	80	1	HEAD	www.google.com	/HTTP/1.1	-	1.0	-	0	0	400	Bad Request	-	-	(empty)	-	-	-	-	-	-	-	-	-
+1354328932.754657	CY93mM3aViMiLKuSw3	128.2.6.136	46609	173.194.75.103	80	1	-	-	-	-	1.0	-	0	925	400	Bad Request	-	-	(empty)	-	-	-	-	-	-	FaVAsywxxOtGAzel8	-	text/html
+1354328932.796568	CXgISq6dA2DVPzqp9	128.2.6.136	46610	173.194.75.103	80	1	-	-	-	-	1.0	-	0	925	400	Bad Request	-	-	(empty)	-	-	-	-	-	-	FmzgEKnyfPnyZqmh	-	text/html
+#close	2016-06-15-05-41-23
diff --git a/testing/btest/Baseline/scripts.base.protocols.http.http-methods/weird.log b/testing/btest/Baseline/scripts.base.protocols.http.http-methods/weird.log
index e10847fe2d..aa30f48131 100644
--- a/testing/btest/Baseline/scripts.base.protocols.http.http-methods/weird.log
+++ b/testing/btest/Baseline/scripts.base.protocols.http.http-methods/weird.log
@@ -3,7 +3,7 @@
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2016-01-15-20-54-31
+#open	2016-03-07-21-06-12
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
 1354328874.237327	CjhGID4nQcgTWjvg4c	128.2.6.136	46563	173.194.75.103	80	missing_HTTP_uri	-	F	bro
@@ -13,9 +13,9 @@
 1354328882.949510	C7XEbhP654jzLoe3a	128.2.6.136	46570	173.194.75.103	80	bad_HTTP_request	-	F	bro
 1354328887.094494	CMXxB5GvmoxJFXdTa	128.2.6.136	46572	173.194.75.103	80	bad_HTTP_request	-	F	bro
 1354328891.141058	Caby8b1slFea8xwSmb	128.2.6.136	46573	173.194.75.103	80	bad_HTTP_request	-	F	bro
-1354328891.183942	Che1bq3i2rO3KD1Syg	128.2.6.136	46574	173.194.75.103	80	bad_HTTP_request	-	F	bro
+1354328891.183942	Che1bq3i2rO3KD1Syg	128.2.6.136	46574	173.194.75.103	80	bad_HTTP_request_with_version	-	F	bro
 1354328891.226199	C3SfNE4BWaU4aSuwkc	128.2.6.136	46575	173.194.75.103	80	bad_HTTP_request	-	F	bro
-1354328891.267625	CEle3f3zno26fFZkrh	128.2.6.136	46576	173.194.75.103	80	bad_HTTP_request	-	F	bro
+1354328891.267625	CEle3f3zno26fFZkrh	128.2.6.136	46576	173.194.75.103	80	bad_HTTP_request_with_version	-	F	bro
 1354328891.309065	CwSkQu4eWZCH7OONC1	128.2.6.136	46577	173.194.75.103	80	unknown_HTTP_method	CCM_POST	F	bro
 1354328895.355012	CfTOmO0HKorjr8Zp7	128.2.6.136	46578	173.194.75.103	80	unknown_HTTP_method	CCM_POST	F	bro
 1354328895.396634	CzA03V1VcgagLjnO92	128.2.6.136	46579	173.194.75.103	80	bad_HTTP_request	-	F	bro
@@ -33,4 +33,4 @@
 1354328924.518204	CuChlg202P8sUFuXrg	128.2.6.136	46605	173.194.75.103	80	bad_HTTP_request	-	F	bro
 1354328932.734579	CY93mM3aViMiLKuSw3	128.2.6.136	46609	173.194.75.103	80	bad_HTTP_request	-	F	bro
 1354328932.776609	CXgISq6dA2DVPzqp9	128.2.6.136	46610	173.194.75.103	80	bad_HTTP_request	-	F	bro
-#close	2016-01-15-20-54-32
+#close	2016-03-07-21-06-12
diff --git a/testing/btest/Baseline/scripts.base.protocols.http.http-pipelining/http.log b/testing/btest/Baseline/scripts.base.protocols.http.http-pipelining/http.log
index d02f2a9bcc..7bf26bae05 100644
--- a/testing/btest/Baseline/scripts.base.protocols.http.http-pipelining/http.log
+++ b/testing/btest/Baseline/scripts.base.protocols.http.http-pipelining/http.log
@@ -3,12 +3,12 @@
 #empty_field	(empty)
 #unset_field	-
 #path	http
-#open	2016-01-15-18-41-04
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	version	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	filename	tags	username	password	proxied	orig_fuids	orig_mime_types	resp_fuids	resp_mime_types
-#types	time	string	addr	port	addr	port	count	string	string	string	string	string	string	count	count	count	string	count	string	string	set[enum]	string	string	set[string]	vector[string]	vector[string]	vector[string]	vector[string]
-1258577884.844956	CXWv6p3arKYeMETxOg	192.168.1.104	1673	63.245.209.11	80	1	GET	www.mozilla.org	/style/enhanced.css	http://www.mozilla.org/projects/calendar/	1.1	Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5	0	2675	200	OK	-	-	-	(empty)	-	-	-	-	-	Fa7DPI2ItmEOoVqyYj	text/plain
-1258577884.960135	CXWv6p3arKYeMETxOg	192.168.1.104	1673	63.245.209.11	80	2	GET	www.mozilla.org	/script/urchin.js	http://www.mozilla.org/projects/calendar/	1.1	Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5	0	21421	200	OK	-	-	-	(empty)	-	-	-	-	-	FnBh5P1KP0SnMzl3Qj	text/plain
-1258577885.317160	CXWv6p3arKYeMETxOg	192.168.1.104	1673	63.245.209.11	80	3	GET	www.mozilla.org	/images/template/screen/bullet_utility.png	http://www.mozilla.org/style/screen.css	1.1	Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5	0	94	200	OK	-	-	-	(empty)	-	-	-	-	-	F2TV5w2Kwn3G7doSk5	image/gif
-1258577885.349639	CXWv6p3arKYeMETxOg	192.168.1.104	1673	63.245.209.11	80	4	GET	www.mozilla.org	/images/template/screen/key-point-top.png	http://www.mozilla.org/style/screen.css	1.1	Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5	0	2349	200	OK	-	-	-	(empty)	-	-	-	-	-	F4kk4T3Unyqtkczzue	image/png
-1258577885.394612	CXWv6p3arKYeMETxOg	192.168.1.104	1673	63.245.209.11	80	5	GET	www.mozilla.org	/projects/calendar/images/header-sunbird.png	http://www.mozilla.org/projects/calendar/calendar.css	1.1	Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5	0	27579	200	OK	-	-	-	(empty)	-	-	-	-	-	FcB26G4nL7jRheOyA8	image/png
-#close	2016-01-15-18-41-04
+#open	2016-06-15-05-41-41
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	version	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	tags	username	password	proxied	orig_fuids	orig_filenames	orig_mime_types	resp_fuids	resp_filenames	resp_mime_types
+#types	time	string	addr	port	addr	port	count	string	string	string	string	string	string	count	count	count	string	count	string	set[enum]	string	string	set[string]	vector[string]	vector[string]	vector[string]	vector[string]	vector[string]	vector[string]
+1258577884.844956	CXWv6p3arKYeMETxOg	192.168.1.104	1673	63.245.209.11	80	1	GET	www.mozilla.org	/style/enhanced.css	http://www.mozilla.org/projects/calendar/	1.1	Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5	0	2675	200	OK	-	-	(empty)	-	-	-	-	-	-	Fa7DPI2ItmEOoVqyYj	-	text/plain
+1258577884.960135	CXWv6p3arKYeMETxOg	192.168.1.104	1673	63.245.209.11	80	2	GET	www.mozilla.org	/script/urchin.js	http://www.mozilla.org/projects/calendar/	1.1	Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5	0	21421	200	OK	-	-	(empty)	-	-	-	-	-	-	FnBh5P1KP0SnMzl3Qj	-	text/plain
+1258577885.317160	CXWv6p3arKYeMETxOg	192.168.1.104	1673	63.245.209.11	80	3	GET	www.mozilla.org	/images/template/screen/bullet_utility.png	http://www.mozilla.org/style/screen.css	1.1	Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5	0	94	200	OK	-	-	(empty)	-	-	-	-	-	-	F2TV5w2Kwn3G7doSk5	-	image/gif
+1258577885.349639	CXWv6p3arKYeMETxOg	192.168.1.104	1673	63.245.209.11	80	4	GET	www.mozilla.org	/images/template/screen/key-point-top.png	http://www.mozilla.org/style/screen.css	1.1	Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5	0	2349	200	OK	-	-	(empty)	-	-	-	-	-	-	F4kk4T3Unyqtkczzue	-	image/png
+1258577885.394612	CXWv6p3arKYeMETxOg	192.168.1.104	1673	63.245.209.11	80	5	GET	www.mozilla.org	/projects/calendar/images/header-sunbird.png	http://www.mozilla.org/projects/calendar/calendar.css	1.1	Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5	0	27579	200	OK	-	-	(empty)	-	-	-	-	-	-	FcB26G4nL7jRheOyA8	-	image/png
+#close	2016-06-15-05-41-41
diff --git a/testing/btest/Baseline/scripts.base.protocols.http.missing-zlib-header/http.log b/testing/btest/Baseline/scripts.base.protocols.http.missing-zlib-header/http.log
index 059d4a6a28..ebdca116bf 100644
--- a/testing/btest/Baseline/scripts.base.protocols.http.missing-zlib-header/http.log
+++ b/testing/btest/Baseline/scripts.base.protocols.http.missing-zlib-header/http.log
@@ -3,9 +3,9 @@
 #empty_field	(empty)
 #unset_field	-
 #path	http
-#open	2016-01-15-18-41-05
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	version	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	filename	tags	username	password	proxied	orig_fuids	orig_mime_types	resp_fuids	resp_mime_types
-#types	time	string	addr	port	addr	port	count	string	string	string	string	string	string	count	count	count	string	count	string	string	set[enum]	string	string	set[string]	vector[string]	vector[string]	vector[string]	vector[string]
-1232039472.314927	CXWv6p3arKYeMETxOg	237.244.174.255	1905	79.218.110.244	80	1	GET	ads1.msn.com	/library/dap.js	http://zone.msn.com/en/root/default.htm	1.1	Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727)	0	13249	200	OK	-	-	-	(empty)	-	-	-	-	-	FBcNS3RwceOxW15xg	text/plain
-1232039472.446194	CXWv6p3arKYeMETxOg	237.244.174.255	1905	79.218.110.244	80	2	GET	ads1.msn.com	/library/dap.js	http://zone.msn.com/en/root/default.htm	1.1	Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727)	0	13249	200	OK	-	-	-	(empty)	-	-	-	-	-	FDWU85N0DpedJPh93	text/plain
-#close	2016-01-15-18-41-05
+#open	2016-06-15-05-41-51
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	version	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	tags	username	password	proxied	orig_fuids	orig_filenames	orig_mime_types	resp_fuids	resp_filenames	resp_mime_types
+#types	time	string	addr	port	addr	port	count	string	string	string	string	string	string	count	count	count	string	count	string	set[enum]	string	string	set[string]	vector[string]	vector[string]	vector[string]	vector[string]	vector[string]	vector[string]
+1232039472.314927	CXWv6p3arKYeMETxOg	237.244.174.255	1905	79.218.110.244	80	1	GET	ads1.msn.com	/library/dap.js	http://zone.msn.com/en/root/default.htm	1.1	Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727)	0	13249	200	OK	-	-	(empty)	-	-	-	-	-	-	FBcNS3RwceOxW15xg	-	text/plain
+1232039472.446194	CXWv6p3arKYeMETxOg	237.244.174.255	1905	79.218.110.244	80	2	GET	ads1.msn.com	/library/dap.js	http://zone.msn.com/en/root/default.htm	1.1	Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727)	0	13249	200	OK	-	-	(empty)	-	-	-	-	-	-	FDWU85N0DpedJPh93	-	text/plain
+#close	2016-06-15-05-41-51
diff --git a/testing/btest/Baseline/scripts.base.protocols.http.multipart-extract/http.log b/testing/btest/Baseline/scripts.base.protocols.http.multipart-extract/http.log
index db69de700e..4fd0ad0cfe 100644
--- a/testing/btest/Baseline/scripts.base.protocols.http.multipart-extract/http.log
+++ b/testing/btest/Baseline/scripts.base.protocols.http.multipart-extract/http.log
@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	http
-#open	2016-01-15-18-41-06
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	version	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	filename	tags	username	password	proxied	orig_fuids	orig_mime_types	resp_fuids	resp_mime_types
-#types	time	string	addr	port	addr	port	count	string	string	string	string	string	string	count	count	count	string	count	string	string	set[enum]	string	string	set[string]	vector[string]	vector[string]	vector[string]	vector[string]
-1369159408.455878	CXWv6p3arKYeMETxOg	141.142.228.5	57262	54.243.88.146	80	1	POST	httpbin.org	/post	-	1.1	curl/7.30.0	370	465	200	OK	-	-	-	(empty)	-	-	-	F2yGNX2vGXLxfZeD12,Fq4rJh2kLHKa8YC1q1,F9sKY71Rb9megdy7sg	-	FjeopJ2lRk9U1CNNb5	text/json
-#close	2016-01-15-18-41-06
+#open	2016-06-15-05-42-00
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	version	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	tags	username	password	proxied	orig_fuids	orig_filenames	orig_mime_types	resp_fuids	resp_filenames	resp_mime_types
+#types	time	string	addr	port	addr	port	count	string	string	string	string	string	string	count	count	count	string	count	string	set[enum]	string	string	set[string]	vector[string]	vector[string]	vector[string]	vector[string]	vector[string]	vector[string]
+1369159408.455878	CXWv6p3arKYeMETxOg	141.142.228.5	57262	54.243.88.146	80	1	POST	httpbin.org	/post	-	1.1	curl/7.30.0	370	465	200	OK	-	-	(empty)	-	-	-	F2yGNX2vGXLxfZeD12,Fq4rJh2kLHKa8YC1q1,F9sKY71Rb9megdy7sg	-	-	FjeopJ2lRk9U1CNNb5	-	text/json
+#close	2016-06-15-05-42-00
diff --git a/testing/btest/Baseline/scripts.base.protocols.http.no-uri/http.log b/testing/btest/Baseline/scripts.base.protocols.http.no-uri/http.log
index bdcd4aae19..d55baca4a8 100644
--- a/testing/btest/Baseline/scripts.base.protocols.http.no-uri/http.log
+++ b/testing/btest/Baseline/scripts.base.protocols.http.no-uri/http.log
@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	http
-#open	2016-01-15-20-42-50
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	version	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	filename	tags	username	password	proxied	orig_fuids	orig_mime_types	resp_fuids	resp_mime_types
-#types	time	string	addr	port	addr	port	count	string	string	string	string	string	string	count	count	count	string	count	string	string	set[enum]	string	string	set[string]	vector[string]	vector[string]	vector[string]	vector[string]
-1362692526.939527	CXWv6p3arKYeMETxOg	141.142.228.5	59856	192.150.187.43	80	1	GET	bro.org	(empty)	-	1.1	-	0	4705	200	OK	-	-	-	(empty)	-	-	-	-	-	FakNcS1Jfe01uljb3	text/plain
-#close	2016-01-15-20-42-50
+#open	2016-06-15-05-42-09
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	version	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	tags	username	password	proxied	orig_fuids	orig_filenames	orig_mime_types	resp_fuids	resp_filenames	resp_mime_types
+#types	time	string	addr	port	addr	port	count	string	string	string	string	string	string	count	count	count	string	count	string	set[enum]	string	string	set[string]	vector[string]	vector[string]	vector[string]	vector[string]	vector[string]	vector[string]
+1362692526.939527	CXWv6p3arKYeMETxOg	141.142.228.5	59856	192.150.187.43	80	1	GET	bro.org	(empty)	-	1.1	-	0	4705	200	OK	-	-	(empty)	-	-	-	-	-	-	FakNcS1Jfe01uljb3	-	text/plain
+#close	2016-06-15-05-42-09
diff --git a/testing/btest/Baseline/scripts.base.protocols.http.no-version/http.log b/testing/btest/Baseline/scripts.base.protocols.http.no-version/http.log
index a1ab36435b..9d2f190a72 100644
--- a/testing/btest/Baseline/scripts.base.protocols.http.no-version/http.log
+++ b/testing/btest/Baseline/scripts.base.protocols.http.no-version/http.log
@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	http
-#open	2016-01-15-20-44-15
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	version	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	filename	tags	username	password	proxied	orig_fuids	orig_mime_types	resp_fuids	resp_mime_types
-#types	time	string	addr	port	addr	port	count	string	string	string	string	string	string	count	count	count	string	count	string	string	set[enum]	string	string	set[string]	vector[string]	vector[string]	vector[string]	vector[string]
-1036020209.801685	CXWv6p3arKYeMETxOg	131.243.1.23	1035	131.243.1.10	80	1	GET	-	/cgi-bin/formmail.pl?email=f2@aol.com&subject=www-nrg.ee/cgi-bin/formmail.pl&recipient=unknownz@buy2save.com&msg=w00t	-	-	-	0	0	-	-	-	-	-	(empty)	-	-	-	-	-	-	-
-#close	2016-01-15-20-44-15
+#open	2016-06-15-05-42-25
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	version	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	tags	username	password	proxied	orig_fuids	orig_filenames	orig_mime_types	resp_fuids	resp_filenames	resp_mime_types
+#types	time	string	addr	port	addr	port	count	string	string	string	string	string	string	count	count	count	string	count	string	set[enum]	string	string	set[string]	vector[string]	vector[string]	vector[string]	vector[string]	vector[string]	vector[string]
+1036020209.801685	CXWv6p3arKYeMETxOg	131.243.1.23	1035	131.243.1.10	80	1	GET	-	/cgi-bin/formmail.pl?email=f2@aol.com&subject=www-nrg.ee/cgi-bin/formmail.pl&recipient=unknownz@buy2save.com&msg=w00t	-	-	-	0	0	-	-	-	-	(empty)	-	-	-	-	-	-	-	-	-
+#close	2016-06-15-05-42-25
diff --git a/testing/btest/Baseline/scripts.base.protocols.imap.capabilities/.stdout b/testing/btest/Baseline/scripts.base.protocols.imap.capabilities/.stdout
new file mode 100644
index 0000000000..bf69e13682
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.imap.capabilities/.stdout
@@ -0,0 +1 @@
+[IMAP4rev1, CHILDREN, ENABLE, ID, IDLE, LIST-EXTENDED, LIST-STATUS, LITERAL+, MOVE, NAMESPACE, SASL-IR, SORT, SPECIAL-USE, THREAD=ORDEREDSUBJECT, UIDPLUS, UNSELECT, WITHIN, STARTTLS, AUTH=LOGIN, AUTH=PLAIN]
diff --git a/testing/btest/Baseline/scripts.base.protocols.imap.starttls/.stdout b/testing/btest/Baseline/scripts.base.protocols.imap.starttls/.stdout
new file mode 100644
index 0000000000..5fbafd3ab3
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.imap.starttls/.stdout
@@ -0,0 +1 @@
+Tls started for connection
diff --git a/testing/btest/Baseline/scripts.base.protocols.imap.starttls/conn.log b/testing/btest/Baseline/scripts.base.protocols.imap.starttls/conn.log
new file mode 100644
index 0000000000..0ae19c2fda
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.imap.starttls/conn.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	conn
+#open	2015-07-22-17-31-02
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]
+1437584567.812552	CXWv6p3arKYeMETxOg	192.168.17.53	49640	212.227.17.186	143	tcp	ssl,imap	2.827002	540	5653	SF	-	-	0	ShAdDafFr	18	1284	14	6225	(empty)
+#close	2015-07-22-17-31-02
diff --git a/testing/btest/Baseline/scripts.base.protocols.imap.starttls/ssl.log b/testing/btest/Baseline/scripts.base.protocols.imap.starttls/ssl.log
new file mode 100644
index 0000000000..aefbf3d41e
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.imap.starttls/ssl.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	ssl
+#open	2015-07-22-17-31-02
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	resumed	last_alert	next_protocol	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer
+#types	time	string	addr	port	addr	port	string	string	string	string	bool	string	string	bool	vector[string]	vector[string]	string	string	string	string
+1437584568.570497	CXWv6p3arKYeMETxOg	192.168.17.53	49640	212.227.17.186	143	TLSv12	TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384	secp256r1	-	F	-	-	T	FOWmhO3rUj3SEB5RTb,FjH9n52SzEIJ9UoVK9,FisDHa396LIaZadgG9	(empty)	CN=imap.gmx.net,emailAddress=server-certs@1und1.de,L=Montabaur,ST=Rhineland-Palatinate,O=1&1 Mail & Media GmbH,C=DE	CN=TeleSec ServerPass DE-1,street=Untere Industriestr. 20,L=Netphen,postalCode=57250,ST=NRW,OU=T-Systems Trust Center,O=T-Systems International GmbH,C=DE	-	-
+#close	2015-07-22-17-31-02
diff --git a/testing/btest/Baseline/scripts.base.protocols.imap.starttls/x509.log b/testing/btest/Baseline/scripts.base.protocols.imap.starttls/x509.log
new file mode 100644
index 0000000000..6d1be68725
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.imap.starttls/x509.log
@@ -0,0 +1,12 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	x509
+#open	2015-07-22-17-31-02
+#fields	ts	id	certificate.version	certificate.serial	certificate.subject	certificate.issuer	certificate.not_valid_before	certificate.not_valid_after	certificate.key_alg	certificate.sig_alg	certificate.key_type	certificate.key_length	certificate.exponent	certificate.curve	san.dns	san.uri	san.email	san.ip	basic_constraints.ca	basic_constraints.path_len
+#types	time	string	count	string	string	string	time	time	string	string	string	count	string	string	vector[string]	vector[string]	vector[string]	vector[addr]	bool	count
+1437584568.769690	FOWmhO3rUj3SEB5RTb	3	339D9ED8E73927C9	CN=imap.gmx.net,emailAddress=server-certs@1und1.de,L=Montabaur,ST=Rhineland-Palatinate,O=1&1 Mail & Media GmbH,C=DE	CN=TeleSec ServerPass DE-1,street=Untere Industriestr. 20,L=Netphen,postalCode=57250,ST=NRW,OU=T-Systems Trust Center,O=T-Systems International GmbH,C=DE	1384251451.000000	1479427199.000000	rsaEncryption	sha1WithRSAEncryption	rsa	2048	65537	-	imap.gmx.net,imap.gmx.de	-	-	-	F	-
+1437584568.769690	FjH9n52SzEIJ9UoVK9	3	21B6777E8CBD0EA8	CN=TeleSec ServerPass DE-1,street=Untere Industriestr. 20,L=Netphen,postalCode=57250,ST=NRW,OU=T-Systems Trust Center,O=T-Systems International GmbH,C=DE	CN=Deutsche Telekom Root CA 2,OU=T-TeleSec Trust Center,O=Deutsche Telekom AG,C=DE	1362146309.000000	1562716740.000000	rsaEncryption	sha1WithRSAEncryption	rsa	2048	65537	-	-	-	-	-	T	0
+1437584568.769690	FisDHa396LIaZadgG9	3	26	CN=Deutsche Telekom Root CA 2,OU=T-TeleSec Trust Center,O=Deutsche Telekom AG,C=DE	CN=Deutsche Telekom Root CA 2,OU=T-TeleSec Trust Center,O=Deutsche Telekom AG,C=DE	931522260.000000	1562716740.000000	rsaEncryption	sha1WithRSAEncryption	rsa	2048	65537	-	-	-	-	-	T	5
+#close	2015-07-22-17-31-02
diff --git a/testing/btest/Baseline/scripts.base.protocols.irc.events/.stdout b/testing/btest/Baseline/scripts.base.protocols.irc.events/.stdout
new file mode 100644
index 0000000000..bc5df852c2
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.irc.events/.stdout
@@ -0,0 +1,20 @@
+thenagualII!~affreujoj@THENAGUAL.users.undernet.org -> #easymovies: \x02TDCC Server Online\x02 Desc:\xc2\xabjet li fong sai yuk 2 vostfr\xc2\xbb Trigger:\xc2\xabtrigger1\xc2\xbb Size:\xc2\xab699MB\xc2\xbb Sends:\xc2\xab0/2\xc2\xbb Queues:\xc2\xab0/10\xc2\xbb Record CPS:\xc2\xab0 cps by n/a\xc2\xbb Downloads:\xc2\xab0\xc2\xbb \x0f\x97I-n-v-i-s-i-o-n\x97
+thenagualII!~affreujoj@THENAGUAL.users.undernet.org -> #easymovies: \x02TDCC Server Online\x02 Desc:\xc2\xabarturo.brachetti.l.homme.aux.mille.songes.avi\xc2\xbb Trigger:\xc2\xabtriggerII\xc2\xbb Size:\xc2\xab698MB\xc2\xbb Sends:\xc2\xab0/2\xc2\xbb Queues:\xc2\xab0/10\xc2\xbb Record CPS:\xc2\xab0 cps by n/a\xc2\xbb Downloads:\xc2\xab0\xc2\xbb \x0f\x97I-n-v-i-s-i-o-n\x97
+thenagualII!~affreujoj@THENAGUAL.users.undernet.org -> #easymovies: \x02TDCC Server Online\x02 Desc:\xc2\xabnational geographic les hackers.avi\xc2\xbb Trigger:\xc2\xab!tdcc-3\xc2\xbb Size:\xc2\xab693MB\xc2\xbb Sends:\xc2\xab0/2\xc2\xbb Queues:\xc2\xab0/10\xc2\xbb Record CPS:\xc2\xab0 cps by n/a\xc2\xbb Downloads:\xc2\xab0\xc2\xbb \x0f\x97I-n-v-i-s-i-o-n\x97
+i-am-mojo!~morgana1@mojojo.users.undernet.org -> #easymovies: \x0308,01 Movies and music updated on the weekends........ \x0304,01Type:\x0308,01 @i-am-mojo \x0304,01For My List Of:\x0308,01 5,307 \x0304,01Files \x0302,01~ \x0304,01Slots:\x0308,01 3/4 \x0302,01~ \x0304,01Queued:\x0308,01 0 \x0302,01~ \x0304,01Speed:\x0308,01 26,007cps \x0302,01~ \x0304,01Next: \x0308,01NOW \x0302,01~ \x0304,01Served:\x0308,01 1,403 \x0302,01~ \x0304,01List: \x0308,01Jul 17th \x0302,01~ \x0304,01Search: \x0308,01ON \x0302,01~ \x0304,01Mode: \x0308,01Normal \x0302,01~
+i-am-mojo!~morgana1@mojojo.users.undernet.org -> #easymovies: SLOTS 4 3 NOW 0 999 64627 5307 341063215095 0 1310935138 105421 OmeNServE v2.51\x01
+ladyvampress!~who_cares@ladyvampress.users.undernet.org -> #easymovies: \x0313,01 \x0313,1Movies and Assorted TV shows \x0315,01Type:\x0313,01 @ladyvampress \x0315,01For My List Of:\x0313,01 3,311 \x0315,01Files \x0314,01- \x0315,01Slots:\x0313,01 0/2 \x0314,01- \x0315,01Queued:\x0313,01 8 \x0314,01- \x0315,01Speed:\x0313,01 79,921cps \x0314,01- \x0315,01Next: \x0313,0192m \x0314,01- \x0315,01Served:\x0313,01 6,990 \x0314,01- \x0315,01List: \x0313,01Jul 7th \x0314,01- \x0315,01Search: \x0313,01ON \x0314,01- \x0315,01Mode: \x0313,01Normal \x0314,01-
+ -> thenagualII: trigger1
+ladyvampress!~who_cares@ladyvampress.users.undernet.org -> #easymovies: SLOTS 2 0 92m 8 999 79921 3311 2111443703336 0 1310040328 107209 OmeNServE v2.52\x01
+zEmm!ExUser@zem122.users.undernet.org -> #easymovies: \x0308\xab\xab \x0307Server\x0308 \xbb\xbb \x0304Trigger\x0308~[\x0307/ctcp zEmm !!bizzniches!!\x0308]~ \x0304Used\x0308~[\x03070 cps\x0308]~ \x0304Next.Send\x0308~[\x0307Open\x0308]~ \x0304Stole\x0308~[\x0307142.93Gb in 143 files\x0308]~ \x0304Record\x0308~[\x0307174.2Kb/s by Pontius\x0308]~ \x0304Sends\x0308~[\x03070/2\x0308]~ \x0304Queues\x0308~[\x03070/10\x0308]~ \x0304Entered\x0308~[\x0307565 times\x0308]~ \x0304Note\x0308~[\x0307get the new...\x0308]~ \x0308\x02\xab\x02 \x0304\xcb\xd7\xc7\x0308\xfc\x0304\xae\xa7\xee\xf6\xf1 \x0308\x02\xbb\x02
+thenagualII!~affreujoj@THENAGUAL.users.undernet.org -> #easymovies: \x0304,00DVD DIVX ASS APPZ DOCU PHOTOS\x0314,00\x95 \x0301,00Type:\x0304,00 @thenagualII \x0301,00For My List Of:\x0304,00 69,157 \x0301,00Files \x0314,00\x95 \x0301,00Slots:\x0304,00 15/15 \x0314,00\x95 \x0301,00Queued:\x0304,00 0 \x0314,00\x95 \x0301,00Speed:\x0304,00 0cps \x0314,00\x95 \x0301,00Next: \x0304,00NOW \x0314,00\x95 \x0301,00Served:\x0304,00 853 \x0314,00\x95 \x0301,00List: \x0304,00Jul 19th \x0314,00\x95 \x0301,00Search: \x0304,00OFF \x0314,00\x95 \x0301,00Mode: \x0304,00Normal \x0314,00\x95
+ -> ladyvampress: list
+ -> #easymovies: @ladyvampress
+gordon1`^!~allu0002@gordon2411.users.undernet.org -> #easymovies: \x0308\x02File Server Online\x02 \x0303Triggers:\xab\x0308\x0308/ctcp gordon1`^ /ctcp gordon1`^ /CTCP gordon1`^ Movies Galore\x0303\xbb Sends:\xab\x03081/30\x0303\xbb Queues:\xab\x03080/30\x0303\xbb Accessed:\xab\x03082556 times\x0303\xbb Online:\xab\x03080/4\x0303\xbb RCPS:\xab\x0308193.8 Kbs by MadDingo\x0303\xbb Served:\xab\x03081.14TB in 1118 files\x0303\xbb Current BW:\xab\x030818.7 Kbs\x0303\xbb AQT:\xab\x0308No Wait\x0303\xbb \x0f\x0303\x97\x0314I\x0303-\x0315n\x0303-\x0315v\x0303-\x0300i\x0303-\x0300s\x0303-\x0315i\x0303-\x0315o\x0303-\x0314n\x0303\x97\x0f
+quit:  ()
+ -> #brotest: test
+quit:  (quitting)
+quit: brotest (Client Quit)
+ -> #BROTEST: test
+quit:  (quitting)
+quit: brotest (Client Quit)
diff --git a/testing/btest/Baseline/scripts.base.protocols.rfb.rfb-apple-remote-desktop/rfb.log b/testing/btest/Baseline/scripts.base.protocols.rfb.rfb-apple-remote-desktop/rfb.log
new file mode 100644
index 0000000000..6f8a2e987d
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.rfb.rfb-apple-remote-desktop/rfb.log
@@ -0,0 +1,12 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	rfb
+#open	2016-04-11-08-25-48
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	client_major_version	client_minor_version	server_major_version	server_minor_version	authentication_method	auth	share_flag	desktop_name	width	height
+#types	time	string	addr	port	addr	port	string	string	string	string	string	bool	bool	string	count	count
+1459148054.031382	CCvvfg3TEfuqmmG4bh	192.168.2.115	52353	192.168.2.16	5900	003	889	003	889	Apple Remote Desktop	T	T	\x00\x00\x00\x00\x00\x02\xbf\xfe\xe7\x03\xe0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00MacMini SSD	1920	1080
+1459148050.685932	CjhGID4nQcgTWjvg4c	192.168.2.115	52352	192.168.2.16	5900	003	889	003	889	Apple Remote Desktop	F	-	-	-	-
+1459148047.738043	CXWv6p3arKYeMETxOg	192.168.2.115	52351	192.168.2.16	5900	003	889	003	889	-	-	-	-	-	-
+#close	2016-04-11-08-25-48
diff --git a/testing/btest/Baseline/scripts.base.protocols.rfb.vnc-mac-to-linux/rfb.log b/testing/btest/Baseline/scripts.base.protocols.rfb.vnc-mac-to-linux/rfb.log
new file mode 100644
index 0000000000..de1d70ec63
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.rfb.vnc-mac-to-linux/rfb.log
@@ -0,0 +1,12 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	rfb
+#open	2016-04-06-13-48-56
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	client_major_version	client_minor_version	server_major_version	server_minor_version	authentication_method	auth	share_flag	desktop_name	width	height
+#types	time	string	addr	port	addr	port	string	string	string	string	string	bool	bool	string	count	count
+1459093553.334734	CsRx2w45OKnoww6xl4	192.168.2.115	49259	192.168.2.125	5901	003	003	003	008	VNC	T	T	root's X desktop (martin-VirtualBox:1)	1024	768
+1459093548.745805	CjhGID4nQcgTWjvg4c	192.168.2.115	49256	192.168.2.125	5901	003	003	003	008	VNC	-	-	-	-	-
+1459093551.559391	CCvvfg3TEfuqmmG4bh	192.168.2.115	49257	192.168.2.125	5901	003	003	003	008	VNC	F	-	-	-	-
+#close	2016-04-06-13-48-56
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssh.basic/conn.log b/testing/btest/Baseline/scripts.base.protocols.ssh.basic/conn.log
new file mode 100644
index 0000000000..674c0c0e3e
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ssh.basic/conn.log
@@ -0,0 +1,34 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	conn
+#open	2016-03-08-15-45-10
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]
+1324071333.493287	CXWv6p3arKYeMETxOg	192.168.1.79	51880	131.159.21.1	22	tcp	ssh	6.159326	2669	2501	SF	-	-	0	ShAdDaFf	25	3981	20	3549	(empty)
+1409516196.337184	CjhGID4nQcgTWjvg4c	10.0.0.18	40184	128.2.6.88	41644	tcp	ssh	2.079071	3813	3633	SF	-	-	0	ShADadFf	22	4965	26	5017	(empty)
+1419870189.485611	CCvvfg3TEfuqmmG4bh	192.168.2.1	57189	192.168.2.158	22	tcp	ssh	6.641754	5253	3489	SF	-	-	0	ShADadFf	38	7241	29	5005	(empty)
+1419870206.101883	CsRx2w45OKnoww6xl4	192.168.2.1	57191	192.168.2.158	22	tcp	ssh	3.862198	576	813	SF	-	-	0	ShAdDaFf	23	1784	16	1653	(empty)
+1419996264.318569	CRJuHdVW0XPVINV8a	192.168.2.1	55179	192.168.2.158	2200	tcp	ssh	2.557930	2757	1721	RSTR	-	-	0	ShADadFr	37	4693	29	3225	(empty)
+1420588548.721272	CPbrpk1qSsw6ESzHV4	192.168.2.1	56594	192.168.2.158	22	tcp	ssh	8.841749	480	537	SF	-	-	0	ShAdDaFf	17	1376	14	1273	(empty)
+1420590124.879760	C6pKV8GSxOnSLghOa	192.168.2.1	56821	192.168.2.158	22	tcp	ssh	1.106250	820	1125	SF	-	-	0	ShAdDaFf	26	2184	20	2173	(empty)
+1420590308.775525	CIPOse170MGiRM1Qf4	192.168.2.1	56837	192.168.2.158	22	tcp	ssh	1.080767	692	997	SF	-	-	0	ShAdDaFf	25	2004	19	1993	(empty)
+1420590322.673363	C7XEbhP654jzLoe3a	192.168.2.1	56845	192.168.2.158	22	tcp	ssh	1.302395	660	965	SF	-	-	0	ShAdDaFf	26	2024	20	2013	(empty)
+1420590636.473213	CJ3xTn1c4Zw9TmAE05	192.168.2.1	56875	192.168.2.158	22	tcp	ssh	12.013506	588	549	SF	-	-	0	ShAdDaFf	19	1588	16	1389	(empty)
+1420590659.422161	CMXxB5GvmoxJFXdTa	192.168.2.1	56878	192.168.2.158	22	tcp	ssh	3.628964	684	825	SF	-	-	0	ShAdDaFf	25	1996	19	1821	(empty)
+1420591379.650462	Caby8b1slFea8xwSmb	192.168.2.1	56940	192.168.2.158	22	tcp	ssh	0.104978	500	609	SF	-	-	0	ShAdDaFf	14	1240	10	1137	(empty)
+1420599430.822385	Che1bq3i2rO3KD1Syg	192.168.2.1	57831	192.168.2.158	22	tcp	ssh	2.758790	576	813	SF	-	-	0	ShAdDaFf	23	1784	18	1757	(empty)
+1420851448.309629	C3SfNE4BWaU4aSuwkc	192.168.2.1	59246	192.168.2.158	22	tcp	ssh	3.076752	3049	4165	SF	-	-	0	ShADadFf	32	4725	23	5369	(empty)
+1420860283.029061	CEle3f3zno26fFZkrh	192.168.1.32	41164	128.2.10.238	22	tcp	ssh	8.485357	6087	3015	SF	-	-	0	ShADadFf	32	7759	33	4763	(empty)
+1420860616.400297	CwSkQu4eWZCH7OONC1	192.168.1.32	33910	128.2.13.133	22	tcp	ssh	1.910959	6471	6037	SF	-	-	0	ShADadFf	33	8195	29	7565	(empty)
+1420868281.639103	CfTOmO0HKorjr8Zp7	192.168.1.32	41268	128.2.10.238	22	tcp	ssh	2.710778	5613	2487	SF	-	-	0	ShADadFf	24	6869	20	3535	(empty)
+1420917487.220407	Cab0vO1xNYSS2hJkle	192.168.1.31	52294	192.168.1.32	22	tcp	ssh	3.658968	3729	2229	SF	-	-	0	ShADadFf	36	5613	24	3497	(empty)
+1420917487.213378	CzA03V1VcgagLjnO92	192.168.1.31	57621	192.168.1.255	57621	udp	-	-	-	-	S0	-	-	0	D	1	72	0	0	(empty)
+1420917487.213468	CyAhVIzHqb7t7kv28	192.168.1.32	57621	192.168.1.31	57621	udp	-	-	-	-	S0	-	-	0	D	1	72	0	0	(empty)
+1421006072.431795	Cx3C534wEyF3OvvcQe	192.168.1.31	51476	192.168.1.32	8118	tcp	-	0.000539	76	0	SF	-	-	0	DaFfA	6	388	5	284	(empty)
+1421006072.001012	Cx2FqO23omNawSNrxj	192.168.1.31	51489	192.168.1.32	22	tcp	ssh	4.926958	4029	2497	SF	-	-	0	ShAdDaFf	42	6249	27	3937	(empty)
+1421041176.944687	CkDsfG2YIeWJmXWNWj	192.168.1.32	58641	131.103.20.168	22	tcp	ssh	0.587601	2885	2309	SF	-	-	0	ShADdaFf	16	3725	13	2993	(empty)
+1421041299.738916	CUKS0W3HFYOnBqSE5e	192.168.1.32	58646	131.103.20.168	22	tcp	ssh	2.236727	4477	535101	SF	-	-	0	ShADadFf	179	13793	226	546861	(empty)
+1421041526.312919	CRrfvP2lalMAYOCLhj	192.168.1.32	58649	131.103.20.168	22	tcp	ssh	2.066433	4477	534861	SF	-	-	0	ShADadFf	183	14001	236	547141	(empty)
+#close	2016-03-08-15-45-10
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.cve-2015-3194/ssl.log b/testing/btest/Baseline/scripts.base.protocols.ssl.cve-2015-3194/ssl.log
new file mode 100644
index 0000000000..d01b484a71
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.cve-2015-3194/ssl.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	ssl
+#open	2016-01-19-22-45-44
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	resumed	last_alert	next_protocol	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer	validation_status
+#types	time	string	addr	port	addr	port	string	string	string	string	bool	string	string	bool	vector[string]	vector[string]	string	string	string	string	string
+1449265638.475275	CXWv6p3arKYeMETxOg	192.168.6.74	52122	104.236.167.107	4433	TLSv12	TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384	secp256r1	-	F	-	-	T	Fvv5qY2DMGQY2MYQ03	(empty)	CN=bro.org,L=Berkeley,ST=CA,C=US	CN=Visa eCommerce Root,OU=Visa International Service Association,O=VISA,C=US	-	-	certificate signature failure
+#close	2016-01-19-22-45-44
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.dtls-stun-dpd/dpd.log b/testing/btest/Baseline/scripts.base.protocols.ssl.dtls-stun-dpd/dpd.log
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.dtls-stun-dpd/ssl.log b/testing/btest/Baseline/scripts.base.protocols.ssl.dtls-stun-dpd/ssl.log
new file mode 100644
index 0000000000..0328a5e982
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.dtls-stun-dpd/ssl.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	ssl
+#open	2016-05-17-23-36-28
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	resumed	last_alert	next_protocol	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer
+#types	time	string	addr	port	addr	port	string	string	string	string	bool	string	string	bool	vector[string]	vector[string]	string	string	string	string
+1463527314.688817	CXWv6p3arKYeMETxOg	192.168.6.82	51462	74.201.205.9	43044	DTLSv10	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA	secp256r1	-	F	-	-	T	Fk1e6E3pbe7faF41T5	FjQcYL1EtJ5VueihC7	CN=mantis.tokbox.com,O=Tokbox,L=San Francisco,ST=California,C=US	CN=mantis.tokbox.com,O=Tokbox,L=San Francisco,ST=California,C=US	CN=a	CN=a
+#close	2016-05-17-23-36-28
diff --git a/testing/btest/Baseline/scripts.base.protocols.xmpp.client-dpd/ssl.log b/testing/btest/Baseline/scripts.base.protocols.xmpp.client-dpd/ssl.log
new file mode 100644
index 0000000000..0ce11b2e6f
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.xmpp.client-dpd/ssl.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	ssl
+#open	2015-07-21-20-08-11
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	resumed	last_alert	next_protocol	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer
+#types	time	string	addr	port	addr	port	string	string	string	string	bool	string	string	bool	vector[string]	vector[string]	string	string	string	string
+1437091702.232293	CXWv6p3arKYeMETxOg	198.128.203.95	56048	146.255.57.229	5222	TLSv12	TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384	secp256r1	-	F	-	-	T	F5Nz2G1vSZQ0QXM2s8,FUw8omi2keRxShDUa	(empty)	CN=jabber.ccc.de,O=Chaos Computer Club e.V.,L=Hamburg,ST=Hamburg,C=DE	emailAddress=support@cacert.org,CN=CA Cert Signing Authority,OU=http://www.cacert.org,O=Root CA	-	-
+#close	2015-07-21-20-08-11
diff --git a/testing/btest/Baseline/scripts.base.protocols.xmpp.server-dialback-dpd/ssl.log b/testing/btest/Baseline/scripts.base.protocols.xmpp.server-dialback-dpd/ssl.log
new file mode 100644
index 0000000000..15641ba5b0
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.xmpp.server-dialback-dpd/ssl.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	ssl
+#open	2015-07-21-20-18-36
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	resumed	last_alert	next_protocol	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer
+#types	time	string	addr	port	addr	port	string	string	string	string	bool	string	string	bool	vector[string]	vector[string]	string	string	string	string
+1437506779.381295	CXWv6p3arKYeMETxOg	184.73.173.246	1193	104.236.167.107	5269	TLSv12	TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384	secp384r1	-	F	-	-	T	FLFr7Z1TXmFDv9FwC2,FydVem3ToAkEIAHD29,FK07OA1VxtQi69Irde	F3D2e62Vxl7iTnwbA4,FUCD5w4ABMG5N0YvSi,FxWUEd3mgvThYO2uod,FGOrVE2laVCPsCLMF6	CN=www.0xxon.net,OU=Free SSL,OU=Domain Control Validated	CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB	CN=*.hosted.im,OU=Domain Control Validated	CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O=GoDaddy.com\\, Inc.,L=Scottsdale,ST=Arizona,C=US
+#close	2015-07-21-20-18-36
diff --git a/testing/btest/Baseline/scripts.base.protocols.xmpp.starttls/conn.log b/testing/btest/Baseline/scripts.base.protocols.xmpp.starttls/conn.log
new file mode 100644
index 0000000000..2f5bd2f66d
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.xmpp.starttls/conn.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	conn
+#open	2015-07-21-18-55-16
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]
+1437091701.732171	CXWv6p3arKYeMETxOg	198.128.203.95	56048	146.255.57.229	5222	tcp	ssl,xmpp	2.213218	676	4678	SF	-	-	0	ShADadfFr	19	1676	15	5442	(empty)
+#close	2015-07-21-18-55-16
diff --git a/testing/btest/Baseline/scripts.base.protocols.xmpp.starttls/ssl.log b/testing/btest/Baseline/scripts.base.protocols.xmpp.starttls/ssl.log
new file mode 100644
index 0000000000..f67ea92631
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.xmpp.starttls/ssl.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	ssl
+#open	2015-07-21-18-55-16
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	resumed	last_alert	next_protocol	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer
+#types	time	string	addr	port	addr	port	string	string	string	string	bool	string	string	bool	vector[string]	vector[string]	string	string	string	string
+1437091702.232293	CXWv6p3arKYeMETxOg	198.128.203.95	56048	146.255.57.229	5222	TLSv12	TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384	secp256r1	-	F	-	-	T	F5Nz2G1vSZQ0QXM2s8,FUw8omi2keRxShDUa	(empty)	CN=jabber.ccc.de,O=Chaos Computer Club e.V.,L=Hamburg,ST=Hamburg,C=DE	emailAddress=support@cacert.org,CN=CA Cert Signing Authority,OU=http://www.cacert.org,O=Root CA	-	-
+#close	2015-07-21-18-55-16
diff --git a/testing/btest/Baseline/scripts.base.protocols.xmpp.starttls/x509.log b/testing/btest/Baseline/scripts.base.protocols.xmpp.starttls/x509.log
new file mode 100644
index 0000000000..4a49298e8a
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.xmpp.starttls/x509.log
@@ -0,0 +1,11 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	x509
+#open	2015-07-21-18-55-16
+#fields	ts	id	certificate.version	certificate.serial	certificate.subject	certificate.issuer	certificate.not_valid_before	certificate.not_valid_after	certificate.key_alg	certificate.sig_alg	certificate.key_type	certificate.key_length	certificate.exponent	certificate.curve	san.dns	san.uri	san.email	san.ip	basic_constraints.ca	basic_constraints.path_len
+#types	time	string	count	string	string	string	time	time	string	string	string	count	string	string	vector[string]	vector[string]	vector[string]	vector[addr]	bool	count
+1437091702.407347	F5Nz2G1vSZQ0QXM2s8	3	0DF4F2	CN=jabber.ccc.de,O=Chaos Computer Club e.V.,L=Hamburg,ST=Hamburg,C=DE	emailAddress=support@cacert.org,CN=CA Cert Signing Authority,OU=http://www.cacert.org,O=Root CA	1382043019.000000	1445115019.000000	rsaEncryption	sha1WithRSAEncryption	rsa	2048	65537	-	jabber.ccc.de,conference.jabber.ccc.de,jabberd.jabber.ccc.de,pubsub.jabber.ccc.de,vjud.jabber.ccc.de	-	-	-	F	-
+1437091702.407347	FUw8omi2keRxShDUa	3	00	emailAddress=support@cacert.org,CN=CA Cert Signing Authority,OU=http://www.cacert.org,O=Root CA	emailAddress=support@cacert.org,CN=CA Cert Signing Authority,OU=http://www.cacert.org,O=Root CA	1049027389.000000	1995712189.000000	rsaEncryption	md5WithRSAEncryption	rsa	4096	65537	-	-	-	-	-	T	-
+#close	2015-07-21-18-55-16
diff --git a/testing/btest/Baseline/scripts.policy.frameworks.intel.seen.certs/intel-all.log b/testing/btest/Baseline/scripts.policy.frameworks.intel.seen.certs/intel-all.log
index ba1afe4239..0cac337cf3 100644
--- a/testing/btest/Baseline/scripts.policy.frameworks.intel.seen.certs/intel-all.log
+++ b/testing/btest/Baseline/scripts.policy.frameworks.intel.seen.certs/intel-all.log
@@ -3,20 +3,23 @@
 #empty_field	(empty)
 #unset_field	-
 #path	intel
-#open	2015-03-14-01-47-46
+#open	2016-04-25-23-53-37
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	fuid	file_mime_type	file_desc	seen.indicator	seen.indicator_type	seen.where	seen.node	sources
 #types	time	string	addr	port	addr	port	string	string	string	string	enum	enum	string	set[string]
 1416942644.593119	CXWv6p3arKYeMETxOg	192.168.4.149	49422	23.92.19.75	443	F0txuw2pvrkZOn04a8	application/pkix-cert	23.92.19.75:443/tcp	www.pantz.org	Intel::DOMAIN	X509::IN_CERT	bro	source1
-#close	2015-03-14-01-47-46
+#close	2016-04-25-23-53-37
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	intel
-#open	2015-03-14-01-47-46
+#open	2016-04-25-23-53-38
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	fuid	file_mime_type	file_desc	seen.indicator	seen.indicator_type	seen.where	seen.node	sources
 #types	time	string	addr	port	addr	port	string	string	string	string	enum	enum	string	set[string]
-1170717505.934612	CXWv6p3arKYeMETxOg	192.150.187.164	58868	194.127.84.106	443	-	-	-	www.dresdner-privat.de	Intel::DOMAIN	X509::IN_CERT	bro	source1
-1170717509.082241	CjhGID4nQcgTWjvg4c	192.150.187.164	58869	194.127.84.106	443	-	-	-	www.dresdner-privat.de	Intel::DOMAIN	X509::IN_CERT	bro	source1
-1170717512.108799	CCvvfg3TEfuqmmG4bh	192.150.187.164	58870	194.127.84.106	443	-	-	-	www.dresdner-privat.de	Intel::DOMAIN	X509::IN_CERT	bro	source1
-#close	2015-03-14-01-47-46
+1170717505.735416	CXWv6p3arKYeMETxOg	192.150.187.164	58868	194.127.84.106	443	FeCwNK3rzqPnZ7eBQ5	application/pkix-cert	194.127.84.106:443/tcp	2c322ae2b7fe91391345e070b63668978bb1c9da	Intel::CERT_HASH	X509::IN_CERT	bro	source1
+1170717505.934612	CXWv6p3arKYeMETxOg	192.150.187.164	58868	194.127.84.106	443	FeCwNK3rzqPnZ7eBQ5	-	-	www.dresdner-privat.de	Intel::DOMAIN	X509::IN_CERT	bro	source1
+1170717508.883051	CjhGID4nQcgTWjvg4c	192.150.187.164	58869	194.127.84.106	443	FjkLnG4s34DVZlaBNc	application/pkix-cert	194.127.84.106:443/tcp	2c322ae2b7fe91391345e070b63668978bb1c9da	Intel::CERT_HASH	X509::IN_CERT	bro	source1
+1170717509.082241	CjhGID4nQcgTWjvg4c	192.150.187.164	58869	194.127.84.106	443	FjkLnG4s34DVZlaBNc	-	-	www.dresdner-privat.de	Intel::DOMAIN	X509::IN_CERT	bro	source1
+1170717511.909717	CCvvfg3TEfuqmmG4bh	192.150.187.164	58870	194.127.84.106	443	FQXAWgI2FB5STbrff	application/pkix-cert	194.127.84.106:443/tcp	2c322ae2b7fe91391345e070b63668978bb1c9da	Intel::CERT_HASH	X509::IN_CERT	bro	source1
+1170717512.108799	CCvvfg3TEfuqmmG4bh	192.150.187.164	58870	194.127.84.106	443	FQXAWgI2FB5STbrff	-	-	www.dresdner-privat.de	Intel::DOMAIN	X509::IN_CERT	bro	source1
+#close	2016-04-25-23-53-38
diff --git a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events-no-args.log b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events-no-args.log
index 88a6f7b447..6b80273111 100644
--- a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events-no-args.log
+++ b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events-no-args.log
@@ -1,11 +1,12 @@
          0.000000 bro_init
          0.000000 filter_change_tracking
-1254722767.492060 protocol_confirmation
+         0.000000 NetControl::init
 1254722767.492060 ChecksumOffloading::check
 1254722767.492060 filter_change_tracking
 1254722767.492060 new_connection
 1254722767.492060 dns_message
 1254722767.492060 dns_request
+1254722767.492060 protocol_confirmation
 1254722767.492060 dns_end
 1254722767.526085 dns_message
 1254722767.526085 dns_CNAME_reply
@@ -154,13 +155,13 @@
 1437831799.262632 new_connection
 1437831799.461152 new_connection
 1437831799.610433 connection_established
-1437831799.611764 protocol_confirmation
 1437831799.611764 ssl_extension_server_name
 1437831799.611764 ssl_extension
 1437831799.611764 ssl_extension
 1437831799.611764 ssl_extension
 1437831799.611764 ssl_extension
 1437831799.611764 ssl_extension
+1437831799.611764 protocol_confirmation
 1437831799.611764 ssl_client_hello
 1437831799.611764 ssl_handshake_message
 1437831799.764576 ssl_extension
@@ -182,7 +183,6 @@
 1437831799.764576 x509_extension
 1437831799.764576 x509_ext_subject_alternative_name
 1437831799.764576 file_hash
-1437831799.764576 file_hash
 1437831799.764576 file_state_remove
 1437831799.764576 file_new
 1437831799.764576 file_over_new_connection
@@ -197,7 +197,6 @@
 1437831799.764576 x509_extension
 1437831799.764576 x509_extension
 1437831799.764576 file_hash
-1437831799.764576 file_hash
 1437831799.764576 file_state_remove
 1437831799.764576 ssl_handshake_message
 1437831799.764576 ssl_handshake_message
diff --git a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log
index 47e2067a1e..0e76b7faf4 100644
--- a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log
+++ b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log
@@ -1,62 +1,63 @@
          0.000000 bro_init
          0.000000 filter_change_tracking
-1254722767.492060 protocol_confirmation
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722767.49206, duration=0.0, service={\x0a\x0a}, history=D, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] atype: enum        = Analyzer::ANALYZER_DNS
-                  [2] aid: count         = 3
-
+         0.000000 NetControl::init
 1254722767.492060 ChecksumOffloading::check
 1254722767.492060 filter_change_tracking
 1254722767.492060 new_connection
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722767.49206, duration=0.0, service={\x0aDNS\x0a}, history=D, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.49206, duration=0.0, service={\x0a\x0a}, history=D, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1254722767.492060 dns_message
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722767.49206, duration=0.0, service={\x0aDNS\x0a}, history=D, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.49206, duration=0.0, service={\x0a\x0a}, history=D, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] msg: dns_msg       = [id=31062, opcode=0, rcode=0, QR=F, AA=F, TC=F, RD=T, RA=F, Z=0, num_queries=1, num_answers=0, num_auth=0, num_addl=0]
                   [3] len: count         = 34
 
 1254722767.492060 dns_request
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722767.49206, duration=0.0, service={\x0aDNS\x0a}, history=D, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=[ts=1254722767.49206, uid=CXWv6p3arKYeMETxOg, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, query=<uninitialized>, qclass=<uninitialized>, qclass_name=<uninitialized>, qtype=<uninitialized>, qtype_name=<uninitialized>, rcode=<uninitialized>, rcode_name=<uninitialized>, AA=F, TC=F, RD=F, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=F, saw_reply=F], dns_state=[pending_queries={\x0a\x09[31062] = [initialized=T, vals={\x0a\x09\x09[0] = [ts=1254722767.49206, uid=CXWv6p3arKYeMETxOg, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, query=<uninitialized>, qclass=<uninitialized>, qclass_name=<uninitialized>, qtype=<uninitialized>, qtype_name=<uninitialized>, rcode=<uninitialized>, rcode_name=<uninitialized>, AA=F, TC=F, RD=F, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=F, saw_reply=F]\x0a\x09}, settings=[max_len=<uninitialized>], top=1, bottom=0, size=0]\x0a}, pending_replies={\x0a\x0a}], ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.49206, duration=0.0, service={\x0a\x0a}, history=D, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=[ts=1254722767.49206, uid=CXWv6p3arKYeMETxOg, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=<uninitialized>, query=<uninitialized>, qclass=<uninitialized>, qclass_name=<uninitialized>, qtype=<uninitialized>, qtype_name=<uninitialized>, rcode=<uninitialized>, rcode_name=<uninitialized>, AA=F, TC=F, RD=F, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=F, saw_reply=F], dns_state=[pending_queries={\x0a\x09[31062] = [initialized=T, vals={\x0a\x09\x09[0] = [ts=1254722767.49206, uid=CXWv6p3arKYeMETxOg, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=<uninitialized>, query=<uninitialized>, qclass=<uninitialized>, qclass_name=<uninitialized>, qtype=<uninitialized>, qtype_name=<uninitialized>, rcode=<uninitialized>, rcode_name=<uninitialized>, AA=F, TC=F, RD=F, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=F, saw_reply=F]\x0a\x09}, settings=[max_len=<uninitialized>], top=1, bottom=0, size=0]\x0a}, pending_replies={\x0a\x0a}], ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] msg: dns_msg       = [id=31062, opcode=0, rcode=0, QR=F, AA=F, TC=F, RD=T, RA=F, Z=0, num_queries=1, num_answers=0, num_auth=0, num_addl=0]
                   [2] query: string      = mail.patriots.in
                   [3] qtype: count       = 1
                   [4] qclass: count      = 1
 
+1254722767.492060 protocol_confirmation
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.49206, duration=0.0, service={\x0a\x0a}, history=D, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=[ts=1254722767.49206, uid=CXWv6p3arKYeMETxOg, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=<uninitialized>, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=<uninitialized>, rcode_name=<uninitialized>, AA=F, TC=F, RD=T, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=F, saw_reply=F], dns_state=[pending_queries={\x0a\x09[31062] = [initialized=T, vals={\x0a\x09\x09[0] = [ts=1254722767.49206, uid=CXWv6p3arKYeMETxOg, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=<uninitialized>, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=<uninitialized>, rcode_name=<uninitialized>, AA=F, TC=F, RD=T, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=F, saw_reply=F]\x0a\x09}, settings=[max_len=<uninitialized>], top=1, bottom=0, size=0]\x0a}, pending_replies={\x0a\x0a}], ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] atype: enum        = Analyzer::ANALYZER_DNS
+                  [2] aid: count         = 3
+
 1254722767.492060 dns_end
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722767.49206, duration=0.0, service={\x0aDNS\x0a}, history=D, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=[ts=1254722767.49206, uid=CXWv6p3arKYeMETxOg, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=<uninitialized>, rcode_name=<uninitialized>, AA=F, TC=F, RD=T, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=F, saw_reply=F], dns_state=[pending_queries={\x0a\x09[31062] = [initialized=T, vals={\x0a\x09\x09[0] = [ts=1254722767.49206, uid=CXWv6p3arKYeMETxOg, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=<uninitialized>, rcode_name=<uninitialized>, AA=F, TC=F, RD=T, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=F, saw_reply=F]\x0a\x09}, settings=[max_len=<uninitialized>], top=1, bottom=0, size=0]\x0a}, pending_replies={\x0a\x0a}], ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.49206, duration=0.0, service={\x0aDNS\x0a}, history=D, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=[ts=1254722767.49206, uid=CXWv6p3arKYeMETxOg, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=<uninitialized>, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=<uninitialized>, rcode_name=<uninitialized>, AA=F, TC=F, RD=T, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=F, saw_reply=F], dns_state=[pending_queries={\x0a\x09[31062] = [initialized=T, vals={\x0a\x09\x09[0] = [ts=1254722767.49206, uid=CXWv6p3arKYeMETxOg, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=<uninitialized>, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=<uninitialized>, rcode_name=<uninitialized>, AA=F, TC=F, RD=T, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=F, saw_reply=F]\x0a\x09}, settings=[max_len=<uninitialized>], top=1, bottom=0, size=0]\x0a}, pending_replies={\x0a\x0a}], ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] msg: dns_msg       = [id=31062, opcode=0, rcode=0, QR=F, AA=F, TC=F, RD=T, RA=F, Z=0, num_queries=1, num_answers=0, num_auth=0, num_addl=0]
 
 1254722767.526085 dns_message
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0], resp=[size=100, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722767.49206, duration=0.034025, service={\x0aDNS\x0a}, history=Dd, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=[ts=1254722767.49206, uid=CXWv6p3arKYeMETxOg, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=<uninitialized>, rcode_name=<uninitialized>, AA=F, TC=F, RD=T, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=T, saw_reply=F], dns_state=[pending_queries={\x0a\x09[31062] = [initialized=T, vals={\x0a\x09\x09[0] = [ts=1254722767.49206, uid=CXWv6p3arKYeMETxOg, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=<uninitialized>, rcode_name=<uninitialized>, AA=F, TC=F, RD=T, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=T, saw_reply=F]\x0a\x09}, settings=[max_len=<uninitialized>], top=1, bottom=0, size=0]\x0a}, pending_replies={\x0a\x0a}], ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=100, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.49206, duration=0.034025, service={\x0aDNS\x0a}, history=Dd, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=[ts=1254722767.49206, uid=CXWv6p3arKYeMETxOg, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=<uninitialized>, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=<uninitialized>, rcode_name=<uninitialized>, AA=F, TC=F, RD=T, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=T, saw_reply=F], dns_state=[pending_queries={\x0a\x09[31062] = [initialized=T, vals={\x0a\x09\x09[0] = [ts=1254722767.49206, uid=CXWv6p3arKYeMETxOg, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=<uninitialized>, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=<uninitialized>, rcode_name=<uninitialized>, AA=F, TC=F, RD=T, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=T, saw_reply=F]\x0a\x09}, settings=[max_len=<uninitialized>], top=1, bottom=0, size=0]\x0a}, pending_replies={\x0a\x0a}], ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] msg: dns_msg       = [id=31062, opcode=0, rcode=0, QR=T, AA=F, TC=F, RD=T, RA=T, Z=0, num_queries=1, num_answers=2, num_auth=2, num_addl=0]
                   [3] len: count         = 100
 
 1254722767.526085 dns_CNAME_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0], resp=[size=100, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722767.49206, duration=0.034025, service={\x0aDNS\x0a}, history=Dd, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=[ts=1254722767.49206, uid=CXWv6p3arKYeMETxOg, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=0, rcode_name=NOERROR, AA=F, TC=F, RD=T, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=2, total_replies=4, saw_query=T, saw_reply=F], dns_state=[pending_queries={\x0a\x0a}, pending_replies={\x0a\x0a}], ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=100, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.49206, duration=0.034025, service={\x0aDNS\x0a}, history=Dd, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=[ts=1254722767.49206, uid=CXWv6p3arKYeMETxOg, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=<uninitialized>, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=0, rcode_name=NOERROR, AA=F, TC=F, RD=T, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=2, total_replies=4, saw_query=T, saw_reply=F], dns_state=[pending_queries={\x0a\x0a}, pending_replies={\x0a\x0a}], ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] msg: dns_msg       = [id=31062, opcode=0, rcode=0, QR=T, AA=F, TC=F, RD=T, RA=T, Z=0, num_queries=1, num_answers=2, num_auth=2, num_addl=0]
                   [2] ans: dns_answer    = [answer_type=1, query=mail.patriots.in, qtype=5, qclass=1, TTL=3.0 hrs 27.0 secs]
                   [3] name: string       = patriots.in
 
 1254722767.526085 dns_A_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0], resp=[size=100, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722767.49206, duration=0.034025, service={\x0aDNS\x0a}, history=Dd, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=[ts=1254722767.49206, uid=CXWv6p3arKYeMETxOg, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=0, rcode_name=NOERROR, AA=F, TC=F, RD=T, RA=T, Z=0, answers=[patriots.in], TTLs=[3.0 hrs 27.0 secs], rejected=F, total_answers=2, total_replies=4, saw_query=T, saw_reply=F], dns_state=[pending_queries={\x0a\x0a}, pending_replies={\x0a\x0a}], ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=100, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.49206, duration=0.034025, service={\x0aDNS\x0a}, history=Dd, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=[ts=1254722767.49206, uid=CXWv6p3arKYeMETxOg, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=34.0 msecs 24.0 usecs, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=0, rcode_name=NOERROR, AA=F, TC=F, RD=T, RA=T, Z=0, answers=[patriots.in], TTLs=[3.0 hrs 27.0 secs], rejected=F, total_answers=2, total_replies=4, saw_query=T, saw_reply=F], dns_state=[pending_queries={\x0a\x0a}, pending_replies={\x0a\x0a}], ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] msg: dns_msg       = [id=31062, opcode=0, rcode=0, QR=T, AA=F, TC=F, RD=T, RA=T, Z=0, num_queries=1, num_answers=2, num_auth=2, num_addl=0]
                   [2] ans: dns_answer    = [answer_type=1, query=patriots.in, qtype=1, qclass=1, TTL=3.0 hrs 28.0 secs]
                   [3] a: addr            = 74.53.140.153
 
 1254722767.526085 dns_end
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0], resp=[size=100, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722767.49206, duration=0.034025, service={\x0aDNS\x0a}, history=Dd, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=[ts=1254722767.49206, uid=CXWv6p3arKYeMETxOg, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=0, rcode_name=NOERROR, AA=F, TC=F, RD=T, RA=T, Z=0, answers=[patriots.in, 74.53.140.153], TTLs=[3.0 hrs 27.0 secs, 3.0 hrs 28.0 secs], rejected=F, total_answers=2, total_replies=4, saw_query=T, saw_reply=F], dns_state=[pending_queries={\x0a\x0a}, pending_replies={\x0a\x0a}], ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=100, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.49206, duration=0.034025, service={\x0aDNS\x0a}, history=Dd, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=[ts=1254722767.49206, uid=CXWv6p3arKYeMETxOg, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=34.0 msecs 24.0 usecs, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=0, rcode_name=NOERROR, AA=F, TC=F, RD=T, RA=T, Z=0, answers=[patriots.in, 74.53.140.153], TTLs=[3.0 hrs 27.0 secs, 3.0 hrs 28.0 secs], rejected=F, total_answers=2, total_replies=4, saw_query=T, saw_reply=F], dns_state=[pending_queries={\x0a\x0a}, pending_replies={\x0a\x0a}], ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] msg: dns_msg       = [id=31062, opcode=0, rcode=0, QR=T, AA=F, TC=F, RD=T, RA=T, Z=0, num_queries=1, num_answers=2, num_auth=2, num_addl=0]
 
 1254722767.529046 new_connection
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722767.529046, duration=0.0, service={\x0a\x0a}, history=, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=0.0, service={\x0a\x0a}, history=, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1254722767.875996 connection_established
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722767.529046, duration=0.34695, service={\x0a\x0a}, history=Sh, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=0.34695, service={\x0a\x0a}, history=Sh, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1254722768.219663 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0], start_time=1254722767.529046, duration=0.690617, service={\x0a\x0a}, history=ShAd, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=0.690617, service={\x0a\x0a}, history=ShAd, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 220
                   [3] cmd: string        = >
@@ -64,7 +65,7 @@
                   [5] cont_resp: bool    = T
 
 1254722768.219663 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0], start_time=1254722767.529046, duration=0.690617, service={\x0a\x0a}, history=ShAd, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 xc90.websitewelcome.com ESMTP Exim 4.69 #1 Mon, 05 Oct 2009 01:05:54 -0500 , path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=0.690617, service={\x0a\x0a}, history=ShAd, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 xc90.websitewelcome.com ESMTP Exim 4.69 #1 Mon, 05 Oct 2009 01:05:54 -0500 , path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 220
                   [3] cmd: string        = >
@@ -72,7 +73,7 @@
                   [5] cont_resp: bool    = T
 
 1254722768.219663 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0], start_time=1254722767.529046, duration=0.690617, service={\x0a\x0a}, history=ShAd, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 We do not authorize the use of this system to transport unsolicited, , path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=0.690617, service={\x0a\x0a}, history=ShAd, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 We do not authorize the use of this system to transport unsolicited, , path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 220
                   [3] cmd: string        = >
@@ -80,18 +81,18 @@
                   [5] cont_resp: bool    = F
 
 1254722768.224809 protocol_confirmation
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0], resp=[size=181, state=4, num_pkts=2, num_bytes_ip=269, flow_label=0], start_time=1254722767.529046, duration=0.695763, service={\x0a\x0a}, history=ShAdD, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 and/or bulk e-mail., path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=181, state=4, num_pkts=2, num_bytes_ip=269, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=0.695763, service={\x0a\x0a}, history=ShAdD, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 and/or bulk e-mail., path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] atype: enum        = Analyzer::ANALYZER_SMTP
                   [2] aid: count         = 7
 
 1254722768.224809 smtp_request
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0], resp=[size=181, state=4, num_pkts=2, num_bytes_ip=269, flow_label=0], start_time=1254722767.529046, duration=0.695763, service={\x0aSMTP\x0a}, history=ShAdD, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 and/or bulk e-mail., path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=181, state=4, num_pkts=2, num_bytes_ip=269, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=0.695763, service={\x0aSMTP\x0a}, history=ShAdD, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 and/or bulk e-mail., path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] command: string    = EHLO
                   [3] arg: string        = GP
 
 1254722768.566183 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 and/or bulk e-mail., path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.037137, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 and/or bulk e-mail., path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = EHLO
@@ -99,7 +100,7 @@
                   [5] cont_resp: bool    = T
 
 1254722768.566183 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 xc90.websitewelcome.com Hello GP [122.162.143.157], path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.037137, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 xc90.websitewelcome.com Hello GP [122.162.143.157], path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = EHLO
@@ -107,7 +108,7 @@
                   [5] cont_resp: bool    = T
 
 1254722768.566183 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 SIZE 52428800, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.037137, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 SIZE 52428800, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = EHLO
@@ -115,7 +116,7 @@
                   [5] cont_resp: bool    = T
 
 1254722768.566183 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 PIPELINING, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.037137, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 PIPELINING, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = EHLO
@@ -123,7 +124,7 @@
                   [5] cont_resp: bool    = T
 
 1254722768.566183 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 AUTH PLAIN LOGIN, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.037137, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 AUTH PLAIN LOGIN, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = EHLO
@@ -131,7 +132,7 @@
                   [5] cont_resp: bool    = T
 
 1254722768.566183 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 STARTTLS, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.037137, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 STARTTLS, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = EHLO
@@ -139,13 +140,13 @@
                   [5] cont_resp: bool    = F
 
 1254722768.568729 smtp_request
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=21, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=4, num_bytes_ip=486, flow_label=0], start_time=1254722767.529046, duration=1.039683, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 HELP, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=21, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=318, state=4, num_pkts=4, num_bytes_ip=486, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.039683, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 HELP, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] command: string    = AUTH
                   [3] arg: string        = LOGIN
 
 1254722768.911081 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=21, state=4, num_pkts=4, num_bytes_ip=189, flow_label=0], resp=[size=336, state=4, num_pkts=4, num_bytes_ip=486, flow_label=0], start_time=1254722767.529046, duration=1.382035, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 HELP, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=21, state=4, num_pkts=4, num_bytes_ip=189, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=336, state=4, num_pkts=4, num_bytes_ip=486, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.382035, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 HELP, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 334
                   [3] cmd: string        = AUTH
@@ -153,13 +154,13 @@
                   [5] cont_resp: bool    = F
 
 1254722768.911655 smtp_request
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=51, state=4, num_pkts=4, num_bytes_ip=189, flow_label=0], resp=[size=336, state=4, num_pkts=5, num_bytes_ip=544, flow_label=0], start_time=1254722767.529046, duration=1.382609, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 VXNlcm5hbWU6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=51, state=4, num_pkts=4, num_bytes_ip=189, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=336, state=4, num_pkts=5, num_bytes_ip=544, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.382609, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 VXNlcm5hbWU6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] command: string    = **
                   [3] arg: string        = Z3VycGFydGFwQHBhdHJpb3RzLmlu
 
 1254722769.253544 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=51, state=4, num_pkts=5, num_bytes_ip=259, flow_label=0], resp=[size=354, state=4, num_pkts=5, num_bytes_ip=544, flow_label=0], start_time=1254722767.529046, duration=1.724498, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 VXNlcm5hbWU6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=51, state=4, num_pkts=5, num_bytes_ip=259, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=354, state=4, num_pkts=5, num_bytes_ip=544, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.724498, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 VXNlcm5hbWU6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 334
                   [3] cmd: string        = AUTH_ANSWER
@@ -167,13 +168,13 @@
                   [5] cont_resp: bool    = F
 
 1254722769.254118 smtp_request
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=69, state=4, num_pkts=5, num_bytes_ip=259, flow_label=0], resp=[size=354, state=4, num_pkts=6, num_bytes_ip=602, flow_label=0], start_time=1254722767.529046, duration=1.725072, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 UGFzc3dvcmQ6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=69, state=4, num_pkts=5, num_bytes_ip=259, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=354, state=4, num_pkts=6, num_bytes_ip=602, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.725072, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 UGFzc3dvcmQ6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] command: string    = **
                   [3] arg: string        = cHVuamFiQDEyMw==
 
 1254722769.613798 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=69, state=4, num_pkts=6, num_bytes_ip=317, flow_label=0], resp=[size=384, state=4, num_pkts=6, num_bytes_ip=602, flow_label=0], start_time=1254722767.529046, duration=2.084752, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 UGFzc3dvcmQ6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=69, state=4, num_pkts=6, num_bytes_ip=317, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=384, state=4, num_pkts=6, num_bytes_ip=602, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=2.084752, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 UGFzc3dvcmQ6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 235
                   [3] cmd: string        = AUTH_ANSWER
@@ -181,13 +182,13 @@
                   [5] cont_resp: bool    = F
 
 1254722769.614414 smtp_request
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=105, state=4, num_pkts=6, num_bytes_ip=317, flow_label=0], resp=[size=384, state=4, num_pkts=7, num_bytes_ip=672, flow_label=0], start_time=1254722767.529046, duration=2.085368, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=235 Authentication succeeded, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=105, state=4, num_pkts=6, num_bytes_ip=317, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=384, state=4, num_pkts=7, num_bytes_ip=672, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=2.085368, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=235 Authentication succeeded, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] command: string    = MAIL
                   [3] arg: string        = FROM: <gurpartap@patriots.in>
 
 1254722769.956765 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=105, state=4, num_pkts=7, num_bytes_ip=393, flow_label=0], resp=[size=392, state=4, num_pkts=7, num_bytes_ip=672, flow_label=0], start_time=1254722767.529046, duration=2.427719, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=235 Authentication succeeded, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=105, state=4, num_pkts=7, num_bytes_ip=393, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=392, state=4, num_pkts=7, num_bytes_ip=672, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=2.427719, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=235 Authentication succeeded, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = MAIL
@@ -195,13 +196,13 @@
                   [5] cont_resp: bool    = F
 
 1254722769.957250 smtp_request
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=144, state=4, num_pkts=7, num_bytes_ip=393, flow_label=0], resp=[size=392, state=4, num_pkts=8, num_bytes_ip=720, flow_label=0], start_time=1254722767.529046, duration=2.428204, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 OK, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=144, state=4, num_pkts=7, num_bytes_ip=393, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=392, state=4, num_pkts=8, num_bytes_ip=720, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=2.428204, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 OK, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] command: string    = RCPT
                   [3] arg: string        = TO: <raj_deol2002in@yahoo.co.in>
 
 1254722770.319708 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=144, state=4, num_pkts=8, num_bytes_ip=472, flow_label=0], resp=[size=406, state=4, num_pkts=8, num_bytes_ip=720, flow_label=0], start_time=1254722767.529046, duration=2.790662, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 OK, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=144, state=4, num_pkts=8, num_bytes_ip=472, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=406, state=4, num_pkts=8, num_bytes_ip=720, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=2.790662, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 OK, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = RCPT
@@ -209,16 +210,16 @@
                   [5] cont_resp: bool    = F
 
 1254722770.320203 smtp_request
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=150, state=4, num_pkts=8, num_bytes_ip=472, flow_label=0], resp=[size=406, state=4, num_pkts=9, num_bytes_ip=774, flow_label=0], start_time=1254722767.529046, duration=2.791157, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Accepted, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=150, state=4, num_pkts=8, num_bytes_ip=472, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=406, state=4, num_pkts=9, num_bytes_ip=774, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=2.791157, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Accepted, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] command: string    = DATA
                   [3] arg: string        = 
 
 1254722770.320203 mime_begin_entity
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=150, state=4, num_pkts=8, num_bytes_ip=472, flow_label=0], resp=[size=406, state=4, num_pkts=9, num_bytes_ip=774, flow_label=0], start_time=1254722767.529046, duration=2.791157, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Accepted, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=150, state=4, num_pkts=8, num_bytes_ip=472, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=406, state=4, num_pkts=9, num_bytes_ip=774, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=2.791157, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Accepted, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1254722770.661679 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=150, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=9, num_bytes_ip=774, flow_label=0], start_time=1254722767.529046, duration=3.132633, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Accepted, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=150, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=9, num_bytes_ip=774, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.132633, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Accepted, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 354
                   [3] cmd: string        = DATA
@@ -226,243 +227,243 @@
                   [5] cont_resp: bool    = F
 
 1254722770.692743 mime_one_header
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] h: mime_header_rec = [name=FROM, value="Gurpartap Singh" <gurpartap@patriots.in>]
 
 1254722770.692743 mime_one_header
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=<uninitialized>, from="Gurpartap Singh" <gurpartap@patriots.in>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=<uninitialized>, from="Gurpartap Singh" <gurpartap@patriots.in>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] h: mime_header_rec = [name=TO, value=<raj_deol2002in@yahoo.co.in>]
 
 1254722770.692743 mime_one_header
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=<uninitialized>, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=<uninitialized>, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] h: mime_header_rec = [name=SUBJECT, value=SMTP]
 
 1254722770.692743 mime_one_header
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=<uninitialized>, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=<uninitialized>, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] h: mime_header_rec = [name=DATE, value=Mon, 5 Oct 2009 11:36:07 +0530]
 
 1254722770.692743 mime_one_header
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] h: mime_header_rec = [name=MESSAGE-ID, value=<000301ca4581$ef9e57f0$cedb07d0$@in>]
 
 1254722770.692743 mime_one_header
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] h: mime_header_rec = [name=MIME-VERSION, value=1.0]
 
 1254722770.692743 mime_one_header
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] h: mime_header_rec = [name=CONTENT-TYPE, value=multipart/mixed;\x09boundary="----=_NextPart_000_0004_01CA45B0.095693F0"]
 
 1254722770.692743 mime_one_header
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] h: mime_header_rec = [name=X-MAILER, value=Microsoft Office Outlook 12.0]
 
 1254722770.692743 mime_one_header
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] h: mime_header_rec = [name=THREAD-INDEX, value=AcpFgem9BvjjZEDeR1Kh8i+hUyVo0A==]
 
 1254722770.692743 mime_one_header
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] h: mime_header_rec = [name=CONTENT-LANGUAGE, value=en-us]
 
 1254722770.692743 mime_one_header
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] h: mime_header_rec = [name=X-CR-HASHEDPUZZLE, value=SeA= AAR2 ADaH BpiO C4G1 D1gW FNB1 FPkR Fn+W HFCP HnYJ JO7s Kum6 KytW LFcI LjUt;1;cgBhAGoAXwBkAGUAbwBsADIAMAAwADIAaQBuAEAAeQBhAGgAbwBvAC4AYwBvAC4AaQBuAA==;Sosha1_v1;7;{CAA37F59-1850-45C7-8540-AA27696B5398};ZwB1AHIAcABhAHIAdABhAHAAQABwAGEAdAByAGkAbwB0AHMALgBpAG4A;Mon, 05 Oct 2009 06:06:01 GMT;UwBNAFQAUAA=]
 
 1254722770.692743 mime_one_header
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] h: mime_header_rec = [name=X-CR-PUZZLEID, value={CAA37F59-1850-45C7-8540-AA27696B5398}]
 
 1254722770.692743 mime_begin_entity
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1254722770.692743 mime_one_header
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=2], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=2], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] h: mime_header_rec = [name=CONTENT-TYPE, value=multipart/alternative;\x09boundary="----=_NextPart_001_0005_01CA45B0.095693F0"]
 
 1254722770.692743 mime_begin_entity
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=2], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=2], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1254722770.692743 mime_one_header
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] h: mime_header_rec = [name=CONTENT-TYPE, value=text/plain;\x09charset="us-ascii"]
 
 1254722770.692743 mime_one_header
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] h: mime_header_rec = [name=CONTENT-TRANSFER-ENCODING, value=7bit]
 
 1254722770.692743 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = T
 
 1254722770.692743 file_new
-                  [0] f: fa_file         = [id=Fel9gs4OtNEV6gUJZ5, parent_id=<uninitialized>, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a\x09}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1254722770.692743, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=Fel9gs4OtNEV6gUJZ5, parent_id=<uninitialized>, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a\x09}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1254722770.692743, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
 
 1254722770.692743 file_over_new_connection
-                  [0] f: fa_file         = [id=Fel9gs4OtNEV6gUJZ5, parent_id=<uninitialized>, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a\x09}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1254722770.692743, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1254722770.692743, fuid=Fel9gs4OtNEV6gUJZ5, tx_hosts={\x0a\x0a}, rx_hosts={\x0a\x0a}, conn_uids={\x0a\x0a}, source=SMTP, depth=0, analyzers={\x0a\x0a}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=T, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] f: fa_file         = [id=Fel9gs4OtNEV6gUJZ5, parent_id=<uninitialized>, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a\x09}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1254722770.692743, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1254722770.692743, fuid=Fel9gs4OtNEV6gUJZ5, tx_hosts={\x0a\x0a}, rx_hosts={\x0a\x0a}, conn_uids={\x0a\x0a}, source=SMTP, depth=0, analyzers={\x0a\x0a}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=T, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = T
 
 1254722770.692743 mime_end_entity
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1254722770.692743 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = T
 
 1254722770.692743 file_sniff
-                  [0] f: fa_file         = [id=Fel9gs4OtNEV6gUJZ5, parent_id=<uninitialized>, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a\x09}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1254722770.692743, seen_bytes=77, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=Hello\x0d\x0a\x0d\x0a \x0d\x0a\x0d\x0aI send u smtp pcap file \x0d\x0a\x0d\x0aFind the attachment\x0d\x0a\x0d\x0a \x0d\x0a\x0d\x0aGPS\x0d\x0a\x0d\x0a, info=[ts=1254722770.692743, fuid=Fel9gs4OtNEV6gUJZ5, tx_hosts={\x0a\x0910.10.1.4\x0a}, rx_hosts={\x0a\x0974.53.140.153\x0a}, conn_uids={\x0aCjhGID4nQcgTWjvg4c\x0a}, source=SMTP, depth=3, analyzers={\x0a\x0a}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=T, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=Fel9gs4OtNEV6gUJZ5, parent_id=<uninitialized>, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a\x09}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1254722770.692743, seen_bytes=77, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=Hello\x0d\x0a\x0d\x0a \x0d\x0a\x0d\x0aI send u smtp pcap file \x0d\x0a\x0d\x0aFind the attachment\x0d\x0a\x0d\x0a \x0d\x0a\x0d\x0aGPS\x0d\x0a\x0d\x0a, info=[ts=1254722770.692743, fuid=Fel9gs4OtNEV6gUJZ5, tx_hosts={\x0a\x0910.10.1.4\x0a}, rx_hosts={\x0a\x0974.53.140.153\x0a}, conn_uids={\x0aCjhGID4nQcgTWjvg4c\x0a}, source=SMTP, depth=3, analyzers={\x0a\x0a}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=T, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
                   [1] meta: fa_metadata  = [mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]]]
 
 1254722770.692743 file_state_remove
-                  [0] f: fa_file         = [id=Fel9gs4OtNEV6gUJZ5, parent_id=<uninitialized>, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a\x09}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1254722770.692743, seen_bytes=77, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=Hello\x0d\x0a\x0d\x0a \x0d\x0a\x0d\x0aI send u smtp pcap file \x0d\x0a\x0d\x0aFind the attachment\x0d\x0a\x0d\x0a \x0d\x0a\x0d\x0aGPS\x0d\x0a\x0d\x0a, info=[ts=1254722770.692743, fuid=Fel9gs4OtNEV6gUJZ5, tx_hosts={\x0a\x0910.10.1.4\x0a}, rx_hosts={\x0a\x0974.53.140.153\x0a}, conn_uids={\x0aCjhGID4nQcgTWjvg4c\x0a}, source=SMTP, depth=3, analyzers={\x0a\x0a}, mime_type=text/plain, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=T, seen_bytes=77, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=Fel9gs4OtNEV6gUJZ5, parent_id=<uninitialized>, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a\x09}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1254722770.692743, seen_bytes=77, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=Hello\x0d\x0a\x0d\x0a \x0d\x0a\x0d\x0aI send u smtp pcap file \x0d\x0a\x0d\x0aFind the attachment\x0d\x0a\x0d\x0a \x0d\x0a\x0d\x0aGPS\x0d\x0a\x0d\x0a, info=[ts=1254722770.692743, fuid=Fel9gs4OtNEV6gUJZ5, tx_hosts={\x0a\x0910.10.1.4\x0a}, rx_hosts={\x0a\x0974.53.140.153\x0a}, conn_uids={\x0aCjhGID4nQcgTWjvg4c\x0a}, source=SMTP, depth=3, analyzers={\x0a\x0a}, mime_type=text/plain, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=T, seen_bytes=77, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
 
 1254722770.692743 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = F
 
 1254722770.692743 mime_begin_entity
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1254722770.692743 mime_one_header
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] h: mime_header_rec = [name=CONTENT-TYPE, value=text/html;\x09charset="us-ascii"]
 
 1254722770.692743 mime_one_header
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] h: mime_header_rec = [name=CONTENT-TRANSFER-ENCODING, value=quoted-printable]
 
 1254722770.692743 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = T
 
 1254722770.692743 file_new
-                  [0] f: fa_file         = [id=Ft4M3f2yMvLlmwtbq9, parent_id=<uninitialized>, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a\x09}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1254722770.692743, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=Ft4M3f2yMvLlmwtbq9, parent_id=<uninitialized>, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a\x09}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1254722770.692743, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
 
 1254722770.692743 file_over_new_connection
-                  [0] f: fa_file         = [id=Ft4M3f2yMvLlmwtbq9, parent_id=<uninitialized>, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a\x09}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1254722770.692743, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1254722770.692743, fuid=Ft4M3f2yMvLlmwtbq9, tx_hosts={\x0a\x0a}, rx_hosts={\x0a\x0a}, conn_uids={\x0a\x0a}, source=SMTP, depth=0, analyzers={\x0a\x0a}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=T, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] f: fa_file         = [id=Ft4M3f2yMvLlmwtbq9, parent_id=<uninitialized>, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a\x09}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1254722770.692743, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1254722770.692743, fuid=Ft4M3f2yMvLlmwtbq9, tx_hosts={\x0a\x0a}, rx_hosts={\x0a\x0a}, conn_uids={\x0a\x0a}, source=SMTP, depth=0, analyzers={\x0a\x0a}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=T, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = T
 
 1254722770.692804 mime_end_entity
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1254722770.692804 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = T
 
 1254722770.692804 file_sniff
-                  [0] f: fa_file         = [id=Ft4M3f2yMvLlmwtbq9, parent_id=<uninitialized>, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a\x09}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1254722770.692804, seen_bytes=1868, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">\x0d\x0a\x0d\x0a<head>\x0d\x0a<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">\x0d\x0a<meta name=Generator content="Microsoft Word 12 (filtered medium)">\x0d\x0a<style>\x0d\x0a<!--\x0d\x0a /* Font Definitions */\x0d\x0a @font-face\x0d\x0a\x09{font-family:"Cambria Math";\x0d\x0a\x09panose-1:2 4 5 3 5 4 6 3 2 4;}\x0d\x0a@font-face\x0d\x0a\x09{font-family:Calibri;\x0d\x0a\x09panose-1:2 15 5 2 2 2 4 3 2 4;}\x0d\x0a /* Style Definitions */\x0d\x0a p.MsoNormal, li.MsoNormal, div.MsoNormal\x0d\x0a\x09{margin:0in;\x0d\x0a\x09margin-bottom:.0001pt;\x0d\x0a\x09font-size:11.0pt;\x0d\x0a\x09font-family:"Calibri","sans-serif";}\x0d\x0aa:link, span.MsoHyperlink\x0d\x0a\x09{mso-style-priority:99;\x0d\x0a\x09color:blue;\x0d\x0a\x09text-decoration:underline;}\x0d\x0aa:visited, span.MsoHyperlinkFollowed\x0d\x0a\x09{mso-style-priority:99;\x0d\x0a\x09color:purple;\x0d\x0a\x09text-decoration:underline;}\x0d\x0aspan.EmailStyle17\x0d\x0a\x09{mso-style-type:personal-compose;\x0d\x0a\x09font-family:"Calibri","sans-serif";\x0d\x0a\x09color:windowtext;}\x0d\x0a.MsoChpDefault\x0d\x0a\x09{mso-style-type:export-only;}\x0d\x0a@page Section1\x0d\x0a\x09{size:8.5in 11.0in;\x0d\x0a\x09margin:1.0in 1.0in 1.0in 1.0in;}\x0d\x0adiv.Section1\x0d\x0a\x09{page:Section1;}\x0d\x0a-->\x0d\x0a</style>\x0d\x0a<!--[if gte mso 9]><xml>\x0d\x0a <o:shapedefaults v:ext="edit" spidmax="1026" />\x0d\x0a</xml><![endif]--><!--[if gte mso 9]><xml>\x0d\x0a <o:shapelayout v:ext="edit">\x0d\x0a  <o:idmap v:ext="edit" data="1" />\x0d\x0a </o:shapelayout></xml><![endif]-->\x0d\x0a</head>\x0d\x0a\x0d\x0a<body lang=EN-US link=blue vlink=purple>\x0d\x0a\x0d\x0a<div class=Section1>\x0d\x0a\x0d\x0a<p class=MsoNormal>Hello<o:p></o:p></p>\x0d\x0a\x0d\x0a<p class=MsoNormal><o:p>&nbsp;</o:p></p>\x0d\x0a\x0d\x0a<p class=MsoNormal>I send u smtp pcap file <o:p></o:p></p>\x0d\x0a\x0d\x0a<p class=MsoNormal>Find the attachment<o:p></o:p></p>\x0d\x0a\x0d\x0a<p class=MsoNormal><o:p>&nbsp;</o:p></p>\x0d\x0a\x0d\x0a<p class=MsoNormal>GPS<o:p></o:p></p>\x0d\x0a\x0d\x0a</div>\x0d\x0a\x0d\x0a</body>\x0d\x0a\x0d\x0a</html>\x0d\x0a\x0d\x0a, info=[ts=1254722770.692743, fuid=Ft4M3f2yMvLlmwtbq9, tx_hosts={\x0a\x0910.10.1.4\x0a}, rx_hosts={\x0a\x0974.53.140.153\x0a}, conn_uids={\x0aCjhGID4nQcgTWjvg4c\x0a}, source=SMTP, depth=4, analyzers={\x0a\x0a}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=T, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=Ft4M3f2yMvLlmwtbq9, parent_id=<uninitialized>, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a\x09}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1254722770.692804, seen_bytes=1868, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">\x0d\x0a\x0d\x0a<head>\x0d\x0a<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">\x0d\x0a<meta name=Generator content="Microsoft Word 12 (filtered medium)">\x0d\x0a<style>\x0d\x0a<!--\x0d\x0a /* Font Definitions */\x0d\x0a @font-face\x0d\x0a\x09{font-family:"Cambria Math";\x0d\x0a\x09panose-1:2 4 5 3 5 4 6 3 2 4;}\x0d\x0a@font-face\x0d\x0a\x09{font-family:Calibri;\x0d\x0a\x09panose-1:2 15 5 2 2 2 4 3 2 4;}\x0d\x0a /* Style Definitions */\x0d\x0a p.MsoNormal, li.MsoNormal, div.MsoNormal\x0d\x0a\x09{margin:0in;\x0d\x0a\x09margin-bottom:.0001pt;\x0d\x0a\x09font-size:11.0pt;\x0d\x0a\x09font-family:"Calibri","sans-serif";}\x0d\x0aa:link, span.MsoHyperlink\x0d\x0a\x09{mso-style-priority:99;\x0d\x0a\x09color:blue;\x0d\x0a\x09text-decoration:underline;}\x0d\x0aa:visited, span.MsoHyperlinkFollowed\x0d\x0a\x09{mso-style-priority:99;\x0d\x0a\x09color:purple;\x0d\x0a\x09text-decoration:underline;}\x0d\x0aspan.EmailStyle17\x0d\x0a\x09{mso-style-type:personal-compose;\x0d\x0a\x09font-family:"Calibri","sans-serif";\x0d\x0a\x09color:windowtext;}\x0d\x0a.MsoChpDefault\x0d\x0a\x09{mso-style-type:export-only;}\x0d\x0a@page Section1\x0d\x0a\x09{size:8.5in 11.0in;\x0d\x0a\x09margin:1.0in 1.0in 1.0in 1.0in;}\x0d\x0adiv.Section1\x0d\x0a\x09{page:Section1;}\x0d\x0a-->\x0d\x0a</style>\x0d\x0a<!--[if gte mso 9]><xml>\x0d\x0a <o:shapedefaults v:ext="edit" spidmax="1026" />\x0d\x0a</xml><![endif]--><!--[if gte mso 9]><xml>\x0d\x0a <o:shapelayout v:ext="edit">\x0d\x0a  <o:idmap v:ext="edit" data="1" />\x0d\x0a </o:shapelayout></xml><![endif]-->\x0d\x0a</head>\x0d\x0a\x0d\x0a<body lang=EN-US link=blue vlink=purple>\x0d\x0a\x0d\x0a<div class=Section1>\x0d\x0a\x0d\x0a<p class=MsoNormal>Hello<o:p></o:p></p>\x0d\x0a\x0d\x0a<p class=MsoNormal><o:p>&nbsp;</o:p></p>\x0d\x0a\x0d\x0a<p class=MsoNormal>I send u smtp pcap file <o:p></o:p></p>\x0d\x0a\x0d\x0a<p class=MsoNormal>Find the attachment<o:p></o:p></p>\x0d\x0a\x0d\x0a<p class=MsoNormal><o:p>&nbsp;</o:p></p>\x0d\x0a\x0d\x0a<p class=MsoNormal>GPS<o:p></o:p></p>\x0d\x0a\x0d\x0a</div>\x0d\x0a\x0d\x0a</body>\x0d\x0a\x0d\x0a</html>\x0d\x0a\x0d\x0a, info=[ts=1254722770.692743, fuid=Ft4M3f2yMvLlmwtbq9, tx_hosts={\x0a\x0910.10.1.4\x0a}, rx_hosts={\x0a\x0974.53.140.153\x0a}, conn_uids={\x0aCjhGID4nQcgTWjvg4c\x0a}, source=SMTP, depth=4, analyzers={\x0a\x0a}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=T, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
                   [1] meta: fa_metadata  = [mime_type=text/html, mime_types=[[strength=100, mime=text/html], [strength=20, mime=text/html], [strength=-20, mime=text/plain]]]
 
 1254722770.692804 file_state_remove
-                  [0] f: fa_file         = [id=Ft4M3f2yMvLlmwtbq9, parent_id=<uninitialized>, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a\x09}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1254722770.692804, seen_bytes=1868, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">\x0d\x0a\x0d\x0a<head>\x0d\x0a<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">\x0d\x0a<meta name=Generator content="Microsoft Word 12 (filtered medium)">\x0d\x0a<style>\x0d\x0a<!--\x0d\x0a /* Font Definitions */\x0d\x0a @font-face\x0d\x0a\x09{font-family:"Cambria Math";\x0d\x0a\x09panose-1:2 4 5 3 5 4 6 3 2 4;}\x0d\x0a@font-face\x0d\x0a\x09{font-family:Calibri;\x0d\x0a\x09panose-1:2 15 5 2 2 2 4 3 2 4;}\x0d\x0a /* Style Definitions */\x0d\x0a p.MsoNormal, li.MsoNormal, div.MsoNormal\x0d\x0a\x09{margin:0in;\x0d\x0a\x09margin-bottom:.0001pt;\x0d\x0a\x09font-size:11.0pt;\x0d\x0a\x09font-family:"Calibri","sans-serif";}\x0d\x0aa:link, span.MsoHyperlink\x0d\x0a\x09{mso-style-priority:99;\x0d\x0a\x09color:blue;\x0d\x0a\x09text-decoration:underline;}\x0d\x0aa:visited, span.MsoHyperlinkFollowed\x0d\x0a\x09{mso-style-priority:99;\x0d\x0a\x09color:purple;\x0d\x0a\x09text-decoration:underline;}\x0d\x0aspan.EmailStyle17\x0d\x0a\x09{mso-style-type:personal-compose;\x0d\x0a\x09font-family:"Calibri","sans-serif";\x0d\x0a\x09color:windowtext;}\x0d\x0a.MsoChpDefault\x0d\x0a\x09{mso-style-type:export-only;}\x0d\x0a@page Section1\x0d\x0a\x09{size:8.5in 11.0in;\x0d\x0a\x09margin:1.0in 1.0in 1.0in 1.0in;}\x0d\x0adiv.Section1\x0d\x0a\x09{page:Section1;}\x0d\x0a-->\x0d\x0a</style>\x0d\x0a<!--[if gte mso 9]><xml>\x0d\x0a <o:shapedefaults v:ext="edit" spidmax="1026" />\x0d\x0a</xml><![endif]--><!--[if gte mso 9]><xml>\x0d\x0a <o:shapelayout v:ext="edit">\x0d\x0a  <o:idmap v:ext="edit" data="1" />\x0d\x0a </o:shapelayout></xml><![endif]-->\x0d\x0a</head>\x0d\x0a\x0d\x0a<body lang=EN-US link=blue vlink=purple>\x0d\x0a\x0d\x0a<div class=Section1>\x0d\x0a\x0d\x0a<p class=MsoNormal>Hello<o:p></o:p></p>\x0d\x0a\x0d\x0a<p class=MsoNormal><o:p>&nbsp;</o:p></p>\x0d\x0a\x0d\x0a<p class=MsoNormal>I send u smtp pcap file <o:p></o:p></p>\x0d\x0a\x0d\x0a<p class=MsoNormal>Find the attachment<o:p></o:p></p>\x0d\x0a\x0d\x0a<p class=MsoNormal><o:p>&nbsp;</o:p></p>\x0d\x0a\x0d\x0a<p class=MsoNormal>GPS<o:p></o:p></p>\x0d\x0a\x0d\x0a</div>\x0d\x0a\x0d\x0a</body>\x0d\x0a\x0d\x0a</html>\x0d\x0a\x0d\x0a, info=[ts=1254722770.692743, fuid=Ft4M3f2yMvLlmwtbq9, tx_hosts={\x0a\x0910.10.1.4\x0a}, rx_hosts={\x0a\x0974.53.140.153\x0a}, conn_uids={\x0aCjhGID4nQcgTWjvg4c\x0a}, source=SMTP, depth=4, analyzers={\x0a\x0a}, mime_type=text/html, filename=<uninitialized>, duration=61.0 usecs, local_orig=<uninitialized>, is_orig=T, seen_bytes=1868, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=Ft4M3f2yMvLlmwtbq9, parent_id=<uninitialized>, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a\x09}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1254722770.692804, seen_bytes=1868, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">\x0d\x0a\x0d\x0a<head>\x0d\x0a<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">\x0d\x0a<meta name=Generator content="Microsoft Word 12 (filtered medium)">\x0d\x0a<style>\x0d\x0a<!--\x0d\x0a /* Font Definitions */\x0d\x0a @font-face\x0d\x0a\x09{font-family:"Cambria Math";\x0d\x0a\x09panose-1:2 4 5 3 5 4 6 3 2 4;}\x0d\x0a@font-face\x0d\x0a\x09{font-family:Calibri;\x0d\x0a\x09panose-1:2 15 5 2 2 2 4 3 2 4;}\x0d\x0a /* Style Definitions */\x0d\x0a p.MsoNormal, li.MsoNormal, div.MsoNormal\x0d\x0a\x09{margin:0in;\x0d\x0a\x09margin-bottom:.0001pt;\x0d\x0a\x09font-size:11.0pt;\x0d\x0a\x09font-family:"Calibri","sans-serif";}\x0d\x0aa:link, span.MsoHyperlink\x0d\x0a\x09{mso-style-priority:99;\x0d\x0a\x09color:blue;\x0d\x0a\x09text-decoration:underline;}\x0d\x0aa:visited, span.MsoHyperlinkFollowed\x0d\x0a\x09{mso-style-priority:99;\x0d\x0a\x09color:purple;\x0d\x0a\x09text-decoration:underline;}\x0d\x0aspan.EmailStyle17\x0d\x0a\x09{mso-style-type:personal-compose;\x0d\x0a\x09font-family:"Calibri","sans-serif";\x0d\x0a\x09color:windowtext;}\x0d\x0a.MsoChpDefault\x0d\x0a\x09{mso-style-type:export-only;}\x0d\x0a@page Section1\x0d\x0a\x09{size:8.5in 11.0in;\x0d\x0a\x09margin:1.0in 1.0in 1.0in 1.0in;}\x0d\x0adiv.Section1\x0d\x0a\x09{page:Section1;}\x0d\x0a-->\x0d\x0a</style>\x0d\x0a<!--[if gte mso 9]><xml>\x0d\x0a <o:shapedefaults v:ext="edit" spidmax="1026" />\x0d\x0a</xml><![endif]--><!--[if gte mso 9]><xml>\x0d\x0a <o:shapelayout v:ext="edit">\x0d\x0a  <o:idmap v:ext="edit" data="1" />\x0d\x0a </o:shapelayout></xml><![endif]-->\x0d\x0a</head>\x0d\x0a\x0d\x0a<body lang=EN-US link=blue vlink=purple>\x0d\x0a\x0d\x0a<div class=Section1>\x0d\x0a\x0d\x0a<p class=MsoNormal>Hello<o:p></o:p></p>\x0d\x0a\x0d\x0a<p class=MsoNormal><o:p>&nbsp;</o:p></p>\x0d\x0a\x0d\x0a<p class=MsoNormal>I send u smtp pcap file <o:p></o:p></p>\x0d\x0a\x0d\x0a<p class=MsoNormal>Find the attachment<o:p></o:p></p>\x0d\x0a\x0d\x0a<p class=MsoNormal><o:p>&nbsp;</o:p></p>\x0d\x0a\x0d\x0a<p class=MsoNormal>GPS<o:p></o:p></p>\x0d\x0a\x0d\x0a</div>\x0d\x0a\x0d\x0a</body>\x0d\x0a\x0d\x0a</html>\x0d\x0a\x0d\x0a, info=[ts=1254722770.692743, fuid=Ft4M3f2yMvLlmwtbq9, tx_hosts={\x0a\x0910.10.1.4\x0a}, rx_hosts={\x0a\x0974.53.140.153\x0a}, conn_uids={\x0aCjhGID4nQcgTWjvg4c\x0a}, source=SMTP, depth=4, analyzers={\x0a\x0a}, mime_type=text/html, filename=<uninitialized>, duration=61.0 usecs, local_orig=<uninitialized>, is_orig=T, seen_bytes=1868, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
 
 1254722770.692804 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = F
 
 1254722770.692804 mime_end_entity
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1254722770.692804 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = T
 
 1254722770.692804 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = F
 
 1254722770.692804 mime_begin_entity
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1254722770.692804 mime_one_header
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] h: mime_header_rec = [name=CONTENT-TYPE, value=text/plain;\x09name="NEWS.txt"]
 
 1254722770.692804 mime_one_header
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] h: mime_header_rec = [name=CONTENT-TRANSFER-ENCODING, value=quoted-printable]
 
 1254722770.692804 mime_one_header
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] h: mime_header_rec = [name=CONTENT-DISPOSITION, value=attachment;\x09filename="NEWS.txt"]
 
 1254722770.692804 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = T
 
 1254722770.692804 file_new
-                  [0] f: fa_file         = [id=FL9Y0d45OI4LpS6fmh, parent_id=<uninitialized>, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a\x09}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1254722770.692804, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=FL9Y0d45OI4LpS6fmh, parent_id=<uninitialized>, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a\x09}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1254722770.692804, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
 
 1254722770.692804 file_over_new_connection
-                  [0] f: fa_file         = [id=FL9Y0d45OI4LpS6fmh, parent_id=<uninitialized>, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a\x09}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1254722770.692804, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1254722770.692804, fuid=FL9Y0d45OI4LpS6fmh, tx_hosts={\x0a\x0a}, rx_hosts={\x0a\x0a}, conn_uids={\x0a\x0a}, source=SMTP, depth=0, analyzers={\x0a\x0a}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=T, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] f: fa_file         = [id=FL9Y0d45OI4LpS6fmh, parent_id=<uninitialized>, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a\x09}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1254722770.692804, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1254722770.692804, fuid=FL9Y0d45OI4LpS6fmh, tx_hosts={\x0a\x0a}, rx_hosts={\x0a\x0a}, conn_uids={\x0a\x0a}, source=SMTP, depth=0, analyzers={\x0a\x0a}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=T, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = T
 
 1254722770.695115 new_connection
-                  [0] c: connection      = [id=[orig_h=192.168.1.1, orig_p=3/icmp, resp_h=10.10.1.4, resp_p=4/icmp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722770.695115, duration=0.0, service={\x0a\x0a}, history=, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.1.1, orig_p=3/icmp, resp_h=10.10.1.4, resp_p=4/icmp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], start_time=1254722770.695115, duration=0.0, service={\x0a\x0a}, history=, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1254722771.494181 file_sniff
-                  [0] f: fa_file         = [id=FL9Y0d45OI4LpS6fmh, parent_id=<uninitialized>, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a\x09}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1254722771.494181, seen_bytes=4027, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=Version 4.9.9.1\x0d\x0a* Many bug fixes\x0d\x0a* Improved editor\x0d\x0a\x0d\x0aVersion 4.9.9.0\x0d\x0a* Support for latest Mingw compiler system builds\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.9\x0d\x0a* New code tooltip display\x0d\x0a* Improved Indent/Unindent and Remove Comment\x0d\x0a* Improved automatic indent\x0d\x0a* Added support for the "interface" keyword\x0d\x0a* WebUpdate should now report installation problems from PackMan\x0d\x0a* New splash screen and association icons\x0d\x0a* Improved installer\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.7\x0d\x0a* Added support for GCC > 3.2\x0d\x0a* Debug variables are now resent during next debug session\x0d\x0a* Watched Variables not in correct context are now kept and updated when it is needed\x0d\x0a* Added new compiler/linker options: \x0d\x0a  - Strip executable\x0d\x0a  - Generate instructions for a specific machine (i386, i486, i586, i686, pentium, pentium-mmx, pentiumpro, pentium2, pentium3, pentium4, \x0d\x0a    k6, k6-2, k6-3, athlon, athlon-tbird, athlon-4, athlon-xp, athlon-mp, winchip-c6, winchip2, k8, c3 and c3-2)\x0d\x0a  - Enable use of processor specific built-in functions (mmmx, sse, sse2, pni, 3dnow)\x0d\x0a* "Default" button in Compiler Options is back\x0d\x0a* Error messages parsing improved\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.5\x0d\x0a* Added the possibility to modify the value of a variable during debugging (right click on a watch variable and select "Modify value")\x0d\x0a* During Dev-C++ First Time COnfiguration window, users can now choose between using or not class browser and code completion features.\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.4\x0d\x0a* Added the possibility to specify an include directory for the code completion cache to be created at Dev-C++ first startup\x0d\x0a* Improved code completion cache\x0d\x0a* WebUpdate will now backup downloaded DevPaks in Dev-C++\Packages directory, and Dev-C++ executable in devcpp.exe.BACKUP\x0d\x0a* Big speed up in function parameters listing while editing\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.3\x0d\x0a* On Dev-C++ first time configuration dialog, a code completion cache of all the standard \x0d\x0a  include files can now be generated.\x0d\x0a* Improved WebUpdate module\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.2\x0d\x0a* New debug feature for DLLs: attach to a running process\x0d\x0a* New project option: Use custom Makefile. \x0d\x0a* New WebUpdater module.\x0d\x0a* Allow user to specify an alternate configuration file in Environment Options \x0d\x0a  (still can be overriden by using "-c" command line parameter).\x0d\x0a* Lots of bug fixes.\x0d\x0a\x0d\x0aVersion 4.9.8.1\x0d\x0a* When creating a DLL, the created static lib respects now the project-defined output directory\x0d\x0a\x0d\x0aVersion 4.9.8.0\x0d\x0a* Changed position of compiler/linker parameters in Project Options.\x0d\x0a* Improved help file\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.9\x0d\x0a* Resource errors are now reported in the Resource sheet\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.8\x0d\x0a* Made whole bottom report control floating instead of only debug output.\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.7\x0d\x0a* Printing settings are now saved\x0d\x0a* New environment options : "watch variable under mouse" and "Report watch errors"\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.6\x0d\x0a* Debug variable browser\x0d\x0a* Added possibility to include in a Template the Project's directories (include, libs and ressources)\x0d\x0a* Changed tint of Class browser pictures colors to match the New Look style\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.5\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.4\x0d\x0a* When compiling with debugging symbols, an extra definition is passed to the\x0d\x0a  compiler: -D__DEBUG__\x0d\x0a* Each project creates a <project_name>_private.h file containing version\x0d\x0a  information definitions\x0d\x0a* When compiling the current file only, no dependency checks are performed\x0d\x0a* ~300% Speed-up in class parser\x0d\x0a* Added "External programs" in Tools/Environment Options (for units "Open with")\x0d\x0a* Added "Open with" in project units context menu\x0d\x0a* Added "Classes" toolbar\x0d\x0a* Fixed pre-compilation dependency checks to work correctly\x0d\x0a* Added new file menu entry: Save Project As\x0d\x0a* Bug-fix for double quotes in devcpp.cfg file read by vUpdate\x0d\x0a* Other bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.3\x0d\x0a* When adding debugging symbols on request, remove "-s" option from linker\x0d\x0a* Compiling progress window\x0d\x0a* Environment options : "Show progress window" and "Auto-close progress , info=[ts=1254722770.692804, fuid=FL9Y0d45OI4LpS6fmh, tx_hosts={\x0a\x0910.10.1.4\x0a}, rx_hosts={\x0a\x0974.53.140.153\x0a}, conn_uids={\x0aCjhGID4nQcgTWjvg4c\x0a}, source=SMTP, depth=5, analyzers={\x0a\x0a}, mime_type=<uninitialized>, filename=NEWS.txt, duration=0 secs, local_orig=<uninitialized>, is_orig=T, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=FL9Y0d45OI4LpS6fmh, parent_id=<uninitialized>, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a\x09}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1254722771.494181, seen_bytes=4027, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=Version 4.9.9.1\x0d\x0a* Many bug fixes\x0d\x0a* Improved editor\x0d\x0a\x0d\x0aVersion 4.9.9.0\x0d\x0a* Support for latest Mingw compiler system builds\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.9\x0d\x0a* New code tooltip display\x0d\x0a* Improved Indent/Unindent and Remove Comment\x0d\x0a* Improved automatic indent\x0d\x0a* Added support for the "interface" keyword\x0d\x0a* WebUpdate should now report installation problems from PackMan\x0d\x0a* New splash screen and association icons\x0d\x0a* Improved installer\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.7\x0d\x0a* Added support for GCC > 3.2\x0d\x0a* Debug variables are now resent during next debug session\x0d\x0a* Watched Variables not in correct context are now kept and updated when it is needed\x0d\x0a* Added new compiler/linker options: \x0d\x0a  - Strip executable\x0d\x0a  - Generate instructions for a specific machine (i386, i486, i586, i686, pentium, pentium-mmx, pentiumpro, pentium2, pentium3, pentium4, \x0d\x0a    k6, k6-2, k6-3, athlon, athlon-tbird, athlon-4, athlon-xp, athlon-mp, winchip-c6, winchip2, k8, c3 and c3-2)\x0d\x0a  - Enable use of processor specific built-in functions (mmmx, sse, sse2, pni, 3dnow)\x0d\x0a* "Default" button in Compiler Options is back\x0d\x0a* Error messages parsing improved\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.5\x0d\x0a* Added the possibility to modify the value of a variable during debugging (right click on a watch variable and select "Modify value")\x0d\x0a* During Dev-C++ First Time COnfiguration window, users can now choose between using or not class browser and code completion features.\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.4\x0d\x0a* Added the possibility to specify an include directory for the code completion cache to be created at Dev-C++ first startup\x0d\x0a* Improved code completion cache\x0d\x0a* WebUpdate will now backup downloaded DevPaks in Dev-C++\Packages directory, and Dev-C++ executable in devcpp.exe.BACKUP\x0d\x0a* Big speed up in function parameters listing while editing\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.3\x0d\x0a* On Dev-C++ first time configuration dialog, a code completion cache of all the standard \x0d\x0a  include files can now be generated.\x0d\x0a* Improved WebUpdate module\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.2\x0d\x0a* New debug feature for DLLs: attach to a running process\x0d\x0a* New project option: Use custom Makefile. \x0d\x0a* New WebUpdater module.\x0d\x0a* Allow user to specify an alternate configuration file in Environment Options \x0d\x0a  (still can be overriden by using "-c" command line parameter).\x0d\x0a* Lots of bug fixes.\x0d\x0a\x0d\x0aVersion 4.9.8.1\x0d\x0a* When creating a DLL, the created static lib respects now the project-defined output directory\x0d\x0a\x0d\x0aVersion 4.9.8.0\x0d\x0a* Changed position of compiler/linker parameters in Project Options.\x0d\x0a* Improved help file\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.9\x0d\x0a* Resource errors are now reported in the Resource sheet\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.8\x0d\x0a* Made whole bottom report control floating instead of only debug output.\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.7\x0d\x0a* Printing settings are now saved\x0d\x0a* New environment options : "watch variable under mouse" and "Report watch errors"\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.6\x0d\x0a* Debug variable browser\x0d\x0a* Added possibility to include in a Template the Project's directories (include, libs and ressources)\x0d\x0a* Changed tint of Class browser pictures colors to match the New Look style\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.5\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.4\x0d\x0a* When compiling with debugging symbols, an extra definition is passed to the\x0d\x0a  compiler: -D__DEBUG__\x0d\x0a* Each project creates a <project_name>_private.h file containing version\x0d\x0a  information definitions\x0d\x0a* When compiling the current file only, no dependency checks are performed\x0d\x0a* ~300% Speed-up in class parser\x0d\x0a* Added "External programs" in Tools/Environment Options (for units "Open with")\x0d\x0a* Added "Open with" in project units context menu\x0d\x0a* Added "Classes" toolbar\x0d\x0a* Fixed pre-compilation dependency checks to work correctly\x0d\x0a* Added new file menu entry: Save Project As\x0d\x0a* Bug-fix for double quotes in devcpp.cfg file read by vUpdate\x0d\x0a* Other bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.3\x0d\x0a* When adding debugging symbols on request, remove "-s" option from linker\x0d\x0a* Compiling progress window\x0d\x0a* Environment options : "Show progress window" and "Auto-close progress , info=[ts=1254722770.692804, fuid=FL9Y0d45OI4LpS6fmh, tx_hosts={\x0a\x0910.10.1.4\x0a}, rx_hosts={\x0a\x0974.53.140.153\x0a}, conn_uids={\x0aCjhGID4nQcgTWjvg4c\x0a}, source=SMTP, depth=5, analyzers={\x0a\x0a}, mime_type=<uninitialized>, filename=NEWS.txt, duration=0 secs, local_orig=<uninitialized>, is_orig=T, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
                   [1] meta: fa_metadata  = [mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]]]
 
 1254722771.858334 mime_end_entity
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=4.329288, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1254722771.858334 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=4.329288, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = T
 
 1254722771.858334 file_state_remove
-                  [0] f: fa_file         = [id=FL9Y0d45OI4LpS6fmh, parent_id=<uninitialized>, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a\x09}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1254722771.858316, seen_bytes=10809, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=Version 4.9.9.1\x0d\x0a* Many bug fixes\x0d\x0a* Improved editor\x0d\x0a\x0d\x0aVersion 4.9.9.0\x0d\x0a* Support for latest Mingw compiler system builds\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.9\x0d\x0a* New code tooltip display\x0d\x0a* Improved Indent/Unindent and Remove Comment\x0d\x0a* Improved automatic indent\x0d\x0a* Added support for the "interface" keyword\x0d\x0a* WebUpdate should now report installation problems from PackMan\x0d\x0a* New splash screen and association icons\x0d\x0a* Improved installer\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.7\x0d\x0a* Added support for GCC > 3.2\x0d\x0a* Debug variables are now resent during next debug session\x0d\x0a* Watched Variables not in correct context are now kept and updated when it is needed\x0d\x0a* Added new compiler/linker options: \x0d\x0a  - Strip executable\x0d\x0a  - Generate instructions for a specific machine (i386, i486, i586, i686, pentium, pentium-mmx, pentiumpro, pentium2, pentium3, pentium4, \x0d\x0a    k6, k6-2, k6-3, athlon, athlon-tbird, athlon-4, athlon-xp, athlon-mp, winchip-c6, winchip2, k8, c3 and c3-2)\x0d\x0a  - Enable use of processor specific built-in functions (mmmx, sse, sse2, pni, 3dnow)\x0d\x0a* "Default" button in Compiler Options is back\x0d\x0a* Error messages parsing improved\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.5\x0d\x0a* Added the possibility to modify the value of a variable during debugging (right click on a watch variable and select "Modify value")\x0d\x0a* During Dev-C++ First Time COnfiguration window, users can now choose between using or not class browser and code completion features.\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.4\x0d\x0a* Added the possibility to specify an include directory for the code completion cache to be created at Dev-C++ first startup\x0d\x0a* Improved code completion cache\x0d\x0a* WebUpdate will now backup downloaded DevPaks in Dev-C++\Packages directory, and Dev-C++ executable in devcpp.exe.BACKUP\x0d\x0a* Big speed up in function parameters listing while editing\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.3\x0d\x0a* On Dev-C++ first time configuration dialog, a code completion cache of all the standard \x0d\x0a  include files can now be generated.\x0d\x0a* Improved WebUpdate module\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.2\x0d\x0a* New debug feature for DLLs: attach to a running process\x0d\x0a* New project option: Use custom Makefile. \x0d\x0a* New WebUpdater module.\x0d\x0a* Allow user to specify an alternate configuration file in Environment Options \x0d\x0a  (still can be overriden by using "-c" command line parameter).\x0d\x0a* Lots of bug fixes.\x0d\x0a\x0d\x0aVersion 4.9.8.1\x0d\x0a* When creating a DLL, the created static lib respects now the project-defined output directory\x0d\x0a\x0d\x0aVersion 4.9.8.0\x0d\x0a* Changed position of compiler/linker parameters in Project Options.\x0d\x0a* Improved help file\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.9\x0d\x0a* Resource errors are now reported in the Resource sheet\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.8\x0d\x0a* Made whole bottom report control floating instead of only debug output.\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.7\x0d\x0a* Printing settings are now saved\x0d\x0a* New environment options : "watch variable under mouse" and "Report watch errors"\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.6\x0d\x0a* Debug variable browser\x0d\x0a* Added possibility to include in a Template the Project's directories (include, libs and ressources)\x0d\x0a* Changed tint of Class browser pictures colors to match the New Look style\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.5\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.4\x0d\x0a* When compiling with debugging symbols, an extra definition is passed to the\x0d\x0a  compiler: -D__DEBUG__\x0d\x0a* Each project creates a <project_name>_private.h file containing version\x0d\x0a  information definitions\x0d\x0a* When compiling the current file only, no dependency checks are performed\x0d\x0a* ~300% Speed-up in class parser\x0d\x0a* Added "External programs" in Tools/Environment Options (for units "Open with")\x0d\x0a* Added "Open with" in project units context menu\x0d\x0a* Added "Classes" toolbar\x0d\x0a* Fixed pre-compilation dependency checks to work correctly\x0d\x0a* Added new file menu entry: Save Project As\x0d\x0a* Bug-fix for double quotes in devcpp.cfg file read by vUpdate\x0d\x0a* Other bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.3\x0d\x0a* When adding debugging symbols on request, remove "-s" option from linker\x0d\x0a* Compiling progress window\x0d\x0a* Environment options : "Show progress window" and "Auto-close progress , info=[ts=1254722770.692804, fuid=FL9Y0d45OI4LpS6fmh, tx_hosts={\x0a\x0910.10.1.4\x0a}, rx_hosts={\x0a\x0974.53.140.153\x0a}, conn_uids={\x0aCjhGID4nQcgTWjvg4c\x0a}, source=SMTP, depth=5, analyzers={\x0a\x0a}, mime_type=text/plain, filename=NEWS.txt, duration=801.0 msecs 376.0 usecs, local_orig=<uninitialized>, is_orig=T, seen_bytes=4027, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=FL9Y0d45OI4LpS6fmh, parent_id=<uninitialized>, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=4.329288, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a\x09}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1254722771.858316, seen_bytes=10809, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=Version 4.9.9.1\x0d\x0a* Many bug fixes\x0d\x0a* Improved editor\x0d\x0a\x0d\x0aVersion 4.9.9.0\x0d\x0a* Support for latest Mingw compiler system builds\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.9\x0d\x0a* New code tooltip display\x0d\x0a* Improved Indent/Unindent and Remove Comment\x0d\x0a* Improved automatic indent\x0d\x0a* Added support for the "interface" keyword\x0d\x0a* WebUpdate should now report installation problems from PackMan\x0d\x0a* New splash screen and association icons\x0d\x0a* Improved installer\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.7\x0d\x0a* Added support for GCC > 3.2\x0d\x0a* Debug variables are now resent during next debug session\x0d\x0a* Watched Variables not in correct context are now kept and updated when it is needed\x0d\x0a* Added new compiler/linker options: \x0d\x0a  - Strip executable\x0d\x0a  - Generate instructions for a specific machine (i386, i486, i586, i686, pentium, pentium-mmx, pentiumpro, pentium2, pentium3, pentium4, \x0d\x0a    k6, k6-2, k6-3, athlon, athlon-tbird, athlon-4, athlon-xp, athlon-mp, winchip-c6, winchip2, k8, c3 and c3-2)\x0d\x0a  - Enable use of processor specific built-in functions (mmmx, sse, sse2, pni, 3dnow)\x0d\x0a* "Default" button in Compiler Options is back\x0d\x0a* Error messages parsing improved\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.5\x0d\x0a* Added the possibility to modify the value of a variable during debugging (right click on a watch variable and select "Modify value")\x0d\x0a* During Dev-C++ First Time COnfiguration window, users can now choose between using or not class browser and code completion features.\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.4\x0d\x0a* Added the possibility to specify an include directory for the code completion cache to be created at Dev-C++ first startup\x0d\x0a* Improved code completion cache\x0d\x0a* WebUpdate will now backup downloaded DevPaks in Dev-C++\Packages directory, and Dev-C++ executable in devcpp.exe.BACKUP\x0d\x0a* Big speed up in function parameters listing while editing\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.3\x0d\x0a* On Dev-C++ first time configuration dialog, a code completion cache of all the standard \x0d\x0a  include files can now be generated.\x0d\x0a* Improved WebUpdate module\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.2\x0d\x0a* New debug feature for DLLs: attach to a running process\x0d\x0a* New project option: Use custom Makefile. \x0d\x0a* New WebUpdater module.\x0d\x0a* Allow user to specify an alternate configuration file in Environment Options \x0d\x0a  (still can be overriden by using "-c" command line parameter).\x0d\x0a* Lots of bug fixes.\x0d\x0a\x0d\x0aVersion 4.9.8.1\x0d\x0a* When creating a DLL, the created static lib respects now the project-defined output directory\x0d\x0a\x0d\x0aVersion 4.9.8.0\x0d\x0a* Changed position of compiler/linker parameters in Project Options.\x0d\x0a* Improved help file\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.9\x0d\x0a* Resource errors are now reported in the Resource sheet\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.8\x0d\x0a* Made whole bottom report control floating instead of only debug output.\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.7\x0d\x0a* Printing settings are now saved\x0d\x0a* New environment options : "watch variable under mouse" and "Report watch errors"\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.6\x0d\x0a* Debug variable browser\x0d\x0a* Added possibility to include in a Template the Project's directories (include, libs and ressources)\x0d\x0a* Changed tint of Class browser pictures colors to match the New Look style\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.5\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.4\x0d\x0a* When compiling with debugging symbols, an extra definition is passed to the\x0d\x0a  compiler: -D__DEBUG__\x0d\x0a* Each project creates a <project_name>_private.h file containing version\x0d\x0a  information definitions\x0d\x0a* When compiling the current file only, no dependency checks are performed\x0d\x0a* ~300% Speed-up in class parser\x0d\x0a* Added "External programs" in Tools/Environment Options (for units "Open with")\x0d\x0a* Added "Open with" in project units context menu\x0d\x0a* Added "Classes" toolbar\x0d\x0a* Fixed pre-compilation dependency checks to work correctly\x0d\x0a* Added new file menu entry: Save Project As\x0d\x0a* Bug-fix for double quotes in devcpp.cfg file read by vUpdate\x0d\x0a* Other bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.3\x0d\x0a* When adding debugging symbols on request, remove "-s" option from linker\x0d\x0a* Compiling progress window\x0d\x0a* Environment options : "Show progress window" and "Auto-close progress , info=[ts=1254722770.692804, fuid=FL9Y0d45OI4LpS6fmh, tx_hosts={\x0a\x0910.10.1.4\x0a}, rx_hosts={\x0a\x0974.53.140.153\x0a}, conn_uids={\x0aCjhGID4nQcgTWjvg4c\x0a}, source=SMTP, depth=5, analyzers={\x0a\x0a}, mime_type=text/plain, filename=NEWS.txt, duration=801.0 msecs 376.0 usecs, local_orig=<uninitialized>, is_orig=T, seen_bytes=4027, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
 
 1254722771.858334 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=4.329288, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = F
 
 1254722771.858334 mime_end_entity
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=4.329288, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1254722771.858334 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=4.329288, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = T
 
 1254722771.858334 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=4.329288, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = F
 
 1254722771.858334 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=4.329288, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = T
 
 1254722771.858334 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=4.329288, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = F
 
 1254722771.858334 smtp_request
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=4.329288, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] command: string    = .
                   [3] arg: string        = .
 
 1254722772.248789 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=24, num_bytes_ip=21507, flow_label=0], resp=[size=490, state=4, num_pkts=21, num_bytes_ip=1310, flow_label=0], start_time=1254722767.529046, duration=4.719743, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=24, num_bytes_ip=21507, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=490, state=4, num_pkts=21, num_bytes_ip=1310, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=4.719743, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = .
@@ -470,13 +471,13 @@
                   [5] cont_resp: bool    = F
 
 1254722774.763825 smtp_request
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=4, num_pkts=25, num_bytes_ip=21547, flow_label=0], resp=[size=490, state=4, num_pkts=22, num_bytes_ip=1378, flow_label=0], start_time=1254722767.529046, duration=7.234779, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722772.248789, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=<uninitialized>, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=4, num_pkts=25, num_bytes_ip=21547, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=490, state=4, num_pkts=22, num_bytes_ip=1378, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=7.234779, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722772.248789, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=<uninitialized>, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] command: string    = QUIT
                   [3] arg: string        = 
 
 1254722775.105467 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=5, num_pkts=27, num_bytes_ip=21633, flow_label=0], resp=[size=538, state=4, num_pkts=22, num_bytes_ip=1378, flow_label=0], start_time=1254722767.529046, duration=7.576421, service={\x0aSMTP\x0a}, history=ShAdDaF, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722772.248789, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=<uninitialized>, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=5, num_pkts=27, num_bytes_ip=21633, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=538, state=4, num_pkts=22, num_bytes_ip=1378, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=7.576421, service={\x0aSMTP\x0a}, history=ShAdDaF, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722772.248789, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=<uninitialized>, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 221
                   [3] cmd: string        = QUIT
@@ -484,33 +485,33 @@
                   [5] cont_resp: bool    = F
 
 1254722776.690444 new_connection
-                  [0] c: connection      = [id=[orig_h=10.10.1.20, orig_p=138/udp, resp_h=10.10.1.255, resp_p=138/udp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722776.690444, duration=0.0, service={\x0a\x0a}, history=, uid=CsRx2w45OKnoww6xl4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.20, orig_p=138/udp, resp_h=10.10.1.255, resp_p=138/udp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:02:3f:ec:61:11], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=ff:ff:ff:ff:ff:ff], start_time=1254722776.690444, duration=0.0, service={\x0a\x0a}, history=, uid=CsRx2w45OKnoww6xl4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1437831776.764391 ChecksumOffloading::check
 1437831776.764391 connection_state_remove
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0], resp=[size=100, state=1, num_pkts=1, num_bytes_ip=128, flow_label=0], start_time=1254722767.49206, duration=0.034025, service={\x0aDNS\x0a}, history=Dd, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=[pending_queries={\x0a\x0a}, pending_replies={\x0a\x0a}], ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=100, state=1, num_pkts=1, num_bytes_ip=128, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.49206, duration=0.034025, service={\x0aDNS\x0a}, history=Dd, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=[pending_queries={\x0a\x0a}, pending_replies={\x0a\x0a}], ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1437831776.764391 connection_state_remove
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=5, num_pkts=28, num_bytes_ip=21673, flow_label=0], resp=[size=538, state=5, num_pkts=25, num_bytes_ip=1546, flow_label=0], start_time=1254722767.529046, duration=7.576953, service={\x0aSMTP\x0a}, history=ShAdDaFf, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722772.248789, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=221 xc90.websitewelcome.com closing connection, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=5, num_pkts=28, num_bytes_ip=21673, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=538, state=5, num_pkts=25, num_bytes_ip=1546, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=7.576953, service={\x0aSMTP\x0a}, history=ShAdDaFf, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722772.248789, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=221 xc90.websitewelcome.com closing connection, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1437831776.764391 connection_state_remove
-                  [0] c: connection      = [id=[orig_h=192.168.1.1, orig_p=3/icmp, resp_h=10.10.1.4, resp_p=4/icmp], orig=[size=2192, state=1, num_pkts=4, num_bytes_ip=2304, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722770.695115, duration=0.001519, service={\x0a\x0a}, history=, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.1.1, orig_p=3/icmp, resp_h=10.10.1.4, resp_p=4/icmp], orig=[size=2192, state=1, num_pkts=4, num_bytes_ip=2304, flow_label=0, l2_addr=00:1f:33:d9:81:60], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], start_time=1254722770.695115, duration=0.001519, service={\x0a\x0a}, history=, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1437831776.764391 connection_state_remove
-                  [0] c: connection      = [id=[orig_h=10.10.1.20, orig_p=138/udp, resp_h=10.10.1.255, resp_p=138/udp], orig=[size=201, state=1, num_pkts=1, num_bytes_ip=229, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722776.690444, duration=0.0, service={\x0a\x0a}, history=D, uid=CsRx2w45OKnoww6xl4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.20, orig_p=138/udp, resp_h=10.10.1.255, resp_p=138/udp], orig=[size=201, state=1, num_pkts=1, num_bytes_ip=229, flow_label=0, l2_addr=00:02:3f:ec:61:11], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=ff:ff:ff:ff:ff:ff], start_time=1254722776.690444, duration=0.0, service={\x0a\x0a}, history=D, uid=CsRx2w45OKnoww6xl4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1437831776.764391 filter_change_tracking
 1437831776.764391 new_connection
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49285/tcp, resp_h=66.196.121.26, resp_p=5050/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1437831776.764391, duration=0.0, service={\x0a\x0a}, history=, uid=CRJuHdVW0XPVINV8a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49285/tcp, resp_h=66.196.121.26, resp_p=5050/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831776.764391, duration=0.0, service={\x0a\x0a}, history=, uid=CRJuHdVW0XPVINV8a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1437831787.856895 new_connection
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1437831787.856895, duration=0.0, service={\x0a\x0a}, history=, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.0, service={\x0a\x0a}, history=, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1437831787.861602 connection_established
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1437831787.856895, duration=0.004707, service={\x0a\x0a}, history=Sh, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.004707, service={\x0a\x0a}, history=Sh, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1437831787.867142 smtp_reply
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=35, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1437831787.856895, duration=0.010247, service={\x0a\x0a}, history=ShAd, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=35, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.010247, service={\x0a\x0a}, history=ShAd, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 220
                   [3] cmd: string        = >
@@ -518,18 +519,18 @@
                   [5] cont_resp: bool    = F
 
 1437831787.883306 protocol_confirmation
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=3, num_bytes_ip=168, flow_label=0], resp=[size=35, state=4, num_pkts=2, num_bytes_ip=147, flow_label=0], start_time=1437831787.856895, duration=0.026411, service={\x0a\x0a}, history=ShAdD, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 uprise ESMTP SubEthaSMTP null, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=3, num_bytes_ip=168, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=35, state=4, num_pkts=2, num_bytes_ip=147, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.026411, service={\x0a\x0a}, history=ShAdD, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 uprise ESMTP SubEthaSMTP null, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] atype: enum        = Analyzer::ANALYZER_SMTP
                   [2] aid: count         = 21
 
 1437831787.883306 smtp_request
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=3, num_bytes_ip=168, flow_label=0], resp=[size=35, state=4, num_pkts=2, num_bytes_ip=147, flow_label=0], start_time=1437831787.856895, duration=0.026411, service={\x0aSMTP\x0a}, history=ShAdD, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 uprise ESMTP SubEthaSMTP null, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=3, num_bytes_ip=168, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=35, state=4, num_pkts=2, num_bytes_ip=147, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.026411, service={\x0aSMTP\x0a}, history=ShAdD, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 uprise ESMTP SubEthaSMTP null, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] command: string    = EHLO
                   [3] arg: string        = [192.168.133.100]
 
 1437831787.886281 smtp_reply
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=4, num_bytes_ip=244, flow_label=0], resp=[size=85, state=4, num_pkts=3, num_bytes_ip=199, flow_label=0], start_time=1437831787.856895, duration=0.029386, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 uprise ESMTP SubEthaSMTP null, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=4, num_bytes_ip=244, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=4, num_pkts=3, num_bytes_ip=199, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.029386, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 uprise ESMTP SubEthaSMTP null, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = EHLO
@@ -537,7 +538,7 @@
                   [5] cont_resp: bool    = T
 
 1437831787.886281 smtp_reply
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=4, num_bytes_ip=244, flow_label=0], resp=[size=85, state=4, num_pkts=3, num_bytes_ip=199, flow_label=0], start_time=1437831787.856895, duration=0.029386, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 uprise, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=4, num_bytes_ip=244, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=4, num_pkts=3, num_bytes_ip=199, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.029386, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 uprise, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = EHLO
@@ -545,7 +546,7 @@
                   [5] cont_resp: bool    = T
 
 1437831787.886281 smtp_reply
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=4, num_bytes_ip=244, flow_label=0], resp=[size=85, state=4, num_pkts=3, num_bytes_ip=199, flow_label=0], start_time=1437831787.856895, duration=0.029386, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 8BITMIME, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=4, num_bytes_ip=244, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=4, num_pkts=3, num_bytes_ip=199, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.029386, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 8BITMIME, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = EHLO
@@ -553,7 +554,7 @@
                   [5] cont_resp: bool    = T
 
 1437831787.886281 smtp_reply
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=4, num_bytes_ip=244, flow_label=0], resp=[size=85, state=4, num_pkts=3, num_bytes_ip=199, flow_label=0], start_time=1437831787.856895, duration=0.029386, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 AUTH LOGIN, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=4, num_bytes_ip=244, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=4, num_pkts=3, num_bytes_ip=199, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.029386, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 AUTH LOGIN, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = EHLO
@@ -561,13 +562,13 @@
                   [5] cont_resp: bool    = F
 
 1437831787.887031 smtp_request
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=56, state=4, num_pkts=5, num_bytes_ip=296, flow_label=0], resp=[size=85, state=4, num_pkts=4, num_bytes_ip=301, flow_label=0], start_time=1437831787.856895, duration=0.030136, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=56, state=4, num_pkts=5, num_bytes_ip=296, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=4, num_pkts=4, num_bytes_ip=301, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.030136, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] command: string    = MAIL
                   [3] arg: string        = FROM:<albert@example.com>
 
 1437831787.889785 smtp_reply
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=56, state=4, num_pkts=6, num_bytes_ip=380, flow_label=0], resp=[size=93, state=4, num_pkts=4, num_bytes_ip=301, flow_label=0], start_time=1437831787.856895, duration=0.03289, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=56, state=4, num_pkts=6, num_bytes_ip=380, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=93, state=4, num_pkts=4, num_bytes_ip=301, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.03289, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = MAIL
@@ -575,13 +576,13 @@
                   [5] cont_resp: bool    = F
 
 1437831787.890232 smtp_request
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=88, state=4, num_pkts=7, num_bytes_ip=432, flow_label=0], resp=[size=93, state=4, num_pkts=5, num_bytes_ip=361, flow_label=0], start_time=1437831787.856895, duration=0.033337, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=88, state=4, num_pkts=7, num_bytes_ip=432, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=93, state=4, num_pkts=5, num_bytes_ip=361, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.033337, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] command: string    = RCPT
                   [3] arg: string        = TO:<ericlim220@yahoo.com>
 
 1437831787.892986 smtp_reply
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=88, state=4, num_pkts=8, num_bytes_ip=516, flow_label=0], resp=[size=101, state=4, num_pkts=5, num_bytes_ip=361, flow_label=0], start_time=1437831787.856895, duration=0.036091, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<ericlim220@yahoo.com>\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=88, state=4, num_pkts=8, num_bytes_ip=516, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=101, state=4, num_pkts=5, num_bytes_ip=361, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.036091, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<ericlim220@yahoo.com>\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = RCPT
@@ -589,13 +590,13 @@
                   [5] cont_resp: bool    = F
 
 1437831787.893587 smtp_request
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=121, state=4, num_pkts=9, num_bytes_ip=568, flow_label=0], resp=[size=101, state=4, num_pkts=6, num_bytes_ip=421, flow_label=0], start_time=1437831787.856895, duration=0.036692, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<ericlim220@yahoo.com>\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=121, state=4, num_pkts=9, num_bytes_ip=568, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=101, state=4, num_pkts=6, num_bytes_ip=421, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.036692, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<ericlim220@yahoo.com>\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] command: string    = RCPT
                   [3] arg: string        = TO:<felica4uu@hotmail.com>
 
 1437831787.897624 smtp_reply
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=121, state=4, num_pkts=10, num_bytes_ip=653, flow_label=0], resp=[size=109, state=4, num_pkts=6, num_bytes_ip=421, flow_label=0], start_time=1437831787.856895, duration=0.040729, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<felica4uu@hotmail.com>,\x0a<ericlim220@yahoo.com>\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=121, state=4, num_pkts=10, num_bytes_ip=653, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=109, state=4, num_pkts=6, num_bytes_ip=421, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.040729, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<felica4uu@hotmail.com>,\x0a<ericlim220@yahoo.com>\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = RCPT
@@ -603,13 +604,13 @@
                   [5] cont_resp: bool    = F
 
 1437831787.898413 smtp_request
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=156, state=4, num_pkts=11, num_bytes_ip=705, flow_label=0], resp=[size=109, state=4, num_pkts=7, num_bytes_ip=481, flow_label=0], start_time=1437831787.856895, duration=0.041518, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<felica4uu@hotmail.com>,\x0a<ericlim220@yahoo.com>\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=156, state=4, num_pkts=11, num_bytes_ip=705, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=109, state=4, num_pkts=7, num_bytes_ip=481, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.041518, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<felica4uu@hotmail.com>,\x0a<ericlim220@yahoo.com>\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] command: string    = RCPT
                   [3] arg: string        = TO:<davis_mark1@outlook.com>
 
 1437831787.901069 smtp_reply
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=156, state=4, num_pkts=12, num_bytes_ip=792, flow_label=0], resp=[size=117, state=4, num_pkts=7, num_bytes_ip=481, flow_label=0], start_time=1437831787.856895, duration=0.044174, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<felica4uu@hotmail.com>,\x0a<ericlim220@yahoo.com>,\x0a<davis_mark1@outlook.com>\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=156, state=4, num_pkts=12, num_bytes_ip=792, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=117, state=4, num_pkts=7, num_bytes_ip=481, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.044174, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<felica4uu@hotmail.com>,\x0a<ericlim220@yahoo.com>,\x0a<davis_mark1@outlook.com>\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = RCPT
@@ -617,16 +618,16 @@
                   [5] cont_resp: bool    = F
 
 1437831787.901697 smtp_request
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=162, state=4, num_pkts=13, num_bytes_ip=844, flow_label=0], resp=[size=117, state=4, num_pkts=8, num_bytes_ip=541, flow_label=0], start_time=1437831787.856895, duration=0.044802, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<felica4uu@hotmail.com>,\x0a<ericlim220@yahoo.com>,\x0a<davis_mark1@outlook.com>\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=162, state=4, num_pkts=13, num_bytes_ip=844, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=117, state=4, num_pkts=8, num_bytes_ip=541, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.044802, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<felica4uu@hotmail.com>,\x0a<ericlim220@yahoo.com>,\x0a<davis_mark1@outlook.com>\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] command: string    = DATA
                   [3] arg: string        = 
 
 1437831787.901697 mime_begin_entity
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=162, state=4, num_pkts=13, num_bytes_ip=844, flow_label=0], resp=[size=117, state=4, num_pkts=8, num_bytes_ip=541, flow_label=0], start_time=1437831787.856895, duration=0.044802, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<felica4uu@hotmail.com>,\x0a<ericlim220@yahoo.com>,\x0a<davis_mark1@outlook.com>\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=162, state=4, num_pkts=13, num_bytes_ip=844, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=117, state=4, num_pkts=8, num_bytes_ip=541, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.044802, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<felica4uu@hotmail.com>,\x0a<ericlim220@yahoo.com>,\x0a<davis_mark1@outlook.com>\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1437831787.904758 smtp_reply
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=162, state=4, num_pkts=14, num_bytes_ip=902, flow_label=0], resp=[size=154, state=4, num_pkts=8, num_bytes_ip=541, flow_label=0], start_time=1437831787.856895, duration=0.047863, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<felica4uu@hotmail.com>,\x0a<ericlim220@yahoo.com>,\x0a<davis_mark1@outlook.com>\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=162, state=4, num_pkts=14, num_bytes_ip=902, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=8, num_bytes_ip=541, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.047863, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<felica4uu@hotmail.com>,\x0a<ericlim220@yahoo.com>,\x0a<davis_mark1@outlook.com>\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 354
                   [3] cmd: string        = DATA
@@ -634,104 +635,104 @@
                   [5] cont_resp: bool    = F
 
 1437831787.905375 mime_one_header
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<felica4uu@hotmail.com>,\x0a<ericlim220@yahoo.com>,\x0a<davis_mark1@outlook.com>\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 End data with <CR><LF>.<CR><LF>, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<felica4uu@hotmail.com>,\x0a<ericlim220@yahoo.com>,\x0a<davis_mark1@outlook.com>\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 End data with <CR><LF>.<CR><LF>, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] h: mime_header_rec = [name=CONTENT-TYPE, value=text/plain; charset=us-ascii]
 
 1437831787.905375 mime_one_header
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<felica4uu@hotmail.com>,\x0a<ericlim220@yahoo.com>,\x0a<davis_mark1@outlook.com>\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 End data with <CR><LF>.<CR><LF>, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<felica4uu@hotmail.com>,\x0a<ericlim220@yahoo.com>,\x0a<davis_mark1@outlook.com>\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 End data with <CR><LF>.<CR><LF>, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] h: mime_header_rec = [name=MIME-VERSION, value=1.0 (Mac OS X Mail 8.2 \(2102\))]
 
 1437831787.905375 mime_one_header
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<felica4uu@hotmail.com>,\x0a<ericlim220@yahoo.com>,\x0a<davis_mark1@outlook.com>\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 End data with <CR><LF>.<CR><LF>, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<felica4uu@hotmail.com>,\x0a<ericlim220@yahoo.com>,\x0a<davis_mark1@outlook.com>\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 End data with <CR><LF>.<CR><LF>, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] h: mime_header_rec = [name=SUBJECT, value=Re: Bro SMTP CC Header]
 
 1437831787.905375 mime_one_header
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<felica4uu@hotmail.com>,\x0a<ericlim220@yahoo.com>,\x0a<davis_mark1@outlook.com>\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=Re: Bro SMTP CC Header, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 End data with <CR><LF>.<CR><LF>, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<felica4uu@hotmail.com>,\x0a<ericlim220@yahoo.com>,\x0a<davis_mark1@outlook.com>\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=Re: Bro SMTP CC Header, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 End data with <CR><LF>.<CR><LF>, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] h: mime_header_rec = [name=FROM, value=Albert Zaharovits <albert@example.com>]
 
 1437831787.905375 mime_one_header
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<felica4uu@hotmail.com>,\x0a<ericlim220@yahoo.com>,\x0a<davis_mark1@outlook.com>\x0a}, date=<uninitialized>, from=Albert Zaharovits <albert@example.com>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=Re: Bro SMTP CC Header, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 End data with <CR><LF>.<CR><LF>, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<felica4uu@hotmail.com>,\x0a<ericlim220@yahoo.com>,\x0a<davis_mark1@outlook.com>\x0a}, date=<uninitialized>, from=Albert Zaharovits <albert@example.com>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=Re: Bro SMTP CC Header, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 End data with <CR><LF>.<CR><LF>, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] h: mime_header_rec = [name=IN-REPLY-TO, value=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>]
 
 1437831787.905375 mime_one_header
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<felica4uu@hotmail.com>,\x0a<ericlim220@yahoo.com>,\x0a<davis_mark1@outlook.com>\x0a}, date=<uninitialized>, from=Albert Zaharovits <albert@example.com>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 End data with <CR><LF>.<CR><LF>, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<felica4uu@hotmail.com>,\x0a<ericlim220@yahoo.com>,\x0a<davis_mark1@outlook.com>\x0a}, date=<uninitialized>, from=Albert Zaharovits <albert@example.com>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 End data with <CR><LF>.<CR><LF>, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] h: mime_header_rec = [name=DATE, value=Sat, 25 Jul 2015 16:43:07 +0300]
 
 1437831787.905375 mime_one_header
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<felica4uu@hotmail.com>,\x0a<ericlim220@yahoo.com>,\x0a<davis_mark1@outlook.com>\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits <albert@example.com>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 End data with <CR><LF>.<CR><LF>, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<felica4uu@hotmail.com>,\x0a<ericlim220@yahoo.com>,\x0a<davis_mark1@outlook.com>\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits <albert@example.com>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 End data with <CR><LF>.<CR><LF>, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] h: mime_header_rec = [name=CC, value=felica4uu@hotmail.com, davis_mark1@outlook.com]
 
 1437831787.905375 mime_one_header
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<felica4uu@hotmail.com>,\x0a<ericlim220@yahoo.com>,\x0a<davis_mark1@outlook.com>\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits <albert@example.com>, to=<uninitialized>, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 End data with <CR><LF>.<CR><LF>, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<felica4uu@hotmail.com>,\x0a<ericlim220@yahoo.com>,\x0a<davis_mark1@outlook.com>\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits <albert@example.com>, to=<uninitialized>, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 End data with <CR><LF>.<CR><LF>, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] h: mime_header_rec = [name=CONTENT-TRANSFER-ENCODING, value=7bit]
 
 1437831787.905375 mime_one_header
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<felica4uu@hotmail.com>,\x0a<ericlim220@yahoo.com>,\x0a<davis_mark1@outlook.com>\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits <albert@example.com>, to=<uninitialized>, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 End data with <CR><LF>.<CR><LF>, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<felica4uu@hotmail.com>,\x0a<ericlim220@yahoo.com>,\x0a<davis_mark1@outlook.com>\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits <albert@example.com>, to=<uninitialized>, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 End data with <CR><LF>.<CR><LF>, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] h: mime_header_rec = [name=MESSAGE-ID, value=<A6202DF2-8E58-4E41-BE0B-C8D3989A4AEE@example.com>]
 
 1437831787.905375 mime_one_header
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<felica4uu@hotmail.com>,\x0a<ericlim220@yahoo.com>,\x0a<davis_mark1@outlook.com>\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits <albert@example.com>, to=<uninitialized>, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=<uninitialized>, msg_id=<A6202DF2-8E58-4E41-BE0B-C8D3989A4AEE@example.com>, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 End data with <CR><LF>.<CR><LF>, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<felica4uu@hotmail.com>,\x0a<ericlim220@yahoo.com>,\x0a<davis_mark1@outlook.com>\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits <albert@example.com>, to=<uninitialized>, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=<uninitialized>, msg_id=<A6202DF2-8E58-4E41-BE0B-C8D3989A4AEE@example.com>, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 End data with <CR><LF>.<CR><LF>, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] h: mime_header_rec = [name=REFERENCES, value=<FA60128E-63CF-4C4E-8241-C5805EA0F66E@example.com> <9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>]
 
 1437831787.905375 mime_one_header
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<felica4uu@hotmail.com>,\x0a<ericlim220@yahoo.com>,\x0a<davis_mark1@outlook.com>\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits <albert@example.com>, to=<uninitialized>, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=<uninitialized>, msg_id=<A6202DF2-8E58-4E41-BE0B-C8D3989A4AEE@example.com>, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 End data with <CR><LF>.<CR><LF>, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<felica4uu@hotmail.com>,\x0a<ericlim220@yahoo.com>,\x0a<davis_mark1@outlook.com>\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits <albert@example.com>, to=<uninitialized>, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=<uninitialized>, msg_id=<A6202DF2-8E58-4E41-BE0B-C8D3989A4AEE@example.com>, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 End data with <CR><LF>.<CR><LF>, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] h: mime_header_rec = [name=TO, value=ericlim220@yahoo.com]
 
 1437831787.905375 mime_one_header
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<felica4uu@hotmail.com>,\x0a<ericlim220@yahoo.com>,\x0a<davis_mark1@outlook.com>\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits <albert@example.com>, to={\x0aericlim220@yahoo.com\x0a}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=<uninitialized>, msg_id=<A6202DF2-8E58-4E41-BE0B-C8D3989A4AEE@example.com>, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 End data with <CR><LF>.<CR><LF>, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<felica4uu@hotmail.com>,\x0a<ericlim220@yahoo.com>,\x0a<davis_mark1@outlook.com>\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits <albert@example.com>, to={\x0aericlim220@yahoo.com\x0a}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=<uninitialized>, msg_id=<A6202DF2-8E58-4E41-BE0B-C8D3989A4AEE@example.com>, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 End data with <CR><LF>.<CR><LF>, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] h: mime_header_rec = [name=X-MAILER, value=Apple Mail (2.2102)]
 
 1437831787.905375 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<felica4uu@hotmail.com>,\x0a<ericlim220@yahoo.com>,\x0a<davis_mark1@outlook.com>\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits <albert@example.com>, to={\x0aericlim220@yahoo.com\x0a}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=<uninitialized>, msg_id=<A6202DF2-8E58-4E41-BE0B-C8D3989A4AEE@example.com>, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 End data with <CR><LF>.<CR><LF>, path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<felica4uu@hotmail.com>,\x0a<ericlim220@yahoo.com>,\x0a<davis_mark1@outlook.com>\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits <albert@example.com>, to={\x0aericlim220@yahoo.com\x0a}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=<uninitialized>, msg_id=<A6202DF2-8E58-4E41-BE0B-C8D3989A4AEE@example.com>, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 End data with <CR><LF>.<CR><LF>, path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = T
 
 1437831787.905375 file_new
-                  [0] f: fa_file         = [id=FKX8fw2lEHCTK8syM3, parent_id=<uninitialized>, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<felica4uu@hotmail.com>,\x0a<ericlim220@yahoo.com>,\x0a<davis_mark1@outlook.com>\x0a\x09}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits <albert@example.com>, to={\x0aericlim220@yahoo.com\x0a\x09}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a\x09}, reply_to=<uninitialized>, msg_id=<A6202DF2-8E58-4E41-BE0B-C8D3989A4AEE@example.com>, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 End data with <CR><LF>.<CR><LF>, path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831787.905375, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=FKX8fw2lEHCTK8syM3, parent_id=<uninitialized>, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<felica4uu@hotmail.com>,\x0a<ericlim220@yahoo.com>,\x0a<davis_mark1@outlook.com>\x0a\x09}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits <albert@example.com>, to={\x0aericlim220@yahoo.com\x0a\x09}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a\x09}, reply_to=<uninitialized>, msg_id=<A6202DF2-8E58-4E41-BE0B-C8D3989A4AEE@example.com>, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 End data with <CR><LF>.<CR><LF>, path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831787.905375, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
 
 1437831787.905375 file_over_new_connection
-                  [0] f: fa_file         = [id=FKX8fw2lEHCTK8syM3, parent_id=<uninitialized>, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<felica4uu@hotmail.com>,\x0a<ericlim220@yahoo.com>,\x0a<davis_mark1@outlook.com>\x0a\x09}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits <albert@example.com>, to={\x0aericlim220@yahoo.com\x0a\x09}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a\x09}, reply_to=<uninitialized>, msg_id=<A6202DF2-8E58-4E41-BE0B-C8D3989A4AEE@example.com>, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 End data with <CR><LF>.<CR><LF>, path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831787.905375, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1437831787.905375, fuid=FKX8fw2lEHCTK8syM3, tx_hosts={\x0a\x0a}, rx_hosts={\x0a\x0a}, conn_uids={\x0a\x0a}, source=SMTP, depth=0, analyzers={\x0a\x0a}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=T, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
-                  [1] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<felica4uu@hotmail.com>,\x0a<ericlim220@yahoo.com>,\x0a<davis_mark1@outlook.com>\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits <albert@example.com>, to={\x0aericlim220@yahoo.com\x0a}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=<uninitialized>, msg_id=<A6202DF2-8E58-4E41-BE0B-C8D3989A4AEE@example.com>, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 End data with <CR><LF>.<CR><LF>, path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] f: fa_file         = [id=FKX8fw2lEHCTK8syM3, parent_id=<uninitialized>, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<felica4uu@hotmail.com>,\x0a<ericlim220@yahoo.com>,\x0a<davis_mark1@outlook.com>\x0a\x09}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits <albert@example.com>, to={\x0aericlim220@yahoo.com\x0a\x09}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a\x09}, reply_to=<uninitialized>, msg_id=<A6202DF2-8E58-4E41-BE0B-C8D3989A4AEE@example.com>, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 End data with <CR><LF>.<CR><LF>, path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831787.905375, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1437831787.905375, fuid=FKX8fw2lEHCTK8syM3, tx_hosts={\x0a\x0a}, rx_hosts={\x0a\x0a}, conn_uids={\x0a\x0a}, source=SMTP, depth=0, analyzers={\x0a\x0a}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=T, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<felica4uu@hotmail.com>,\x0a<ericlim220@yahoo.com>,\x0a<davis_mark1@outlook.com>\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits <albert@example.com>, to={\x0aericlim220@yahoo.com\x0a}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=<uninitialized>, msg_id=<A6202DF2-8E58-4E41-BE0B-C8D3989A4AEE@example.com>, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 End data with <CR><LF>.<CR><LF>, path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = T
 
 1437831787.905375 mime_end_entity
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<felica4uu@hotmail.com>,\x0a<ericlim220@yahoo.com>,\x0a<davis_mark1@outlook.com>\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits <albert@example.com>, to={\x0aericlim220@yahoo.com\x0a}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=<uninitialized>, msg_id=<A6202DF2-8E58-4E41-BE0B-C8D3989A4AEE@example.com>, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 End data with <CR><LF>.<CR><LF>, path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[FKX8fw2lEHCTK8syM3]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<felica4uu@hotmail.com>,\x0a<ericlim220@yahoo.com>,\x0a<davis_mark1@outlook.com>\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits <albert@example.com>, to={\x0aericlim220@yahoo.com\x0a}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=<uninitialized>, msg_id=<A6202DF2-8E58-4E41-BE0B-C8D3989A4AEE@example.com>, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 End data with <CR><LF>.<CR><LF>, path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[FKX8fw2lEHCTK8syM3]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1437831787.905375 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<felica4uu@hotmail.com>,\x0a<ericlim220@yahoo.com>,\x0a<davis_mark1@outlook.com>\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits <albert@example.com>, to={\x0aericlim220@yahoo.com\x0a}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=<uninitialized>, msg_id=<A6202DF2-8E58-4E41-BE0B-C8D3989A4AEE@example.com>, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 End data with <CR><LF>.<CR><LF>, path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[FKX8fw2lEHCTK8syM3]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<felica4uu@hotmail.com>,\x0a<ericlim220@yahoo.com>,\x0a<davis_mark1@outlook.com>\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits <albert@example.com>, to={\x0aericlim220@yahoo.com\x0a}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=<uninitialized>, msg_id=<A6202DF2-8E58-4E41-BE0B-C8D3989A4AEE@example.com>, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 End data with <CR><LF>.<CR><LF>, path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[FKX8fw2lEHCTK8syM3]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = T
 
 1437831787.905375 file_sniff
-                  [0] f: fa_file         = [id=FKX8fw2lEHCTK8syM3, parent_id=<uninitialized>, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<felica4uu@hotmail.com>,\x0a<ericlim220@yahoo.com>,\x0a<davis_mark1@outlook.com>\x0a\x09}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits <albert@example.com>, to={\x0aericlim220@yahoo.com\x0a\x09}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a\x09}, reply_to=<uninitialized>, msg_id=<A6202DF2-8E58-4E41-BE0B-C8D3989A4AEE@example.com>, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 End data with <CR><LF>.<CR><LF>, path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[FKX8fw2lEHCTK8syM3]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831787.905375, seen_bytes=204, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=\x0d\x0a> On 25 Jul 2015, at 16:38, Albert Zaharovits <albert@example.com> wrote:\x0d\x0a> \x0d\x0a> \x0d\x0a>> On 25 Jul 2015, at 16:21, Albert Zaharovits <albert@example.com> wrote:\x0d\x0a>> \x0d\x0a>> Bro SMTP CC Header\x0d\x0a>> TEST\x0d\x0a> \x0d\x0a\x0d\x0a, info=[ts=1437831787.905375, fuid=FKX8fw2lEHCTK8syM3, tx_hosts={\x0a\x09192.168.133.100\x0a}, rx_hosts={\x0a\x09192.168.133.102\x0a}, conn_uids={\x0aCPbrpk1qSsw6ESzHV4\x0a}, source=SMTP, depth=1, analyzers={\x0a\x0a}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=T, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=FKX8fw2lEHCTK8syM3, parent_id=<uninitialized>, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<felica4uu@hotmail.com>,\x0a<ericlim220@yahoo.com>,\x0a<davis_mark1@outlook.com>\x0a\x09}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits <albert@example.com>, to={\x0aericlim220@yahoo.com\x0a\x09}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a\x09}, reply_to=<uninitialized>, msg_id=<A6202DF2-8E58-4E41-BE0B-C8D3989A4AEE@example.com>, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 End data with <CR><LF>.<CR><LF>, path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[FKX8fw2lEHCTK8syM3]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831787.905375, seen_bytes=204, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=\x0d\x0a> On 25 Jul 2015, at 16:38, Albert Zaharovits <albert@example.com> wrote:\x0d\x0a> \x0d\x0a> \x0d\x0a>> On 25 Jul 2015, at 16:21, Albert Zaharovits <albert@example.com> wrote:\x0d\x0a>> \x0d\x0a>> Bro SMTP CC Header\x0d\x0a>> TEST\x0d\x0a> \x0d\x0a\x0d\x0a, info=[ts=1437831787.905375, fuid=FKX8fw2lEHCTK8syM3, tx_hosts={\x0a\x09192.168.133.100\x0a}, rx_hosts={\x0a\x09192.168.133.102\x0a}, conn_uids={\x0aCPbrpk1qSsw6ESzHV4\x0a}, source=SMTP, depth=1, analyzers={\x0a\x0a}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=T, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
                   [1] meta: fa_metadata  = [mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]]]
 
 1437831787.905375 file_state_remove
-                  [0] f: fa_file         = [id=FKX8fw2lEHCTK8syM3, parent_id=<uninitialized>, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<felica4uu@hotmail.com>,\x0a<ericlim220@yahoo.com>,\x0a<davis_mark1@outlook.com>\x0a\x09}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits <albert@example.com>, to={\x0aericlim220@yahoo.com\x0a\x09}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a\x09}, reply_to=<uninitialized>, msg_id=<A6202DF2-8E58-4E41-BE0B-C8D3989A4AEE@example.com>, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 End data with <CR><LF>.<CR><LF>, path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[FKX8fw2lEHCTK8syM3]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831787.905375, seen_bytes=204, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=\x0d\x0a> On 25 Jul 2015, at 16:38, Albert Zaharovits <albert@example.com> wrote:\x0d\x0a> \x0d\x0a> \x0d\x0a>> On 25 Jul 2015, at 16:21, Albert Zaharovits <albert@example.com> wrote:\x0d\x0a>> \x0d\x0a>> Bro SMTP CC Header\x0d\x0a>> TEST\x0d\x0a> \x0d\x0a\x0d\x0a, info=[ts=1437831787.905375, fuid=FKX8fw2lEHCTK8syM3, tx_hosts={\x0a\x09192.168.133.100\x0a}, rx_hosts={\x0a\x09192.168.133.102\x0a}, conn_uids={\x0aCPbrpk1qSsw6ESzHV4\x0a}, source=SMTP, depth=1, analyzers={\x0a\x0a}, mime_type=text/plain, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=T, seen_bytes=204, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=FKX8fw2lEHCTK8syM3, parent_id=<uninitialized>, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<felica4uu@hotmail.com>,\x0a<ericlim220@yahoo.com>,\x0a<davis_mark1@outlook.com>\x0a\x09}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits <albert@example.com>, to={\x0aericlim220@yahoo.com\x0a\x09}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a\x09}, reply_to=<uninitialized>, msg_id=<A6202DF2-8E58-4E41-BE0B-C8D3989A4AEE@example.com>, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 End data with <CR><LF>.<CR><LF>, path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[FKX8fw2lEHCTK8syM3]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831787.905375, seen_bytes=204, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=\x0d\x0a> On 25 Jul 2015, at 16:38, Albert Zaharovits <albert@example.com> wrote:\x0d\x0a> \x0d\x0a> \x0d\x0a>> On 25 Jul 2015, at 16:21, Albert Zaharovits <albert@example.com> wrote:\x0d\x0a>> \x0d\x0a>> Bro SMTP CC Header\x0d\x0a>> TEST\x0d\x0a> \x0d\x0a\x0d\x0a, info=[ts=1437831787.905375, fuid=FKX8fw2lEHCTK8syM3, tx_hosts={\x0a\x09192.168.133.100\x0a}, rx_hosts={\x0a\x09192.168.133.102\x0a}, conn_uids={\x0aCPbrpk1qSsw6ESzHV4\x0a}, source=SMTP, depth=1, analyzers={\x0a\x0a}, mime_type=text/plain, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=T, seen_bytes=204, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
 
 1437831787.905375 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<felica4uu@hotmail.com>,\x0a<ericlim220@yahoo.com>,\x0a<davis_mark1@outlook.com>\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits <albert@example.com>, to={\x0aericlim220@yahoo.com\x0a}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=<uninitialized>, msg_id=<A6202DF2-8E58-4E41-BE0B-C8D3989A4AEE@example.com>, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 End data with <CR><LF>.<CR><LF>, path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[FKX8fw2lEHCTK8syM3]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<felica4uu@hotmail.com>,\x0a<ericlim220@yahoo.com>,\x0a<davis_mark1@outlook.com>\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits <albert@example.com>, to={\x0aericlim220@yahoo.com\x0a}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=<uninitialized>, msg_id=<A6202DF2-8E58-4E41-BE0B-C8D3989A4AEE@example.com>, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 End data with <CR><LF>.<CR><LF>, path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[FKX8fw2lEHCTK8syM3]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = F
 
 1437831787.905375 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<felica4uu@hotmail.com>,\x0a<ericlim220@yahoo.com>,\x0a<davis_mark1@outlook.com>\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits <albert@example.com>, to={\x0aericlim220@yahoo.com\x0a}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=<uninitialized>, msg_id=<A6202DF2-8E58-4E41-BE0B-C8D3989A4AEE@example.com>, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 End data with <CR><LF>.<CR><LF>, path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[FKX8fw2lEHCTK8syM3]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<felica4uu@hotmail.com>,\x0a<ericlim220@yahoo.com>,\x0a<davis_mark1@outlook.com>\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits <albert@example.com>, to={\x0aericlim220@yahoo.com\x0a}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=<uninitialized>, msg_id=<A6202DF2-8E58-4E41-BE0B-C8D3989A4AEE@example.com>, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 End data with <CR><LF>.<CR><LF>, path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[FKX8fw2lEHCTK8syM3]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = T
 
 1437831787.905375 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<felica4uu@hotmail.com>,\x0a<ericlim220@yahoo.com>,\x0a<davis_mark1@outlook.com>\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits <albert@example.com>, to={\x0aericlim220@yahoo.com\x0a}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=<uninitialized>, msg_id=<A6202DF2-8E58-4E41-BE0B-C8D3989A4AEE@example.com>, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 End data with <CR><LF>.<CR><LF>, path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[FKX8fw2lEHCTK8syM3]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<felica4uu@hotmail.com>,\x0a<ericlim220@yahoo.com>,\x0a<davis_mark1@outlook.com>\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits <albert@example.com>, to={\x0aericlim220@yahoo.com\x0a}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=<uninitialized>, msg_id=<A6202DF2-8E58-4E41-BE0B-C8D3989A4AEE@example.com>, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 End data with <CR><LF>.<CR><LF>, path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[FKX8fw2lEHCTK8syM3]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = F
 
 1437831787.905375 smtp_request
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<felica4uu@hotmail.com>,\x0a<ericlim220@yahoo.com>,\x0a<davis_mark1@outlook.com>\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits <albert@example.com>, to={\x0aericlim220@yahoo.com\x0a}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=<uninitialized>, msg_id=<A6202DF2-8E58-4E41-BE0B-C8D3989A4AEE@example.com>, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 End data with <CR><LF>.<CR><LF>, path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[FKX8fw2lEHCTK8syM3]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<felica4uu@hotmail.com>,\x0a<ericlim220@yahoo.com>,\x0a<davis_mark1@outlook.com>\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits <albert@example.com>, to={\x0aericlim220@yahoo.com\x0a}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=<uninitialized>, msg_id=<A6202DF2-8E58-4E41-BE0B-C8D3989A4AEE@example.com>, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 End data with <CR><LF>.<CR><LF>, path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[FKX8fw2lEHCTK8syM3]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] command: string    = .
                   [3] arg: string        = .
 
 1437831787.914113 smtp_reply
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=16, num_bytes_ip=1813, flow_label=0], resp=[size=162, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0], start_time=1437831787.856895, duration=0.057218, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<felica4uu@hotmail.com>,\x0a<ericlim220@yahoo.com>,\x0a<davis_mark1@outlook.com>\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits <albert@example.com>, to={\x0aericlim220@yahoo.com\x0a}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=<uninitialized>, msg_id=<A6202DF2-8E58-4E41-BE0B-C8D3989A4AEE@example.com>, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 End data with <CR><LF>.<CR><LF>, path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[FKX8fw2lEHCTK8syM3]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=16, num_bytes_ip=1813, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=162, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.057218, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<felica4uu@hotmail.com>,\x0a<ericlim220@yahoo.com>,\x0a<davis_mark1@outlook.com>\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits <albert@example.com>, to={\x0aericlim220@yahoo.com\x0a}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=<uninitialized>, msg_id=<A6202DF2-8E58-4E41-BE0B-C8D3989A4AEE@example.com>, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 End data with <CR><LF>.<CR><LF>, path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[FKX8fw2lEHCTK8syM3]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = .
@@ -739,59 +740,59 @@
                   [5] cont_resp: bool    = F
 
 1437831798.533593 new_connection
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49336/tcp, resp_h=74.125.71.189, resp_p=443/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1437831798.533593, duration=0.0, service={\x0a\x0a}, history=, uid=C6pKV8GSxOnSLghOa, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49336/tcp, resp_h=74.125.71.189, resp_p=443/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=cc:b2:55:f4:62:92], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=58:b0:35:86:54:8d], start_time=1437831798.533593, duration=0.0, service={\x0a\x0a}, history=, uid=C6pKV8GSxOnSLghOa, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1437831799.262632 new_connection
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49153/tcp, resp_h=17.172.238.21, resp_p=5223/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1437831799.262632, duration=0.0, service={\x0a\x0a}, history=, uid=CIPOse170MGiRM1Qf4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49153/tcp, resp_h=17.172.238.21, resp_p=5223/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.262632, duration=0.0, service={\x0a\x0a}, history=, uid=CIPOse170MGiRM1Qf4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1437831799.461152 new_connection
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1437831799.461152, duration=0.0, service={\x0a\x0a}, history=, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.0, service={\x0a\x0a}, history=, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1437831799.610433 connection_established
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1437831799.461152, duration=0.149281, service={\x0a\x0a}, history=Sh, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-
-1437831799.611764 protocol_confirmation
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0], start_time=1437831799.461152, duration=0.150612, service={\x0a\x0a}, history=ShAD, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] atype: enum        = Analyzer::ANALYZER_SSL
-                  [2] aid: count         = 35
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.149281, service={\x0a\x0a}, history=Sh, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1437831799.611764 ssl_extension_server_name
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0], start_time=1437831799.461152, duration=0.150612, service={\x0aSSL\x0a}, history=ShAD, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=<uninitialized>, cipher=<uninitialized>, curve=<uninitialized>, server_name=<uninitialized>, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fuids=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fuids=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.150612, service={\x0a\x0a}, history=ShAD, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] names: vector of string = [p31-keyvalueservice.icloud.com]
 
 1437831799.611764 ssl_extension
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0], start_time=1437831799.461152, duration=0.150612, service={\x0aSSL\x0a}, history=ShAD, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=<uninitialized>, cipher=<uninitialized>, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fuids=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fuids=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.150612, service={\x0a\x0a}, history=ShAD, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=<uninitialized>, cipher=<uninitialized>, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fuids=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fuids=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] code: count        = 0
                   [3] val: string        = \x00!\x00\x00\x1ep31-keyvalueservice.icloud.com
 
 1437831799.611764 ssl_extension
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0], start_time=1437831799.461152, duration=0.150612, service={\x0aSSL\x0a}, history=ShAD, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=<uninitialized>, cipher=<uninitialized>, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fuids=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fuids=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.150612, service={\x0a\x0a}, history=ShAD, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=<uninitialized>, cipher=<uninitialized>, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fuids=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fuids=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] code: count        = 10
                   [3] val: string        = \x00\x06\x00\x17\x00\x18\x00\x19
 
 1437831799.611764 ssl_extension
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0], start_time=1437831799.461152, duration=0.150612, service={\x0aSSL\x0a}, history=ShAD, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=<uninitialized>, cipher=<uninitialized>, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fuids=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fuids=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.150612, service={\x0a\x0a}, history=ShAD, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=<uninitialized>, cipher=<uninitialized>, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fuids=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fuids=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] code: count        = 11
                   [3] val: string        = \x01\x00
 
 1437831799.611764 ssl_extension
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0], start_time=1437831799.461152, duration=0.150612, service={\x0aSSL\x0a}, history=ShAD, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=<uninitialized>, cipher=<uninitialized>, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fuids=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fuids=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.150612, service={\x0a\x0a}, history=ShAD, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=<uninitialized>, cipher=<uninitialized>, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fuids=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fuids=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] code: count        = 13
                   [3] val: string        = \x00\x0a\x05\x01\x04\x01\x02\x01\x04\x03\x02\x03
 
 1437831799.611764 ssl_extension
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0], start_time=1437831799.461152, duration=0.150612, service={\x0aSSL\x0a}, history=ShAD, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=<uninitialized>, cipher=<uninitialized>, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fuids=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fuids=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.150612, service={\x0a\x0a}, history=ShAD, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=<uninitialized>, cipher=<uninitialized>, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fuids=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fuids=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] code: count        = 13172
                   [3] val: string        = 
 
+1437831799.611764 protocol_confirmation
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.150612, service={\x0a\x0a}, history=ShAD, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=<uninitialized>, cipher=<uninitialized>, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fuids=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fuids=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] atype: enum        = Analyzer::ANALYZER_SSL
+                  [2] aid: count         = 35
+
 1437831799.611764 ssl_client_hello
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0], start_time=1437831799.461152, duration=0.150612, service={\x0aSSL\x0a}, history=ShAD, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=<uninitialized>, cipher=<uninitialized>, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fuids=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fuids=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.150612, service={\x0aSSL\x0a}, history=ShAD, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=<uninitialized>, cipher=<uninitialized>, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fuids=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fuids=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] version: count     = 771
                   [2] possible_ts: time  = 1437831799.0
                   [3] client_random: string = \xd4\xda\xbe{\xfa\xaa\x16\xb2\xe7\x92\x9d\xbf\xe1c\x97\xde\xdca7\x92\x90\xf6\x967\xf7\xec\x1e\xe6
@@ -799,19 +800,19 @@
                   [5] ciphers: vector of count = [255, 49188, 49187, 49162, 49161, 49160, 49192, 49191, 49172, 49171, 49170, 49190, 49189, 49157, 49156, 49155, 49194, 49193, 49167, 49166, 49165, 107, 103, 57, 51, 22, 61, 60, 53, 47, 10, 49159, 49169, 49154, 49164, 5, 4]
 
 1437831799.611764 ssl_handshake_message
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0], start_time=1437831799.461152, duration=0.150612, service={\x0aSSL\x0a}, history=ShAD, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=<uninitialized>, cipher=<uninitialized>, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fuids=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fuids=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.150612, service={\x0aSSL\x0a}, history=ShAD, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=<uninitialized>, cipher=<uninitialized>, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fuids=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fuids=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] msg_type: count    = 1
                   [3] length: count      = 192
 
 1437831799.764576 ssl_extension
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a}, history=ShADd, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=<uninitialized>, cipher=<uninitialized>, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fuids=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fuids=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a}, history=ShADd, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=<uninitialized>, cipher=<uninitialized>, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fuids=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fuids=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 65281
                   [3] val: string        = \x00
 
 1437831799.764576 ssl_server_hello
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a}, history=ShADd, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=<uninitialized>, cipher=<uninitialized>, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fuids=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fuids=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a}, history=ShADd, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=<uninitialized>, cipher=<uninitialized>, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fuids=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fuids=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] version: count     = 771
                   [2] possible_ts: time  = 1437831799.0
                   [3] server_random: string = \xe2RB\xdds\x11\xa9\xd4\x1d\xbc\x8e\xe2]\x09\xc5\xfc\xb1\xedl\xed\x17\xb2?a\xac\x81QM
@@ -820,194 +821,184 @@
                   [6] comp_method: count = 0
 
 1437831799.764576 ssl_handshake_message
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a}, history=ShADd, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fuids=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fuids=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a}, history=ShADd, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fuids=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fuids=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] msg_type: count    = 2
                   [3] length: count      = 77
 
 1437831799.764576 file_new
-                  [0] f: fa_file         = [id=F1vce92FT1oRjKI328, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fuids=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fuids=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=F1vce92FT1oRjKI328, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fuids=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fuids=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
 
 1437831799.764576 file_over_new_connection
-                  [0] f: fa_file         = [id=F1vce92FT1oRjKI328, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fuids=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fuids=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0a}, rx_hosts={\x0a\x0a}, conn_uids={\x0a\x0a}, source=SSL, depth=0, analyzers={\x0a\x0a}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
-                  [1] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a}, history=ShADd, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fuids=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fuids=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] f: fa_file         = [id=F1vce92FT1oRjKI328, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fuids=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fuids=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0a}, rx_hosts={\x0a\x0a}, conn_uids={\x0a\x0a}, source=SSL, depth=0, analyzers={\x0a\x0a}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a}, history=ShADd, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fuids=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fuids=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = F
 
 1437831799.764576 file_sniff
-                  [0] f: fa_file         = [id=F1vce92FT1oRjKI328, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a\x09}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=F1vce92FT1oRjKI328, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a\x09}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
                   [1] meta: fa_metadata  = [mime_type=<uninitialized>, mime_types=<uninitialized>]
 
 1437831799.764576 x509_certificate
-                  [0] f: fa_file         = [id=F1vce92FT1oRjKI328, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a\x09}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=F1vce92FT1oRjKI328, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a\x09}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
                   [1] cert_ref: opaque of x509 = <no value description>
                   [2] cert: X509::Certificate = [version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>]
 
 1437831799.764576 x509_extension
-                  [0] f: fa_file         = [id=F1vce92FT1oRjKI328, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=F1vce92FT1oRjKI328, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
                   [1] ext: X509::Extension = [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a]
 
 1437831799.764576 x509_extension
-                  [0] f: fa_file         = [id=F1vce92FT1oRjKI328, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09]], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a]], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=F1vce92FT1oRjKI328, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09]], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a]], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
                   [1] ext: X509::Extension = [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB]
 
 1437831799.764576 x509_extension
-                  [0] f: fa_file         = [id=F1vce92FT1oRjKI328, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB]], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB]], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=F1vce92FT1oRjKI328, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB]], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB]], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
                   [1] ext: X509::Extension = [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]
 
 1437831799.764576 x509_ext_basic_constraints
-                  [0] f: fa_file         = [id=F1vce92FT1oRjKI328, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=F1vce92FT1oRjKI328, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
                   [1] ext: X509::BasicConstraints = [ca=F, path_len=<uninitialized>]
 
 1437831799.764576 x509_extension
-                  [0] f: fa_file         = [id=F1vce92FT1oRjKI328, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=F1vce92FT1oRjKI328, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
                   [1] ext: X509::Extension = [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a]
 
 1437831799.764576 x509_extension
-                  [0] f: fa_file         = [id=F1vce92FT1oRjKI328, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=F1vce92FT1oRjKI328, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
                   [1] ext: X509::Extension = [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a]
 
 1437831799.764576 x509_extension
-                  [0] f: fa_file         = [id=F1vce92FT1oRjKI328, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=F1vce92FT1oRjKI328, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
                   [1] ext: X509::Extension = [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a]
 
 1437831799.764576 x509_extension
-                  [0] f: fa_file         = [id=F1vce92FT1oRjKI328, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=F1vce92FT1oRjKI328, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
                   [1] ext: X509::Extension = [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment]
 
 1437831799.764576 x509_extension
-                  [0] f: fa_file         = [id=F1vce92FT1oRjKI328, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=F1vce92FT1oRjKI328, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
                   [1] ext: X509::Extension = [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication]
 
 1437831799.764576 x509_extension
-                  [0] f: fa_file         = [id=F1vce92FT1oRjKI328, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=F1vce92FT1oRjKI328, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
                   [1] ext: X509::Extension = [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]
 
 1437831799.764576 x509_ext_subject_alternative_name
-                  [0] f: fa_file         = [id=F1vce92FT1oRjKI328, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=F1vce92FT1oRjKI328, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
                   [1] ext: X509::SubjectAlternativeName = [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]
 
 1437831799.764576 file_hash
-                  [0] f: fa_file         = [id=F1vce92FT1oRjKI328, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=F1vce92FT1oRjKI328, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
                   [1] kind: string       = sha1
                   [2] hash: string       = f5ccb1a724133607548b00d8eb402efca3076d58
 
-1437831799.764576 file_hash
-                  [0] f: fa_file         = [id=F1vce92FT1oRjKI328, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
-                  [1] kind: string       = md5
-                  [2] hash: string       = 1bf9696d9f337805383427e88781d001
-
 1437831799.764576 file_state_remove
-                  [0] f: fa_file         = [id=F1vce92FT1oRjKI328, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=F1vce92FT1oRjKI328, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
 
 1437831799.764576 file_new
-                  [0] f: fa_file         = [id=Fxp53s3wA5G3zdEJg8, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=Fxp53s3wA5G3zdEJg8, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
 
 1437831799.764576 file_over_new_connection
-                  [0] f: fa_file         = [id=Fxp53s3wA5G3zdEJg8, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0a}, rx_hosts={\x0a\x0a}, conn_uids={\x0a\x0a}, source=SSL, depth=0, analyzers={\x0a\x0a}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
-                  [1] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a}, history=ShADd, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] f: fa_file         = [id=Fxp53s3wA5G3zdEJg8, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0a}, rx_hosts={\x0a\x0a}, conn_uids={\x0a\x0a}, source=SSL, depth=0, analyzers={\x0a\x0a}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a}, history=ShADd, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = F
 
 1437831799.764576 file_sniff
-                  [0] f: fa_file         = [id=Fxp53s3wA5G3zdEJg8, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a\x09}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC \x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d \x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=Fxp53s3wA5G3zdEJg8, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a\x09}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC \x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d \x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
                   [1] meta: fa_metadata  = [mime_type=<uninitialized>, mime_types=<uninitialized>]
 
 1437831799.764576 x509_certificate
-                  [0] f: fa_file         = [id=Fxp53s3wA5G3zdEJg8, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a\x09}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC \x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d \x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=Fxp53s3wA5G3zdEJg8, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a\x09}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC \x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d \x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
                   [1] cert_ref: opaque of x509 = <no value description>
                   [2] cert: X509::Certificate = [version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>]
 
 1437831799.764576 x509_extension
-                  [0] f: fa_file         = [id=Fxp53s3wA5G3zdEJg8, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC \x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d \x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=Fxp53s3wA5G3zdEJg8, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC \x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d \x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
                   [1] ext: X509::Extension = [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a]
 
 1437831799.764576 x509_extension
-                  [0] f: fa_file         = [id=Fxp53s3wA5G3zdEJg8, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09]], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC \x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d \x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a]], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=Fxp53s3wA5G3zdEJg8, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09]], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC \x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d \x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a]], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
                   [1] ext: X509::Extension = [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29]
 
 1437831799.764576 x509_extension
-                  [0] f: fa_file         = [id=Fxp53s3wA5G3zdEJg8, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29]], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC \x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d \x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29]], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=Fxp53s3wA5G3zdEJg8, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29]], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC \x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d \x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29]], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
                   [1] ext: X509::Extension = [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]
 
 1437831799.764576 x509_ext_basic_constraints
-                  [0] f: fa_file         = [id=Fxp53s3wA5G3zdEJg8, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC \x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d \x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=Fxp53s3wA5G3zdEJg8, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC \x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d \x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
                   [1] ext: X509::BasicConstraints = [ca=T, path_len=0]
 
 1437831799.764576 x509_extension
-                  [0] f: fa_file         = [id=Fxp53s3wA5G3zdEJg8, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC \x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d \x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=Fxp53s3wA5G3zdEJg8, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC \x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d \x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
                   [1] ext: X509::Extension = [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign]
 
 1437831799.764576 x509_extension
-                  [0] f: fa_file         = [id=Fxp53s3wA5G3zdEJg8, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC \x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d \x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=Fxp53s3wA5G3zdEJg8, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC \x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d \x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
                   [1] ext: X509::Extension = [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a]
 
 1437831799.764576 x509_extension
-                  [0] f: fa_file         = [id=Fxp53s3wA5G3zdEJg8, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC \x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d \x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=Fxp53s3wA5G3zdEJg8, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC \x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d \x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
                   [1] ext: X509::Extension = [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a]
 
 1437831799.764576 x509_extension
-                  [0] f: fa_file         = [id=Fxp53s3wA5G3zdEJg8, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a\x09]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC \x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d \x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=Fxp53s3wA5G3zdEJg8, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a\x09]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC \x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d \x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
                   [1] ext: X509::Extension = [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]
 
 1437831799.764576 file_hash
-                  [0] f: fa_file         = [id=Fxp53s3wA5G3zdEJg8, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a\x09]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC \x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d \x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=Fxp53s3wA5G3zdEJg8, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a\x09]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC \x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d \x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
                   [1] kind: string       = sha1
                   [2] hash: string       = 8e8321ca08b08e3726fe1d82996884eeb5f0d655
 
-1437831799.764576 file_hash
-                  [0] f: fa_file         = [id=Fxp53s3wA5G3zdEJg8, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a\x09]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC \x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d \x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
-                  [1] kind: string       = md5
-                  [2] hash: string       = 48f0e38385112eeca5fc9ffd402eaecd
-
 1437831799.764576 file_state_remove
-                  [0] f: fa_file         = [id=Fxp53s3wA5G3zdEJg8, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a\x09]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC \x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d \x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=Fxp53s3wA5G3zdEJg8, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a\x09]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC \x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d \x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
 
 1437831799.764576 ssl_handshake_message
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a}, history=ShADd, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a}, history=ShADd, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] msg_type: count    = 11
                   [3] length: count      = 2507
 
 1437831799.764576 ssl_handshake_message
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a}, history=ShADd, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a}, history=ShADd, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] msg_type: count    = 14
                   [3] length: count      = 0
 
 1437831799.838196 ssl_handshake_message
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=468, state=4, num_pkts=5, num_bytes_ip=425, flow_label=0], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0], start_time=1437831799.461152, duration=0.377044, service={\x0aSSL\x0a}, history=ShADd, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=468, state=4, num_pkts=5, num_bytes_ip=425, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.377044, service={\x0aSSL\x0a}, history=ShADd, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] msg_type: count    = 16
                   [3] length: count      = 258
 
 1437831799.838197 ssl_change_cipher_spec
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=474, state=4, num_pkts=6, num_bytes_ip=732, flow_label=0], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0], start_time=1437831799.461152, duration=0.377045, service={\x0aSSL\x0a}, history=ShADd, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=474, state=4, num_pkts=6, num_bytes_ip=732, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.377045, service={\x0aSSL\x0a}, history=ShADd, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
 
 1437831800.045701 ssl_change_cipher_spec
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0], resp=[size=2644, state=4, num_pkts=6, num_bytes_ip=2853, flow_label=0], start_time=1437831799.461152, duration=0.584549, service={\x0aSSL\x0a}, history=ShADda, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=6, num_bytes_ip=2853, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.584549, service={\x0aSSL\x0a}, history=ShADda, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
 
 1437831800.045701 ssl_established
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0], resp=[size=2644, state=4, num_pkts=6, num_bytes_ip=2853, flow_label=0], start_time=1437831799.461152, duration=0.584549, service={\x0aSSL\x0a}, history=ShADda, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=6, num_bytes_ip=2853, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.584549, service={\x0aSSL\x0a}, history=ShADda, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1437831800.217854 net_done
                   [0] t: time            = 1437831800.217854
 
 1437831800.217854 filter_change_tracking
 1437831800.217854 connection_state_remove
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=17, num_bytes_ip=1865, flow_label=0], resp=[size=162, state=4, num_pkts=10, num_bytes_ip=690, flow_label=0], start_time=1437831787.856895, duration=0.05732, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.914113, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=2, helo=[192.168.133.100], mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=<uninitialized>, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=1, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=17, num_bytes_ip=1865, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=162, state=4, num_pkts=10, num_bytes_ip=690, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.05732, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.914113, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=2, helo=[192.168.133.100], mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=<uninitialized>, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=1, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1437831800.217854 connection_state_remove
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49153/tcp, resp_h=17.172.238.21, resp_p=5223/tcp], orig=[size=714, state=3, num_pkts=1, num_bytes_ip=766, flow_label=0], resp=[size=0, state=3, num_pkts=1, num_bytes_ip=52, flow_label=0], start_time=1437831799.262632, duration=0.147503, service={\x0a\x0a}, history=Da, uid=CIPOse170MGiRM1Qf4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49153/tcp, resp_h=17.172.238.21, resp_p=5223/tcp], orig=[size=714, state=3, num_pkts=1, num_bytes_ip=766, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=3, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.262632, duration=0.147503, service={\x0a\x0a}, history=Da, uid=CIPOse170MGiRM1Qf4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1437831800.217854 connection_state_remove
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49285/tcp, resp_h=66.196.121.26, resp_p=5050/tcp], orig=[size=41, state=3, num_pkts=1, num_bytes_ip=93, flow_label=0], resp=[size=0, state=3, num_pkts=1, num_bytes_ip=52, flow_label=0], start_time=1437831776.764391, duration=0.343008, service={\x0a\x0a}, history=Da, uid=CRJuHdVW0XPVINV8a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49285/tcp, resp_h=66.196.121.26, resp_p=5050/tcp], orig=[size=41, state=3, num_pkts=1, num_bytes_ip=93, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=3, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831776.764391, duration=0.343008, service={\x0a\x0a}, history=Da, uid=CRJuHdVW0XPVINV8a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1437831800.217854 connection_state_remove
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=15, num_bytes_ip=2873, flow_label=0], resp=[size=3653, state=4, num_pkts=13, num_bytes_ip=4185, flow_label=0], start_time=1437831799.461152, duration=0.756702, service={\x0aSSL\x0a}, history=ShADda, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=15, num_bytes_ip=2873, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3653, state=4, num_pkts=13, num_bytes_ip=4185, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.756702, service={\x0aSSL\x0a}, history=ShADda, uid=C7XEbhP654jzLoe3a, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1437831800.217854 connection_state_remove
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49336/tcp, resp_h=74.125.71.189, resp_p=443/tcp], orig=[size=0, state=3, num_pkts=3, num_bytes_ip=156, flow_label=0], resp=[size=85, state=3, num_pkts=3, num_bytes_ip=411, flow_label=0], start_time=1437831798.533593, duration=0.000221, service={\x0a\x0a}, history=dA, uid=C6pKV8GSxOnSLghOa, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49336/tcp, resp_h=74.125.71.189, resp_p=443/tcp], orig=[size=0, state=3, num_pkts=3, num_bytes_ip=156, flow_label=0, l2_addr=cc:b2:55:f4:62:92], resp=[size=85, state=3, num_pkts=3, num_bytes_ip=411, flow_label=0, l2_addr=58:b0:35:86:54:8d], start_time=1437831798.533593, duration=0.000221, service={\x0a\x0a}, history=dA, uid=C6pKV8GSxOnSLghOa, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1437831800.217854 bro_done
 1437831800.217854 ChecksumOffloading::check
diff --git a/testing/btest/Baseline/scripts.policy.misc.dump-events/smtp-events.log b/testing/btest/Baseline/scripts.policy.misc.dump-events/smtp-events.log
index 0c6833895b..0432deb2aa 100644
--- a/testing/btest/Baseline/scripts.policy.misc.dump-events/smtp-events.log
+++ b/testing/btest/Baseline/scripts.policy.misc.dump-events/smtp-events.log
@@ -1,5 +1,5 @@
 1254722768.219663 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0], start_time=1254722767.529046, duration=0.690617, service={\x0a\x0a}, history=ShAd, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=0.690617, service={\x0a\x0a}, history=ShAd, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 220
                   [3] cmd: string        = >
@@ -7,7 +7,7 @@
                   [5] cont_resp: bool    = T
 
 1254722768.219663 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0], start_time=1254722767.529046, duration=0.690617, service={\x0a\x0a}, history=ShAd, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 xc90.websitewelcome.com ESMTP Exim 4.69 #1 Mon, 05 Oct 2009 01:05:54 -0500 , path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=0.690617, service={\x0a\x0a}, history=ShAd, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 xc90.websitewelcome.com ESMTP Exim 4.69 #1 Mon, 05 Oct 2009 01:05:54 -0500 , path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 220
                   [3] cmd: string        = >
@@ -15,7 +15,7 @@
                   [5] cont_resp: bool    = T
 
 1254722768.219663 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0], start_time=1254722767.529046, duration=0.690617, service={\x0a\x0a}, history=ShAd, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 We do not authorize the use of this system to transport unsolicited, , path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=0.690617, service={\x0a\x0a}, history=ShAd, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 We do not authorize the use of this system to transport unsolicited, , path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 220
                   [3] cmd: string        = >
@@ -23,13 +23,13 @@
                   [5] cont_resp: bool    = F
 
 1254722768.224809 smtp_request
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0], resp=[size=181, state=4, num_pkts=2, num_bytes_ip=269, flow_label=0], start_time=1254722767.529046, duration=0.695763, service={\x0aSMTP\x0a}, history=ShAdD, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 and/or bulk e-mail., path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=181, state=4, num_pkts=2, num_bytes_ip=269, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=0.695763, service={\x0aSMTP\x0a}, history=ShAdD, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 and/or bulk e-mail., path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] command: string    = EHLO
                   [3] arg: string        = GP
 
 1254722768.566183 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 and/or bulk e-mail., path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.037137, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 and/or bulk e-mail., path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = EHLO
@@ -37,7 +37,7 @@
                   [5] cont_resp: bool    = T
 
 1254722768.566183 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 xc90.websitewelcome.com Hello GP [122.162.143.157], path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.037137, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 xc90.websitewelcome.com Hello GP [122.162.143.157], path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = EHLO
@@ -45,7 +45,7 @@
                   [5] cont_resp: bool    = T
 
 1254722768.566183 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 SIZE 52428800, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.037137, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 SIZE 52428800, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = EHLO
@@ -53,7 +53,7 @@
                   [5] cont_resp: bool    = T
 
 1254722768.566183 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 PIPELINING, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.037137, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 PIPELINING, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = EHLO
@@ -61,7 +61,7 @@
                   [5] cont_resp: bool    = T
 
 1254722768.566183 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 AUTH PLAIN LOGIN, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.037137, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 AUTH PLAIN LOGIN, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = EHLO
@@ -69,7 +69,7 @@
                   [5] cont_resp: bool    = T
 
 1254722768.566183 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 STARTTLS, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.037137, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 STARTTLS, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = EHLO
@@ -77,13 +77,13 @@
                   [5] cont_resp: bool    = F
 
 1254722768.568729 smtp_request
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=21, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=4, num_bytes_ip=486, flow_label=0], start_time=1254722767.529046, duration=1.039683, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 HELP, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=21, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=318, state=4, num_pkts=4, num_bytes_ip=486, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.039683, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 HELP, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] command: string    = AUTH
                   [3] arg: string        = LOGIN
 
 1254722768.911081 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=21, state=4, num_pkts=4, num_bytes_ip=189, flow_label=0], resp=[size=336, state=4, num_pkts=4, num_bytes_ip=486, flow_label=0], start_time=1254722767.529046, duration=1.382035, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 HELP, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=21, state=4, num_pkts=4, num_bytes_ip=189, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=336, state=4, num_pkts=4, num_bytes_ip=486, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.382035, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 HELP, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 334
                   [3] cmd: string        = AUTH
@@ -91,13 +91,13 @@
                   [5] cont_resp: bool    = F
 
 1254722768.911655 smtp_request
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=51, state=4, num_pkts=4, num_bytes_ip=189, flow_label=0], resp=[size=336, state=4, num_pkts=5, num_bytes_ip=544, flow_label=0], start_time=1254722767.529046, duration=1.382609, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 VXNlcm5hbWU6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=51, state=4, num_pkts=4, num_bytes_ip=189, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=336, state=4, num_pkts=5, num_bytes_ip=544, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.382609, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 VXNlcm5hbWU6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] command: string    = **
                   [3] arg: string        = Z3VycGFydGFwQHBhdHJpb3RzLmlu
 
 1254722769.253544 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=51, state=4, num_pkts=5, num_bytes_ip=259, flow_label=0], resp=[size=354, state=4, num_pkts=5, num_bytes_ip=544, flow_label=0], start_time=1254722767.529046, duration=1.724498, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 VXNlcm5hbWU6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=51, state=4, num_pkts=5, num_bytes_ip=259, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=354, state=4, num_pkts=5, num_bytes_ip=544, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.724498, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 VXNlcm5hbWU6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 334
                   [3] cmd: string        = AUTH_ANSWER
@@ -105,13 +105,13 @@
                   [5] cont_resp: bool    = F
 
 1254722769.254118 smtp_request
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=69, state=4, num_pkts=5, num_bytes_ip=259, flow_label=0], resp=[size=354, state=4, num_pkts=6, num_bytes_ip=602, flow_label=0], start_time=1254722767.529046, duration=1.725072, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 UGFzc3dvcmQ6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=69, state=4, num_pkts=5, num_bytes_ip=259, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=354, state=4, num_pkts=6, num_bytes_ip=602, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.725072, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 UGFzc3dvcmQ6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] command: string    = **
                   [3] arg: string        = cHVuamFiQDEyMw==
 
 1254722769.613798 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=69, state=4, num_pkts=6, num_bytes_ip=317, flow_label=0], resp=[size=384, state=4, num_pkts=6, num_bytes_ip=602, flow_label=0], start_time=1254722767.529046, duration=2.084752, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 UGFzc3dvcmQ6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=69, state=4, num_pkts=6, num_bytes_ip=317, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=384, state=4, num_pkts=6, num_bytes_ip=602, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=2.084752, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 UGFzc3dvcmQ6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 235
                   [3] cmd: string        = AUTH_ANSWER
@@ -119,13 +119,13 @@
                   [5] cont_resp: bool    = F
 
 1254722769.614414 smtp_request
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=105, state=4, num_pkts=6, num_bytes_ip=317, flow_label=0], resp=[size=384, state=4, num_pkts=7, num_bytes_ip=672, flow_label=0], start_time=1254722767.529046, duration=2.085368, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=235 Authentication succeeded, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=105, state=4, num_pkts=6, num_bytes_ip=317, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=384, state=4, num_pkts=7, num_bytes_ip=672, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=2.085368, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=235 Authentication succeeded, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] command: string    = MAIL
                   [3] arg: string        = FROM: <gurpartap@patriots.in>
 
 1254722769.956765 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=105, state=4, num_pkts=7, num_bytes_ip=393, flow_label=0], resp=[size=392, state=4, num_pkts=7, num_bytes_ip=672, flow_label=0], start_time=1254722767.529046, duration=2.427719, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=235 Authentication succeeded, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=105, state=4, num_pkts=7, num_bytes_ip=393, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=392, state=4, num_pkts=7, num_bytes_ip=672, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=2.427719, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=235 Authentication succeeded, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = MAIL
@@ -133,13 +133,13 @@
                   [5] cont_resp: bool    = F
 
 1254722769.957250 smtp_request
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=144, state=4, num_pkts=7, num_bytes_ip=393, flow_label=0], resp=[size=392, state=4, num_pkts=8, num_bytes_ip=720, flow_label=0], start_time=1254722767.529046, duration=2.428204, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 OK, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=144, state=4, num_pkts=7, num_bytes_ip=393, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=392, state=4, num_pkts=8, num_bytes_ip=720, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=2.428204, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 OK, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] command: string    = RCPT
                   [3] arg: string        = TO: <raj_deol2002in@yahoo.co.in>
 
 1254722770.319708 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=144, state=4, num_pkts=8, num_bytes_ip=472, flow_label=0], resp=[size=406, state=4, num_pkts=8, num_bytes_ip=720, flow_label=0], start_time=1254722767.529046, duration=2.790662, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 OK, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=144, state=4, num_pkts=8, num_bytes_ip=472, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=406, state=4, num_pkts=8, num_bytes_ip=720, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=2.790662, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 OK, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = RCPT
@@ -147,13 +147,13 @@
                   [5] cont_resp: bool    = F
 
 1254722770.320203 smtp_request
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=150, state=4, num_pkts=8, num_bytes_ip=472, flow_label=0], resp=[size=406, state=4, num_pkts=9, num_bytes_ip=774, flow_label=0], start_time=1254722767.529046, duration=2.791157, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Accepted, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=150, state=4, num_pkts=8, num_bytes_ip=472, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=406, state=4, num_pkts=9, num_bytes_ip=774, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=2.791157, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Accepted, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] command: string    = DATA
                   [3] arg: string        = 
 
 1254722770.661679 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=150, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=9, num_bytes_ip=774, flow_label=0], start_time=1254722767.529046, duration=3.132633, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Accepted, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=150, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=9, num_bytes_ip=774, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.132633, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Accepted, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 354
                   [3] cmd: string        = DATA
@@ -161,13 +161,13 @@
                   [5] cont_resp: bool    = F
 
 1254722771.858334 smtp_request
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=4.329288, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] command: string    = .
                   [3] arg: string        = .
 
 1254722772.248789 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=24, num_bytes_ip=21507, flow_label=0], resp=[size=490, state=4, num_pkts=21, num_bytes_ip=1310, flow_label=0], start_time=1254722767.529046, duration=4.719743, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=24, num_bytes_ip=21507, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=490, state=4, num_pkts=21, num_bytes_ip=1310, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=4.719743, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = .
@@ -175,13 +175,13 @@
                   [5] cont_resp: bool    = F
 
 1254722774.763825 smtp_request
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=4, num_pkts=25, num_bytes_ip=21547, flow_label=0], resp=[size=490, state=4, num_pkts=22, num_bytes_ip=1378, flow_label=0], start_time=1254722767.529046, duration=7.234779, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722772.248789, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=<uninitialized>, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=4, num_pkts=25, num_bytes_ip=21547, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=490, state=4, num_pkts=22, num_bytes_ip=1378, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=7.234779, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722772.248789, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=<uninitialized>, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] command: string    = QUIT
                   [3] arg: string        = 
 
 1254722775.105467 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=5, num_pkts=27, num_bytes_ip=21633, flow_label=0], resp=[size=538, state=4, num_pkts=22, num_bytes_ip=1378, flow_label=0], start_time=1254722767.529046, duration=7.576421, service={\x0aSMTP\x0a}, history=ShAdDaF, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722772.248789, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=<uninitialized>, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=5, num_pkts=27, num_bytes_ip=21633, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=538, state=4, num_pkts=22, num_bytes_ip=1378, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=7.576421, service={\x0aSMTP\x0a}, history=ShAdDaF, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722772.248789, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=<uninitialized>, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 221
                   [3] cmd: string        = QUIT
@@ -189,7 +189,7 @@
                   [5] cont_resp: bool    = F
 
 1437831787.867142 smtp_reply
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=35, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1437831787.856895, duration=0.010247, service={\x0a\x0a}, history=ShAd, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=35, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.010247, service={\x0a\x0a}, history=ShAd, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 220
                   [3] cmd: string        = >
@@ -197,13 +197,13 @@
                   [5] cont_resp: bool    = F
 
 1437831787.883306 smtp_request
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=3, num_bytes_ip=168, flow_label=0], resp=[size=35, state=4, num_pkts=2, num_bytes_ip=147, flow_label=0], start_time=1437831787.856895, duration=0.026411, service={\x0aSMTP\x0a}, history=ShAdD, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 uprise ESMTP SubEthaSMTP null, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=3, num_bytes_ip=168, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=35, state=4, num_pkts=2, num_bytes_ip=147, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.026411, service={\x0aSMTP\x0a}, history=ShAdD, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 uprise ESMTP SubEthaSMTP null, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] command: string    = EHLO
                   [3] arg: string        = [192.168.133.100]
 
 1437831787.886281 smtp_reply
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=4, num_bytes_ip=244, flow_label=0], resp=[size=85, state=4, num_pkts=3, num_bytes_ip=199, flow_label=0], start_time=1437831787.856895, duration=0.029386, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 uprise ESMTP SubEthaSMTP null, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=4, num_bytes_ip=244, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=4, num_pkts=3, num_bytes_ip=199, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.029386, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 uprise ESMTP SubEthaSMTP null, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = EHLO
@@ -211,7 +211,7 @@
                   [5] cont_resp: bool    = T
 
 1437831787.886281 smtp_reply
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=4, num_bytes_ip=244, flow_label=0], resp=[size=85, state=4, num_pkts=3, num_bytes_ip=199, flow_label=0], start_time=1437831787.856895, duration=0.029386, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 uprise, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=4, num_bytes_ip=244, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=4, num_pkts=3, num_bytes_ip=199, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.029386, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 uprise, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = EHLO
@@ -219,7 +219,7 @@
                   [5] cont_resp: bool    = T
 
 1437831787.886281 smtp_reply
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=4, num_bytes_ip=244, flow_label=0], resp=[size=85, state=4, num_pkts=3, num_bytes_ip=199, flow_label=0], start_time=1437831787.856895, duration=0.029386, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 8BITMIME, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=4, num_bytes_ip=244, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=4, num_pkts=3, num_bytes_ip=199, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.029386, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 8BITMIME, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = EHLO
@@ -227,7 +227,7 @@
                   [5] cont_resp: bool    = T
 
 1437831787.886281 smtp_reply
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=4, num_bytes_ip=244, flow_label=0], resp=[size=85, state=4, num_pkts=3, num_bytes_ip=199, flow_label=0], start_time=1437831787.856895, duration=0.029386, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 AUTH LOGIN, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=4, num_bytes_ip=244, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=4, num_pkts=3, num_bytes_ip=199, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.029386, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 AUTH LOGIN, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = EHLO
@@ -235,13 +235,13 @@
                   [5] cont_resp: bool    = F
 
 1437831787.887031 smtp_request
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=56, state=4, num_pkts=5, num_bytes_ip=296, flow_label=0], resp=[size=85, state=4, num_pkts=4, num_bytes_ip=301, flow_label=0], start_time=1437831787.856895, duration=0.030136, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=56, state=4, num_pkts=5, num_bytes_ip=296, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=4, num_pkts=4, num_bytes_ip=301, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.030136, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] command: string    = MAIL
                   [3] arg: string        = FROM:<albert@example.com>
 
 1437831787.889785 smtp_reply
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=56, state=4, num_pkts=6, num_bytes_ip=380, flow_label=0], resp=[size=93, state=4, num_pkts=4, num_bytes_ip=301, flow_label=0], start_time=1437831787.856895, duration=0.03289, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=56, state=4, num_pkts=6, num_bytes_ip=380, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=93, state=4, num_pkts=4, num_bytes_ip=301, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.03289, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = MAIL
@@ -249,13 +249,13 @@
                   [5] cont_resp: bool    = F
 
 1437831787.890232 smtp_request
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=88, state=4, num_pkts=7, num_bytes_ip=432, flow_label=0], resp=[size=93, state=4, num_pkts=5, num_bytes_ip=361, flow_label=0], start_time=1437831787.856895, duration=0.033337, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=88, state=4, num_pkts=7, num_bytes_ip=432, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=93, state=4, num_pkts=5, num_bytes_ip=361, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.033337, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] command: string    = RCPT
                   [3] arg: string        = TO:<ericlim220@yahoo.com>
 
 1437831787.892986 smtp_reply
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=88, state=4, num_pkts=8, num_bytes_ip=516, flow_label=0], resp=[size=101, state=4, num_pkts=5, num_bytes_ip=361, flow_label=0], start_time=1437831787.856895, duration=0.036091, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<ericlim220@yahoo.com>\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=88, state=4, num_pkts=8, num_bytes_ip=516, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=101, state=4, num_pkts=5, num_bytes_ip=361, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.036091, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<ericlim220@yahoo.com>\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = RCPT
@@ -263,13 +263,13 @@
                   [5] cont_resp: bool    = F
 
 1437831787.893587 smtp_request
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=121, state=4, num_pkts=9, num_bytes_ip=568, flow_label=0], resp=[size=101, state=4, num_pkts=6, num_bytes_ip=421, flow_label=0], start_time=1437831787.856895, duration=0.036692, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<ericlim220@yahoo.com>\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=121, state=4, num_pkts=9, num_bytes_ip=568, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=101, state=4, num_pkts=6, num_bytes_ip=421, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.036692, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<ericlim220@yahoo.com>\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] command: string    = RCPT
                   [3] arg: string        = TO:<felica4uu@hotmail.com>
 
 1437831787.897624 smtp_reply
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=121, state=4, num_pkts=10, num_bytes_ip=653, flow_label=0], resp=[size=109, state=4, num_pkts=6, num_bytes_ip=421, flow_label=0], start_time=1437831787.856895, duration=0.040729, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<felica4uu@hotmail.com>,\x0a<ericlim220@yahoo.com>\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=121, state=4, num_pkts=10, num_bytes_ip=653, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=109, state=4, num_pkts=6, num_bytes_ip=421, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.040729, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<felica4uu@hotmail.com>,\x0a<ericlim220@yahoo.com>\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = RCPT
@@ -277,13 +277,13 @@
                   [5] cont_resp: bool    = F
 
 1437831787.898413 smtp_request
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=156, state=4, num_pkts=11, num_bytes_ip=705, flow_label=0], resp=[size=109, state=4, num_pkts=7, num_bytes_ip=481, flow_label=0], start_time=1437831787.856895, duration=0.041518, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<felica4uu@hotmail.com>,\x0a<ericlim220@yahoo.com>\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=156, state=4, num_pkts=11, num_bytes_ip=705, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=109, state=4, num_pkts=7, num_bytes_ip=481, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.041518, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<felica4uu@hotmail.com>,\x0a<ericlim220@yahoo.com>\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] command: string    = RCPT
                   [3] arg: string        = TO:<davis_mark1@outlook.com>
 
 1437831787.901069 smtp_reply
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=156, state=4, num_pkts=12, num_bytes_ip=792, flow_label=0], resp=[size=117, state=4, num_pkts=7, num_bytes_ip=481, flow_label=0], start_time=1437831787.856895, duration=0.044174, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<felica4uu@hotmail.com>,\x0a<ericlim220@yahoo.com>,\x0a<davis_mark1@outlook.com>\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=156, state=4, num_pkts=12, num_bytes_ip=792, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=117, state=4, num_pkts=7, num_bytes_ip=481, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.044174, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<felica4uu@hotmail.com>,\x0a<ericlim220@yahoo.com>,\x0a<davis_mark1@outlook.com>\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = RCPT
@@ -291,13 +291,13 @@
                   [5] cont_resp: bool    = F
 
 1437831787.901697 smtp_request
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=162, state=4, num_pkts=13, num_bytes_ip=844, flow_label=0], resp=[size=117, state=4, num_pkts=8, num_bytes_ip=541, flow_label=0], start_time=1437831787.856895, duration=0.044802, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<felica4uu@hotmail.com>,\x0a<ericlim220@yahoo.com>,\x0a<davis_mark1@outlook.com>\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=162, state=4, num_pkts=13, num_bytes_ip=844, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=117, state=4, num_pkts=8, num_bytes_ip=541, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.044802, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<felica4uu@hotmail.com>,\x0a<ericlim220@yahoo.com>,\x0a<davis_mark1@outlook.com>\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] command: string    = DATA
                   [3] arg: string        = 
 
 1437831787.904758 smtp_reply
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=162, state=4, num_pkts=14, num_bytes_ip=902, flow_label=0], resp=[size=154, state=4, num_pkts=8, num_bytes_ip=541, flow_label=0], start_time=1437831787.856895, duration=0.047863, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<felica4uu@hotmail.com>,\x0a<ericlim220@yahoo.com>,\x0a<davis_mark1@outlook.com>\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=162, state=4, num_pkts=14, num_bytes_ip=902, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=8, num_bytes_ip=541, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.047863, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<felica4uu@hotmail.com>,\x0a<ericlim220@yahoo.com>,\x0a<davis_mark1@outlook.com>\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 354
                   [3] cmd: string        = DATA
@@ -305,13 +305,13 @@
                   [5] cont_resp: bool    = F
 
 1437831787.905375 smtp_request
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<felica4uu@hotmail.com>,\x0a<ericlim220@yahoo.com>,\x0a<davis_mark1@outlook.com>\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits <albert@example.com>, to={\x0aericlim220@yahoo.com\x0a}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=<uninitialized>, msg_id=<A6202DF2-8E58-4E41-BE0B-C8D3989A4AEE@example.com>, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 End data with <CR><LF>.<CR><LF>, path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[FKX8fw2lEHCTK8syM3]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<felica4uu@hotmail.com>,\x0a<ericlim220@yahoo.com>,\x0a<davis_mark1@outlook.com>\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits <albert@example.com>, to={\x0aericlim220@yahoo.com\x0a}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=<uninitialized>, msg_id=<A6202DF2-8E58-4E41-BE0B-C8D3989A4AEE@example.com>, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 End data with <CR><LF>.<CR><LF>, path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[FKX8fw2lEHCTK8syM3]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] command: string    = .
                   [3] arg: string        = .
 
 1437831787.914113 smtp_reply
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=16, num_bytes_ip=1813, flow_label=0], resp=[size=162, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0], start_time=1437831787.856895, duration=0.057218, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<felica4uu@hotmail.com>,\x0a<ericlim220@yahoo.com>,\x0a<davis_mark1@outlook.com>\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits <albert@example.com>, to={\x0aericlim220@yahoo.com\x0a}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=<uninitialized>, msg_id=<A6202DF2-8E58-4E41-BE0B-C8D3989A4AEE@example.com>, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 End data with <CR><LF>.<CR><LF>, path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[FKX8fw2lEHCTK8syM3]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=16, num_bytes_ip=1813, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=162, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.057218, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<felica4uu@hotmail.com>,\x0a<ericlim220@yahoo.com>,\x0a<davis_mark1@outlook.com>\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits <albert@example.com>, to={\x0aericlim220@yahoo.com\x0a}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=<uninitialized>, msg_id=<A6202DF2-8E58-4E41-BE0B-C8D3989A4AEE@example.com>, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 End data with <CR><LF>.<CR><LF>, path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[FKX8fw2lEHCTK8syM3]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = .
diff --git a/testing/btest/Baseline/scripts.policy.protocols.conn.mac-logging/conn1.log b/testing/btest/Baseline/scripts.policy.protocols.conn.mac-logging/conn1.log
new file mode 100644
index 0000000000..bc2cccd2c5
--- /dev/null
+++ b/testing/btest/Baseline/scripts.policy.protocols.conn.mac-logging/conn1.log
@@ -0,0 +1,43 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	conn
+#open	2016-06-01-23-46-06
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents	orig_l2_addr	resp_l2_addr
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]	string	string
+1300475169.780331	C7XEbhP654jzLoe3a	173.192.163.128	80	141.142.220.235	6705	tcp	-	-	-	-	OTH	-	-	0	H	1	48	0	0	(empty)	00:13:7f:be:8c:ff	00:e0:db:01:cf:4b
+1300475168.859163	CsRx2w45OKnoww6xl4	141.142.220.118	49998	208.80.152.3	80	tcp	-	0.215893	1130	734	S1	-	-	0	ShADad	6	1450	4	950	(empty)	00:24:7e:e0:1d:b5	00:13:7f:be:8c:ff
+1300475168.652003	CJ3xTn1c4Zw9TmAE05	141.142.220.118	35634	208.80.152.2	80	tcp	-	0.061329	463	350	OTH	-	-	0	DdA	2	567	1	402	(empty)	00:24:7e:e0:1d:b5	00:13:7f:be:8c:ff
+1300475168.895267	C6pKV8GSxOnSLghOa	141.142.220.118	50001	208.80.152.3	80	tcp	-	0.227284	1178	734	S1	-	-	0	ShADad	6	1498	4	950	(empty)	00:24:7e:e0:1d:b5	00:13:7f:be:8c:ff
+1300475168.902635	CIPOse170MGiRM1Qf4	141.142.220.118	35642	208.80.152.2	80	tcp	-	0.120041	534	412	S1	-	-	0	ShADad	4	750	3	576	(empty)	00:24:7e:e0:1d:b5	00:13:7f:be:8c:ff
+1300475168.892936	CRJuHdVW0XPVINV8a	141.142.220.118	50000	208.80.152.3	80	tcp	-	0.229603	1148	734	S1	-	-	0	ShADad	6	1468	4	950	(empty)	00:24:7e:e0:1d:b5	00:13:7f:be:8c:ff
+1300475168.855305	CCvvfg3TEfuqmmG4bh	141.142.220.118	49996	208.80.152.3	80	tcp	-	0.218501	1171	733	S1	-	-	0	ShADad	6	1491	4	949	(empty)	00:24:7e:e0:1d:b5	00:13:7f:be:8c:ff
+1300475168.892913	CPbrpk1qSsw6ESzHV4	141.142.220.118	49999	208.80.152.3	80	tcp	-	0.220961	1137	733	S1	-	-	0	ShADad	6	1457	4	949	(empty)	00:24:7e:e0:1d:b5	00:13:7f:be:8c:ff
+1300475168.724007	CXWv6p3arKYeMETxOg	141.142.220.118	48649	208.80.152.118	80	tcp	-	0.119905	525	232	S1	-	-	0	ShADad	4	741	3	396	(empty)	00:24:7e:e0:1d:b5	00:13:7f:be:8c:ff
+1300475168.855330	CjhGID4nQcgTWjvg4c	141.142.220.118	49997	208.80.152.3	80	tcp	-	0.219720	1125	734	S1	-	-	0	ShADad	6	1445	4	950	(empty)	00:24:7e:e0:1d:b5	00:13:7f:be:8c:ff
+1300475168.891644	CMXxB5GvmoxJFXdTa	141.142.220.118	58206	141.142.2.2	53	udp	-	0.000339	38	89	SF	-	-	0	Dd	1	66	1	117	(empty)	00:24:7e:e0:1d:b5	00:13:7f:be:8c:ff
+1300475170.862384	Caby8b1slFea8xwSmb	141.142.220.226	137	141.142.220.255	137	udp	-	2.613017	350	0	S0	-	-	0	D	7	546	0	0	(empty)	f0:4d:a2:47:ba:25	ff:ff:ff:ff:ff:ff
+1300475168.853899	Che1bq3i2rO3KD1Syg	141.142.220.118	43927	141.142.2.2	53	udp	-	0.000435	38	89	SF	-	-	0	Dd	1	66	1	117	(empty)	00:24:7e:e0:1d:b5	00:13:7f:be:8c:ff
+1300475168.854378	C3SfNE4BWaU4aSuwkc	141.142.220.118	37676	141.142.2.2	53	udp	-	0.000420	52	99	SF	-	-	0	Dd	1	80	1	127	(empty)	00:24:7e:e0:1d:b5	00:13:7f:be:8c:ff
+1300475168.857956	CEle3f3zno26fFZkrh	141.142.220.118	32902	141.142.2.2	53	udp	-	0.000317	38	89	SF	-	-	0	Dd	1	66	1	117	(empty)	00:24:7e:e0:1d:b5	00:13:7f:be:8c:ff
+1300475173.117362	CwSkQu4eWZCH7OONC1	141.142.220.226	55671	224.0.0.252	5355	udp	-	0.099849	66	0	S0	-	-	0	D	2	122	0	0	(empty)	f0:4d:a2:47:ba:25	01:00:5e:00:00:fc
+1300475167.097012	CfTOmO0HKorjr8Zp7	fe80::217:f2ff:fed7:cf65	5353	ff02::fb	5353	udp	-	-	-	-	S0	-	-	0	D	1	199	0	0	(empty)	00:17:f2:d7:cf:65	33:33:00:00:00:fb
+1300475168.858713	CzA03V1VcgagLjnO92	141.142.220.118	59714	141.142.2.2	53	udp	-	0.000375	38	183	SF	-	-	0	Dd	1	66	1	211	(empty)	00:24:7e:e0:1d:b5	00:13:7f:be:8c:ff
+1300475171.675372	CyAhVIzHqb7t7kv28	fe80::3074:17d5:2052:c324	65373	ff02::1:3	5355	udp	-	0.100096	66	0	S0	-	-	0	D	2	162	0	0	(empty)	f0:4d:a2:47:ba:25	33:33:00:01:00:03
+1300475167.096535	Cab0vO1xNYSS2hJkle	141.142.220.202	5353	224.0.0.251	5353	udp	-	-	-	-	S0	-	-	0	D	1	73	0	0	(empty)	00:30:48:bd:3e:c4	01:00:5e:00:00:fb
+1300475167.099816	Cx2FqO23omNawSNrxj	141.142.220.50	5353	224.0.0.251	5353	udp	-	-	-	-	S0	-	-	0	D	1	179	0	0	(empty)	00:17:f2:d7:cf:65	01:00:5e:00:00:fb
+1300475168.892037	Cx3C534wEyF3OvvcQe	141.142.220.118	38911	141.142.2.2	53	udp	-	0.000335	52	99	SF	-	-	0	Dd	1	80	1	127	(empty)	00:24:7e:e0:1d:b5	00:13:7f:be:8c:ff
+1300475168.893988	CkDsfG2YIeWJmXWNWj	141.142.220.118	45000	141.142.2.2	53	udp	-	0.000384	38	89	SF	-	-	0	Dd	1	66	1	117	(empty)	00:24:7e:e0:1d:b5	00:13:7f:be:8c:ff
+1300475168.854837	CUKS0W3HFYOnBqSE5e	141.142.220.118	40526	141.142.2.2	53	udp	-	0.000392	38	183	SF	-	-	0	Dd	1	66	1	211	(empty)	00:24:7e:e0:1d:b5	00:13:7f:be:8c:ff
+1300475169.899438	CRrfvP2lalMAYOCLhj	141.142.220.44	5353	224.0.0.251	5353	udp	-	-	-	-	S0	-	-	0	D	1	85	0	0	(empty)	00:16:76:23:d9:e3	01:00:5e:00:00:fb
+1300475173.116749	Cn78a440HlxuyZKs6f	fe80::3074:17d5:2052:c324	54213	ff02::1:3	5355	udp	-	0.099801	66	0	S0	-	-	0	D	2	162	0	0	(empty)	f0:4d:a2:47:ba:25	33:33:00:01:00:03
+1300475168.858306	CUof3F2yAIid8QS3dk	141.142.220.118	59816	141.142.2.2	53	udp	-	0.000343	52	99	SF	-	-	0	Dd	1	80	1	127	(empty)	00:24:7e:e0:1d:b5	00:13:7f:be:8c:ff
+1300475168.894422	CojBOU3CXcLHl1r6x1	141.142.220.118	48479	141.142.2.2	53	udp	-	0.000317	52	99	SF	-	-	0	Dd	1	80	1	127	(empty)	00:24:7e:e0:1d:b5	00:13:7f:be:8c:ff
+1300475173.153679	CJzVQRGJrX6V15ik7	141.142.220.238	56641	141.142.220.255	137	udp	-	-	-	-	S0	-	-	0	D	1	78	0	0	(empty)	00:23:32:b6:0c:46	ff:ff:ff:ff:ff:ff
+1300475168.892414	ClAbxY1nmdjCuo0Le2	141.142.220.118	59746	141.142.2.2	53	udp	-	0.000421	38	183	SF	-	-	0	Dd	1	66	1	211	(empty)	00:24:7e:e0:1d:b5	00:13:7f:be:8c:ff
+1300475171.677081	CwG0BF1VXE0gWgs78	141.142.220.226	55131	224.0.0.252	5355	udp	-	0.100021	66	0	S0	-	-	0	D	2	122	0	0	(empty)	f0:4d:a2:47:ba:25	01:00:5e:00:00:fc
+1300475168.902195	CisNaL1Cm73CiNOmcg	141.142.220.118	55092	141.142.2.2	53	udp	-	0.000374	36	198	SF	-	-	0	Dd	1	64	1	226	(empty)	00:24:7e:e0:1d:b5	00:13:7f:be:8c:ff
+1300475168.894787	CBQnJn22qN8TOeeZil	141.142.220.118	48128	141.142.2.2	53	udp	-	0.000423	38	183	SF	-	-	0	Dd	1	66	1	211	(empty)	00:24:7e:e0:1d:b5	00:13:7f:be:8c:ff
+1300475168.901749	CbEsuD3dgDDngdlbKf	141.142.220.118	56056	141.142.2.2	53	udp	-	0.000402	36	131	SF	-	-	0	Dd	1	64	1	159	(empty)	00:24:7e:e0:1d:b5	00:13:7f:be:8c:ff
+#close	2016-06-01-23-46-06
diff --git a/testing/btest/Baseline/scripts.policy.protocols.conn.mac-logging/conn2.log b/testing/btest/Baseline/scripts.policy.protocols.conn.mac-logging/conn2.log
new file mode 100644
index 0000000000..203353805e
--- /dev/null
+++ b/testing/btest/Baseline/scripts.policy.protocols.conn.mac-logging/conn2.log
@@ -0,0 +1,11 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	conn
+#open	2016-06-01-23-46-07
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents	orig_l2_addr	resp_l2_addr
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]	string	string
+1439902891.705224	CXWv6p3arKYeMETxOg	172.17.156.76	61738	208.67.220.220	53	udp	-	0.041654	35	128	SF	-	-	0	Dd	1	63	1	156	(empty)	90:72:40:97:b6:f5	44:2b:03:aa:ab:8d
+1439903050.580632	CjhGID4nQcgTWjvg4c	fe80::a667:6ff:fef7:ec54	5353	ff02::fb	5353	udp	-	-	-	-	S0	-	-	0	D	1	328	0	0	(empty)	a4:67:06:f7:ec:54	33:33:00:00:00:fb
+#close	2016-06-01-23-46-07
diff --git a/testing/btest/Baseline/scripts.policy.protocols.conn.mac-logging/conn3.log b/testing/btest/Baseline/scripts.policy.protocols.conn.mac-logging/conn3.log
new file mode 100644
index 0000000000..620afe04ee
--- /dev/null
+++ b/testing/btest/Baseline/scripts.policy.protocols.conn.mac-logging/conn3.log
@@ -0,0 +1,1342 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	conn
+#open	2016-06-07-00-54-15
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents	orig_l2_addr	resp_l2_addr
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]	string	string
+826191058.128321	CXWv6p3arKYeMETxOg	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826191118.129144	CjhGID4nQcgTWjvg4c	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826191178.297416	CCvvfg3TEfuqmmG4bh	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826191238.140114	CsRx2w45OKnoww6xl4	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826191298.137032	CRJuHdVW0XPVINV8a	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826191358.243247	CPbrpk1qSsw6ESzHV4	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826191418.144505	C6pKV8GSxOnSLghOa	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826191478.189218	CIPOse170MGiRM1Qf4	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826191538.242710	C7XEbhP654jzLoe3a	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826191598.142982	CJ3xTn1c4Zw9TmAE05	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826191658.206258	CMXxB5GvmoxJFXdTa	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826191718.141676	Caby8b1slFea8xwSmb	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826191778.139555	Che1bq3i2rO3KD1Syg	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826191838.160870	C3SfNE4BWaU4aSuwkc	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826191898.207550	CEle3f3zno26fFZkrh	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826191958.161501	CwSkQu4eWZCH7OONC1	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826192018.156454	CfTOmO0HKorjr8Zp7	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826192078.143576	CzA03V1VcgagLjnO92	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826192138.157070	CyAhVIzHqb7t7kv28	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826192198.209621	Cab0vO1xNYSS2hJkle	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826192258.213369	Cx2FqO23omNawSNrxj	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826192318.168316	Cx3C534wEyF3OvvcQe	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826192378.142768	CkDsfG2YIeWJmXWNWj	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826192438.145514	CUKS0W3HFYOnBqSE5e	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826192498.211725	CRrfvP2lalMAYOCLhj	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826192558.254519	Cn78a440HlxuyZKs6f	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826192618.151880	CUof3F2yAIid8QS3dk	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826192678.152689	CojBOU3CXcLHl1r6x1	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826192738.148612	CJzVQRGJrX6V15ik7	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826192798.184559	ClAbxY1nmdjCuo0Le2	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826192858.168774	CwG0BF1VXE0gWgs78	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826192918.151045	CisNaL1Cm73CiNOmcg	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826192978.149902	CBQnJn22qN8TOeeZil	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826193038.200491	CbEsuD3dgDDngdlbKf	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826193098.159328	Cktvtw2VqwbTG0OgWk	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826193158.151344	CKfF8L3XSsgT2WYDN	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826193218.158016	CHrnr1115j0JRSXjG6	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826193278.162718	Cnkr172qPtDAaK7Xd	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826193338.440718	CcxZj6188NwHGl3a16	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826193398.155563	CUqYZc2XzbfnZKbgT	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826193458.258855	CVdnYXVEtNT1lQVL6	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826193518.163043	CbNmy32YFt3gdIjV8	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826193578.166776	COTmF91mGWcb4zV7W5	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826193638.349114	CuChlg202P8sUFuXrg	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826193698.277702	CZTTFm2GrMAs8leAyl	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826193758.259000	CV23rC3tBHfPhMUPtf	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826193818.167095	CkaPGx2P0Y3W5aHVFk	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826193878.266468	CY93mM3aViMiLKuSw3	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826193938.404902	CXgISq6dA2DVPzqp9	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826193998.202719	CZsZpw11dKq1lfKlZ2	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826194058.784259	CEUVdwlDjueJrpLM8	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826194118.356593	CC2xVC1BsV6nQpv5td	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826194178.167100	ClJyiY2z7Q7sBqiVzi	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826194238.165957	Czho5e46i7wHP90KYc	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826194298.195067	COR5A63SA18oL2dIai	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826194358.251498	CeuBcl4xzXkMhlzGId	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826194418.279634	Czn9fX2lxI5uFY1wPi	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826194478.176984	CvCU1d4iH1bbE8SoIc	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826194538.254895	CsXsN73WB1i2whLmUh	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826194598.272308	CIoUpm46m1BK32ruC3	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826194658.273130	CfZDpnMpZDRjkQ2v9	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826194718.258333	CLwZWs1XFcOM7iBjU2	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826194778.255249	CEhezzjBpxfv5AJH8	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826194838.176031	CICTgG1vKwtb1AfTcj	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826194898.187592	CnoRv74nedHEdmyjkd	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826194958.284053	CTTMY13eLdwxQmEUei	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826195018.191134	CQufzi4kimwu0vXvrc	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826195078.186092	CK6jRb3kTdEuLIHF79	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826195138.181047	CPG1ty16AqUcV0xR04	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826195198.277505	CRoZFixWa6KOZLbn8	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826195258.191452	Cwsx7K1jndYspVAcb3	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826195318.276192	Ci4nvvIq18BcUgo39	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826195378.246741	CnPuEB14MpNlYOLzW3	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826195438.187041	C7eoRlrwCUo9pqyt8	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826195498.328394	CuWDuG1ldpCSGAVyh3	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826195558.260878	C6npSrR6rnQ7mGXVi	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826195618.192392	C7RRQ84J0tIGqljo3d	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826195678.183445	C7IRj33SI5yaZ4hVti	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826195738.336498	CiwtDh4K6dTM7OTwGc	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826195798.190914	CilBVa3bdrx6FGk4m6	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826195858.193703	CLptx82v1x9lXWSsf1	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826195918.289198	CNd3MSw9PkrXt85E5	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826195978.194311	CiwZIk2awvs5Da4Yr	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826196038.286860	CGz2461mxmzf9ZOrYl	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826196098.237900	ChmVrx3oarFtAtSK5g	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826196158.192843	C3QcSr2ZDlx00fzYXk	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826196218.198534	C6ckYH3BVvJkFjfNaf	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826196278.201302	Coq8iB2G27UVtNDwHl	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826196338.294847	CZp0Ny3Sci9r9VmPOf	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826196398.194157	ClAddt27pKadxnuZcl	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826196458.194955	C4CB2H39KpiLwHQNpf	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826196518.242601	CkFlmA2VbK9DQjDMh6	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826196578.363462	CvuSIb2fIsN0QNvbb1	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826196638.194463	CTDwXVm5qFJDYrrK5	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826196698.220656	Cw016h2Uk8ozHfHky	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826196758.207790	C8h8r219Kcd7Qhf9Bj	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826196818.238833	CLRhD04hgYZ2LljWNd	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826196878.202555	CbUiXT20nARAkjcWyk	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826196938.212156	CgPXxP3awPwR4HdgGe	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826196998.239313	Cs0UXJ2AKbeDpznU07	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826197058.200122	C1U2422CLc05y6VOO1	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826197118.310249	CtbToNN3O5ggtSzL7	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826197178.309093	Cu0srQ1zE3BSaHsXE2	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826197238.207420	C29nGAWKV25sTfh57	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826197298.208237	CHmxRY1mkAc2vdtbT1	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826197358.217839	CFijcKtqhEtpWJiF7	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826197418.275266	Cy3k3U15czjykz0Gy2	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826197478.334646	C0ZaiEfSAoyJqB9Sj	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826197538.212478	Ctl6hZ3pLbhz1SZW4e	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826197598.225962	CbHbBS2a3uc3D8s0kk	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826197658.309739	CAWzsQ3AUXwrrgNkre	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826197718.241266	CWiASK2R7hE5BMlGM9	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826197778.378715	CbmR1s1hnNK1wB8IA4	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826197838.344394	CnFlpdUGqJIXGywua	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826197898.249569	C6hSNf1GjVURlYLGn5	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826197958.398725	CgN212ez9UUCZpPg	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826198018.215078	CFDWEA44fyn4GIk02b	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826198078.218834	C5AlXt3x47CXmEj2Qh	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826198138.216728	CEQ1bq4jvr9p3heuXb	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826198198.217548	CeAKDk3anMWzMjHq6h	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826198258.267159	CffQiz4OH9EIPbI0jb	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826198318.222088	CjQaBs3TaKx7BoP6Bh	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826198378.269737	CETH5r49H1ZfUqqyIb	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826198438.216854	C0qmyl3BUuMa84V2R9	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826198498.219601	CXhiPo1fBTeIPf25F4	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826198558.233108	CzUQcacvfNHZJ2foa	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826198618.222208	CARFpj1a6gyK2Mzph5	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826198678.234721	CMyUC3B0rVjnqXR19	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826198738.223849	CRLItB1D3XlY5yv6V3	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826198798.377868	C7BaGlknAyAdmsmu8	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826198858.273279	CmPEOG12Gncl7K0qi3	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826198918.231128	CCGYbsk0RG54jkrXi	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826198978.225059	Cv0a294ivSdFzxmU4d	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826199038.226843	CvLzu33F5KubhDu4ti	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826199098.229611	CQEXjh4VZLc90BwIFc	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826199158.229450	CYnvBa3CSLJfi7gHdj	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826199218.227329	CXzSP74qmnBmR5Cald	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826199278.340384	C7wmi23RGI4PAujodi	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826199338.231893	CMJtoi4zHedsHPF2qc	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826199398.231727	CcM5Gb3Ztt5UCaUO69	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826199818.339795	CX3w9y11jG0BmH8304	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826199878.341563	C7GTliGZcItGRoFo8	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826199938.340438	CeQPiK1CfZo9u2DIc3	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826199998.238772	C0m5GvLYevJLZfIGl	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826200058.240561	CvBUsy3L8jgHNCyYNf	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826200118.239417	Cn8ITs2ypaCXFZwvel	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826200178.241203	CaOjdH3irspWEPshrf	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826200238.243969	COdExA2yyszwFSHDi6	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826200298.255520	CRWr2c2aggkuhUvZb1	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826200358.245608	CfWxhWnRT2tM7bYI5	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826200418.241558	CewNUg2TL9nV2XlOw	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826200478.379987	CICmg21s0hKTnHoAn6	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826200538.687256	CpjbI82qhfplFtwWg1	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826200598.867643	CPtlXSZ1pQCS5MgD5	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826200658.261374	C6pTok2zMSb6Vhh7r	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826200718.287570	C0PwK517hjECvdzYWl	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826200778.408439	CFDHgx3bNFYG9gye4g	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826200838.424863	CjXqHr2Cgm8t6UEPYk	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826200898.441277	CSpThI3olHJ0owgBbf	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826200958.658763	Cau9CB2V33hWWsV777	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826201018.254540	CNiE6Z1BPj4sniIZU1	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826201078.268039	ChB0sKwI8enRpJ9E7	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826201138.255207	CUpPET1kO9mDKyzux2	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826201198.275551	CKHgUDcPgsC4xHlQj	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826201258.252935	Ch6u1Z3cHdk7Yv163e	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826201318.289854	CZh1mS2NA0Ki3m9clk	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826201378.426313	CWcyQQ3HtVSy52qtse	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826201438.335369	Cap0hL2AYXXzmQf0Aj	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826201498.320561	CNZMe04IoyvkfqTKMd	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826201558.320384	CBoozT2D2L47gZSMAk	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826201618.267492	CMw4NP3bEm0aoSt4Ie	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826201678.371750	Cu4BdK2rpUFggb6627	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826201738.266200	CVR0s229SgYWCgzXP1	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826201798.263102	CfZiNN2IlcooZZLJ7	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826201858.260975	CAsPbQ1w1d4hUKv6D2	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826201918.266689	C8rcrAfnc9O4Zlz7h	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826201978.271412	CpXfHz4dYKTe64qckb	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826202038.344449	CZY8Zs3eMu4t1YSfzh	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826202098.825455	C06xQq4QPdpVFcxKGb	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826202158.956074	C03Kil3oUyhFdXvRP9	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826202218.304913	CDCnro1uDTDx6o2WD4	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826202278.282291	Cf9mO93yeqSkKj3qa	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826202338.312374	CKLmFj1RJIAdZ0ggj5	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826202398.465444	C4n1S3GuAkVJfoPK9	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826202458.270082	C7NGMr1AxiXo0heUy4	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826202518.370443	CXwJ9dhg6zm2hcFva	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826202578.275607	CAdicg1bJR5roLsSo5	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826202638.285208	Cga1pZJroDCdfeRg	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826202698.272334	CxQDUA4J5apSYxZQ3b	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826202758.277055	C5Hscu3qbfSlS8TQOh	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826202818.279800	CMt7Np4Q4q1vK0dlWb	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826202878.415282	Cm7gfk3MJNXAhVq1h4	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826202938.279472	C9DzzhiOGdHpFon4a	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826202998.275417	CDP1io1bPYBhSpjQY4	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826203058.292814	CW3Rl5vvccNvthnRa	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826203118.283859	CknrTa1nMdpFlTRJlb	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826203178.277842	CPwBMp3dnuNQANjGxg	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826203238.279637	CXJhpE40k9GY3mrnmc	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826203298.293148	CC9pif3mdp8fcWS8th	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826203358.339838	CYfX5v4JmVkSlmtKAb	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826203418.287944	CFKOQo3DVdkfZQeHMg	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826203478.446865	C1bztD44LLvfaSVr5c	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826203538.287610	CWSpDg3ghEZEZFHdch	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826203598.284519	CEk2rw4CBigRu54on4	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826203658.453200	CvjFWdEMGrbX4IJaa	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826203718.292998	CXk3Fk1dDBBgilWyU4	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826203778.296740	C4tkx8BNVk3a2A5Na	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826203838.288761	C2tQ4e1QahbzxhMs7e	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826203898.288604	CBGRKP2kwBhIH7BCjj	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826203958.306005	Cfwip44hLKLZ0K3h5f	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826204018.302916	CY7hFE2BDcvhY2gVbk	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826204078.295923	CscbqU3LhOx28pLfv1	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826204138.292825	CbDOBRjRUjsITPti7	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826204198.293633	CphuhY1Ena6qVS0Uf2	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826204258.303229	CAjvZFqMRQckVHD88	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826204318.297196	CQIHyL1nwLxLW86CB1	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826204378.332142	C1VQYNNZQEQveuQo7	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826204438.374915	ClMAEU1qlXll7MfCb2	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826204498.296670	CK7UaJ670evC1hm48	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826204558.295509	CuSaKO1y6PTacFItme	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826204618.307043	CbU9PO2kNTP4jLdDyj	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826204678.296142	CFywt34JAS9OmOOlOe	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826204738.304744	C6Vl0G2t2wi8WJGZUj	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826204798.310410	CiGbLV3qJF5Jhe7pS	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826204858.301417	C9MNEXQCmKe6gQ7L6	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826204918.303191	Cxvle32RjTdhNBAoa	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826204978.324493	CyoAQ91BPuD93VgEX5	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826205038.300903	Ceh3wg27r9dXJvSLsg	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826205098.305623	C3JZZm2FGxhVZE2rzl	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826205158.322052	CBvyKC3ojiLSRcSjsf	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826205218.303340	CGY6wx2i2sGZh55sEk	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826205278.385157	COBKaM3BbFD1sA4Qdg	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826205338.307892	CVzBUn2fmzhTmuyvkl	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826205398.364345	CvxeFD363pIduBfkJf	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826205458.311479	CSfW9w2kgrZVGQMsVk	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826205518.310351	CqcEOK3Ql0kPPWU7M	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826205578.312118	CLyFg11AfES1hokQE6	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826205638.310976	CV49Q62vxqoEzbuLe	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826205698.312761	CIE5E611sqhv7hQ026	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826205758.334077	C2cujd2eKqhe1lVcHd	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826205818.418825	CRdR3X2ghSHMNJYZNi	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826205878.319114	CFycRc43JpunQyEfJc	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826205938.317005	CcOY68337Zrsws8bVh	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826205998.320749	Csl0Km4X8CsMysK0E3	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826206058.316670	Cr2qAndvYwqty6ww9	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826206178.372932	Cj9d8t1A2xPRxjzvT2	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826206238.321042	C4odfzOb3LtXTuSG8	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826206298.327724	CCikXF1rXCR8bgiJx3	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826206358.322675	CnTdcrNWdBU96Yeq9	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826206418.433774	Cpb5Kw1Y9QC2ml7SX2	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826206478.335035	CmwD2woLbEJ8jnfL8	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826206538.446151	CcKOKC1k80YuQPuhsd	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826206598.357171	CjxxYX26NtyvDDe4zi	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826206658.324795	C1FOLd474Dm7YZkg0d	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826206718.330487	CiCRK63B3QHHyGubci	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826206778.331300	C4OOnl4AOezhRdlyzc	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826206838.371150	CDN49a3SxUzHDEsfsi	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826206898.501767	CVnPIf4z8hT57h7pcd	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826206958.338610	CoDsF33JTB8qxvBAZi	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826207018.353094	CMkGla4NClp7QrYzo3	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826207078.357820	CvZoEsffdD12uAbv8	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826207138.439665	Ch7RpI1eAolqtasBN3	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826207198.330243	CwngvlUb0WVCpHIZ8	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826207258.399375	C4ofaA1JnecOoJlz93	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826207318.339670	C7YaAtJtUjpdbEag8	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826207378.337548	CFSylJ1CNTHAFo1x44	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826207438.341279	CIUfakQk2M47qWDg9	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826207498.337215	CUzaPy1GwnuNdOGbtc	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826207558.342907	CJjYLd3iEq47FZ7Tli	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826207618.357377	C35Nlj4lKIAFY5yGgd	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826207678.467498	CMuZt03Bw4cBbHmS3j	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826207738.447804	CAvha74acJ5ddiajF	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826207798.341241	C70Gd31Koxc10Xb7M5	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826207858.349856	CL5G0j2fFLbFIkCa21	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826207918.418989	CSTWBV9snOrJID9e6	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826207978.339771	CEX4ea21BqSJDiIMif	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826208038.347415	CfenAz2X4YKhEQfmbl	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826208098.425324	C9op7F3Kz8P9c2BNXf	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826208158.352927	CcCmzt2SbrAdnQ8cLl	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826208218.344948	C6OghA3dIhA7gOoqcf	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826208278.344772	CXJldD2FQZC7hLCZ4l	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826208338.350459	CLGjKI3GMd5OHoi52g	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826208398.352240	CwxXnq2wt1enNZvtPl	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826208458.448653	CWnN5x3CnWzPY9fiq	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826208518.346965	C5Ao9414K7mLPyA6x5	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826208578.371204	CTQsWj29fzOi5wN5j1	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826208638.382748	CeQRgUtXRwath95v6	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826208698.354276	Cid4T82iGqdKGe3iye	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826208758.393143	CF1oFL22c8HVQ5zHlk	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826208818.351978	CVSWmS33bp2O5etXVd	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826208878.364498	CkQjfS2xk3F22VovOj	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826208938.434595	CiMyMX3LMcQ3DZeGr2	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826208998.354384	C5rUvDBJcvjWuiED7	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826209058.435227	CjNn8S16hdtmhgu822	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826209118.356985	CgkIyK6zRn3dV7Y87	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826209178.536399	CUBvl02V21EqDaZBG2	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826209238.366407	CHjiBC3DEeUgVIzS7	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826209298.357460	CTuHdR1YXgef5788L1	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826209358.367044	CCQTULgdThdfprXR6	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826209418.459570	CQOCH12omvIcQLbzEe	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826209478.362786	CxYv3I2YmnNzod1Zrk	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826209538.816451	C139LO376X4xKTAARd	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826209598.447358	CInPrV2Fl5JUnOQ8Kj	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826209658.373018	C2F8Z042L1LTO5osa5	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826209718.371878	CjV5Q2KJqqVSt1yma	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826209778.369758	CVHhvh1TwMdv4cD4O4	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826209838.378365	CCQHyatlmPHghdHU9	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826209898.371356	CKDOjq1PPhm7CigyPb	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826209958.412180	Cb3Ckm3VYL4vcxmLCh	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826210018.593545	CzWC0t4a0VsGnrL3ab	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826210078.395223	CUTKes3SAFQorZUJ2h	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826210138.522899	CEMQOx4xbX0jhfMPVb	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826210198.386118	CLsOIi3993zrOJy2Jh	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826210258.375204	CZaLop46L2xh9acH5b	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826210318.372116	C4Yjrv30s7k2Pk1nYg	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826210378.373906	Cwxl1B4gf3D3ilSnp5	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826210438.392281	CnSpV14BiDKkkPtBa	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826210498.466302	C5SFAg11m5IEvvV3x4	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826210558.373412	CYeOUbh49reONPGD9	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826210618.381066	CAnZFr17EJcewSFkoh	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826210678.444343	CZShdt4JDwb7WXqdcc	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826210738.786745	CjWiye3mTvIfctraBg	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826210798.378604	C2uFzG4GPp06r6Pyub	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826210858.393065	CoidOq3wnAPBPbDbWa	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826210918.388978	C9eaMc1mSP0TPC8095	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826210978.524464	CTsW56zbo14NFkT0a	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826211038.380818	C8vG7m1d2YuTzzdc84	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826211098.456790	CIYVxg2vcVAjDDVFa	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826211158.595216	CborYd18apB2gkPJS4	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826211218.386167	CLr9i7PAaoWT3xzga	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826211278.396726	CKdb3l1VbJBojA5Sn4	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826211338.568337	C2omtfF6Y0vYnFnjh	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826211398.491118	Cnkuxw4D7gFDn4Kg7c	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826211458.395342	CNAzSh3klUFaadwRGg	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826211518.504492	CIgv5D44xDKNu3egAb	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826211578.416483	Cyq7kn3Vo9BLZgwsa8	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826211638.390960	CHoRNM1lGURDXKY3n2	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826211698.525482	CbhX5GMxL0oLKAZh7	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826211758.535067	CaVMKW1e001LBU2qp1	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826211818.464624	CSGKdRmzJCL1S86ak	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826211880.427357	Chd0bT3eL2Y2Sb77Ye	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826211938.496475	C75SyE2ZrLLn4tC6kj	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826211998.412364	CMCZV54HqcMEq6Bide	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826212058.558577	CwBZ8Q2uioBeBNv95k	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826212118.608187	Cf7hvW3ULZckMmaaTe	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826212178.505544	C3O4TH2Pz6BHxf0Opj	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826212238.398986	CmWSr24zRQpF7wEZie	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826212298.417363	CGBOEM2tlOL0yNgcU7	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826212358.419147	C3D40O1tt5juTR2O62	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826212418.567316	CLIeiHiV9X3UArFx7	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826212478.954585	CUvcGV148xjasYd6F1	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826212538.490773	CYCe9QjvWHe7wjXIk	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826212598.433975	C1ZOYN3bDncEKbG7Cf	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826212658.488438	CfL1cy245SzoEgxgwl	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826212718.422866	CWlUEA3qSWAbMqtikg	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826212778.479312	CQVq2m2C1McDDNY8T5	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826212838.407898	CzuWHe2YA3bi8M2B	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826212898.595122	CJuHa91zSVgtp0diO6	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826213138.524203	CebWj52Vt87fOtHS01	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826213318.422154	CQnnCYoNfERUepu96	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826213378.462951	CvNCud2wFm7zqC9Wg	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826213438.435434	CzAjX71l4w2Ou7xHy6	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826213498.448913	CU7qn6296zVuNnHhL	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826213558.431157	C2ZMFZlFEqony7ZNk	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826213618.429994	ClCrDK3PiOfl4YN9Hf	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826213678.421046	CJzIQu2M8BxeprkEql	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826213738.417958	CMzU7E3Ov1ZGUYAGeg	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826213798.461704	CYsvvp2fWGtYAq3IE8	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826213858.459578	ClA6EE1TGliuGaU1M2	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826213918.542352	CZL04zy7EqSe6Dmx9	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826213978.451395	Cm07Ju12tAq7vzw9K3	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826214038.428786	CA263oUZJdS4KNlXh	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826214098.423739	Cjje3o4EXLprJmdJQc	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826214158.438205	CNr7i83DXFoMH0L9Ni	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826214218.450701	C41kgb4FmP08NU74Bd	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826214278.423204	CQi8BW2ybWDqZGWn2i	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826214338.476713	CnWVHk4AY7p6gJ2LVc	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826214398.556580	CDRKW43XqtR9IJOxHi	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826214458.448105	CIioJe4NpOh46qRrvd	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826214518.471366	C8f84033LgxFtrb3V8	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826214578.803035	CLuJqD1hyXfFeWln23	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826214638.471966	CrRHQxiuXo96bzLh9	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826214698.459073	C4mwMv1Ccgqp81Nyu3	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826214758.622869	CIHz6p5CM2tJog7Ea	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826214818.450923	CdCIId1L16IwlPmTQ4	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826214878.554209	C32537OMTPj2VKKha	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826214938.443726	CAX2rl1UN1cmKbe1p4	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826214998.442581	C0uSRfiTXBYiAvelh	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826215058.447292	CdgDMw4wcT09E2R49c	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826215118.470537	Cnme8i3JhBNA5iGIFg	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826215178.443043	C4D2HC4N997iWUE4zb	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826215238.472167	CwCaWm38vTzjAESvph	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826215298.434914	C9R9Bt4CEv4ziuymdc	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826215358.444512	CBgPWe3RyIC9b83mzg	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826215418.593672	CEWWjG4XFDBY5vlIsb	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826215478.442217	Cg79zq3jay5nkSL2Va	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826215538.446917	CXSHnc1BBm8WQ5yO75	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826215598.440880	CjXZH5QUDWMks9K2a	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826215658.447537	CGJPmm1yDWsh38j0a4	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826215718.497136	C03BNgzwNu1DPUX3k	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826215778.541854	CrIk7W31tdObjSj1Se	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826215838.718352	CZiCuH2w8iuPLn5Crj	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826215898.652795	Ci7yH24UO0cfg7uQke	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826215958.455473	CuGXTM2QTwaeyznlV7	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826216018.446512	Cf8BoO162aGjE9gZ72	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826216078.459038	CbB6GHhGpdtYfXOv7	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826216138.454975	Cyv8rV1dUkJNE8QhD1	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826216198.451877	CYZvTPcyEX5vvCgc8	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826216258.478050	C3lw3N1sEiPMnsPUo2	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826216318.508142	Cp76lGXese21S0Og7	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826216378.615328	C2iQmW1jUKjgmvdho1	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826216438.513650	CuXhPQ9WpvVJWFf8k	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826216498.455902	CdUVVS3ZImi4ILKiWe	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826216558.506493	Cp99jE2Qh5jqEDKflj	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826216618.627343	CwPvk64WwCUwLMPtee	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826216678.455377	CubRwQ27Ua5UWkRXa6	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826216738.463003	CpdTFd2JrPnMYbmsi	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826216798.484306	CdU3881mJlhwwNyQx6	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826216858.464603	CexS362iNtQpIwttK	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826216918.457605	CeiJlZOsZflpbgtMk	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826216978.463284	CRlMsK36ULVNP63GFf	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826217038.656359	CtGoFu29Gv3YXtOsrl	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826217098.472702	CWf2sE3RqnRTCwbxfg	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826217158.458863	CuwYOp2MSXmNVBm6Ik	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826217218.685135	CD5hFN3QgeaDsKtjBf	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826217278.460500	CJLXRx2VrPCb7L0Kxl	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826217338.809744	CotaQA3DwxLMKoHOlg	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826217398.468952	C2Xadm2tUpkfDWtXT5	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826217458.473659	C9W32f2rDo2ahqEr1	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826217518.644301	CFjau91wtkzCvImMM6	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826217578.554358	CqGg952Og4YgEHXoZ	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826217638.574699	Cgg3rYxadZzJUxe3i	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826217698.468159	CXRo1l4Ngz1gHGyzWc	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826217758.628043	Ct9Sg53awZHdIw44Gi	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826217818.476557	CUh4ye4yQkeLnX1Wtd	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826217878.468586	CsAsTZ2K13ORrgYeU8	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826217938.582596	C1GF6D1AyjZu7xpw13	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826217998.477002	CrS9xxv8aoXRoMhj9	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826218058.883849	CaygXv1BBQGer1h2w3	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826218118.482549	CqJPhpsh7Ni1PheD8	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826218178.482392	CZRMsE1wZRZ4oj3wK2	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826218238.474417	CLplTyNA8LmlUcdy9	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826218298.507434	CEeA2v1ztZEPi71YK3	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826218358.560950	C8Ddnov4m8JCSZRYh	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826218418.478818	CJJYdo49bGjGOhGcSc	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826218478.483546	CPHnt83EYGrGoJwlMi	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826218538.483389	CUqgWa4eTFTropadAd	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826218598.558389	CqyAhW2iUGLVKXyna3	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826218658.787580	CbNeUtU9ozj3DA1h8	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826218718.583409	C7S6FJ1XVjDApcO034	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826218778.619355	CkJvZj7FjcuVrsaf9	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826218838.509870	CMyUDy1ttijSND5lsc	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826218898.485297	Ctovsd39lWPKW4C4li	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826218958.502698	CFNF1j4A6VYjukiaid	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826219018.634278	CiwjF034EFlc1cco5j	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826219078.491595	CQaXk749M32a2892yc	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826219138.488486	CFnkY93jtQULSMZLqi	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826219198.592761	Cd8zxf4QpkRpxAlddd	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826219258.492052	C8ewZ33KIAuTr2zr0j	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826219318.490911	CU5eFa4IEg9C86K3q3	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826219378.959227	CjIIPssghLGEorHw8	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826219438.545233	CPtwAI1Tg1IfuoSKM3	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826219498.525544	CO9NblvejxXkTcUY8	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826219558.500988	CeO7Qz1CzpFW69gWdf	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826219618.532072	CRZ0oD2YQJDRZAnt6l	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826219678.555324	CjzDVI3XGx7lqjOg1g	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826219738.527822	CUQP3q2lTu2RKoVCOl	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826219798.597931	C6kkMw3NAzntP1NOo	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826219858.854441	CB98Y31xoCbOLXnAv5	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826219918.507732	CxwILj2aaVrLkNLWj1	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826219978.497853	CsqpAUETTHZd5nTv6	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826220038.515262	CMT7d9253N7NH7FuE	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826220098.578550	CPxyT21l9FIUJgAgL5	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826220158.735531	CfgdHi2KjB7cizsG31	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826220218.628969	CmoCMVu153GasnDf6	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826220278.712744	CM4ppa2OO93tjbFDjf	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826220338.505674	CV6VTz2MVsL0Pfsacl	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826220398.664581	C5ntrF3rNjG8pu7kWf	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826220458.510190	Cqu6ot2V4e6PFPUFJl	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826220518.507097	CsMw6A3UUVEWlrSsF2	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826220578.526459	CXOLcCyBC8oQGvoR7	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826220638.618046	CNCPPQ17GG548uCYM1	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826220698.513457	CyRX9MxXvdnygPLT6	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826220758.537687	CyslX12LTDUexMMKFe	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826220818.575589	CNnsrI21oW3YbLR7tk	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826220878.554922	CpyB9P32StZIDNvMPd	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826220938.527428	CmdacV2aCeT4Le1iIj	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826220998.547748	CWAZJ04zIM8Uidw8Ae	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826221058.528063	C3lsUL2zwrjEJyVvnk	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826221118.541565	C5PFCS3UW6jz15lOUd	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826221178.570688	CiENQR2IMT6pOgakNj	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826221238.529546	CUcHoX3WaHBXrO8Sp2	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826221298.524518	C3vfgDemzTXeQrNB7	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826221358.579005	CxXeTR1FQDnqxa4k32	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826221418.523209	C6YEWKx2D4QzmX6a7	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826221478.515248	CSlYJ02mKsx1r1WYTb	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826221538.650743	CdwFti30tGyHqJreHh	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826221598.545164	CPo69p4rTYwxT12Q6b	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826221658.673828	CoBMPv3N0EWNEqAyZg	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826221718.527284	C6lipB4hl1jtmyfcr5	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826221778.630584	CDD8b2JPKsY7NhkDa	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826221838.526966	CdhKPg1KzT333BHSv4	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826221898.545333	COuWwbIOCqtE9HxC9	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826221958.534428	Cahthr1r1JrUcnfBb5	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826222018.583071	CVfye3p0O15mZBJna	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826222078.557534	CNceTh1YpmX2OmOdM4	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826222138.536850	CCByjaIfOE0tF7TS9	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826222198.593281	C8z94q1UGSfIqu3nOb	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826222258.593131	Cr4KWl3UMWjjkZeCBh	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826222318.816482	CzB6Cs4x5vxXFJ9Sbb	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826222378.818261	CQqtus3LyZrgsxoA4h	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826222438.632643	CsXU3y4RI57UtTk9I3	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826222498.589524	CrhGtoRoEQ8gigHA9	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826222558.568852	CxpV0u1UZukDABukP2	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826222618.564786	Cm4umy6OU1euvZJC8	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826222678.624152	C0034F1mPsRfYDQ1Dd	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826222738.578089	CXT7bW2yF5shDltRJi	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826222798.596391	CZfVXb4HWO3fRYeoNc	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826222858.573723	Co3f093f0jiq0cimZh	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826222918.646725	CKBICn4em51h2gtKyd	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826222978.538235	CXeBmZ2aSN6tDdMzFi	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826223038.987043	CPpk9f4DV97kqsSKTc	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826223098.542807	CSNkn539eu58ciBI5i	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826223158.613896	CW2KZj4jKCs6WIPdr3	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826223218.551280	CT4HOpdZORAHI4Mj9	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826223278.578458	C5q0mv1W9sP3fL5l43	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826223338.920871	C4eHqx0GyjreSUKR8	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826223398.710865	Ccvk8E1vOxRzfIZimg	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826223458.611153	C1PUBl2NXOxcSszVsl	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826223519.399189	CNO1nB3qJW6gAmqPyf	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826223578.634244	CQACTy2gSWRYMP2VKk	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826223638.568696	CkrOyN3kroRQioFUY	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826223698.552911	Cfoj2Z6QBXtv1OAR6	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826223758.619132	CRkpC42N6ds90OHV3	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826223818.616998	CAuvs81Rq1Sa1IN8R5	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826223878.588534	CCAw8f2MQ2uii9qZH	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826223938.560053	Cf7on01C1qQJP1fFA6	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826223998.553003	CPSpX52zCo1h1vEWi	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826224058.654340	CiMNw719LEfZf2q966	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826224118.580976	CUyKce2NKTcUNUe1ig	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826224178.669638	CjHjNo27dy98Of8Eol	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826224238.648991	CjUuyE3sPaWq2NKbFf	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826224298.566850	CyOEgv2ags3TWtHhRk	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826224358.578406	Co0VVJ3Zpz4oluOrr1	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826224418.601677	CP2XMQHowYxDqiDe7	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826224478.615185	ClWatX1wWrgT0ptKj2	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826224538.557437	CaJPNGiri22vSzrc8	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826224598.601200	CQnAnM1mMUOMVNejbe	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826224658.584449	C76czQ2Ez6yNM5tqnj	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826224718.714092	C3bbe54r9aPAVO6t1f	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826224778.590942	CGxpQD275K47ZyI48k	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826227058.642220	CARRBT3YaA5El48Gfe	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826227118.588374	C9iHmN2uJsjHdL2Nrj	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826227179.008863	CZ9C124PqcS3QQUbVe	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826227238.597804	CqohsH2vkLavNncN1k	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826227298.642536	CQmFdX3Ju29hkccsI1	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826227358.735113	C9oMqPztznYFSZDv7	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826227418.698844	CPs47W12wLEymaFO42	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826227478.606937	CUvrIHY56Rme16wX7	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826227538.632140	CStgiN17bCet88oxsb	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826227598.843766	Ct45fr3bD2OkAbpwEg	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826227658.607429	CTkdRF4wd2pNDVgxfc	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826227778.631493	CiCuQd3QpuOMyFhlmh	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826227838.700623	COLuDt4YgrIFLvgba4	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826227898.735615	CD5F7g2zQjZ4pNzX9	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826227958.728618	CplzPm1HOCpPKDPD55	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826228018.837749	CMBkO6FrGMwcRmdYa	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826228078.611153	CkYmlc1aS2TAxDWbr4	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826228138.664679	CBPxLe4xK31tW9Aea	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826228198.822629	C9Sntl1J6YS3WrpIQ4	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826228258.998144	CmZ0J7XL44kGrChJa	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826228378.685506	Cy0Zfd1DE2wqitWTwb	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826228438.978170	CTgv2o3LEDZLphhTIg	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826228498.661770	ClIHEC4OvLeeUpOf9c	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826228558.651863	C6pish3uzrFeBw94gh	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826228618.701470	C2Smfx4qqRLw1qGHW9	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826228678.650545	Cp8iTp1OWC1BrxDJK4	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826228738.665995	CVDOgb3r8sr0yNfja	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826228798.694152	CycTci1RQ5i1Mvaqc5	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826228858.666644	CEM5q2F5XdDENPL0h	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826228918.714285	C1oMey4fQi2Nbzkmdb	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826228979.077767	Cvodxr3iHWv4Vp36Gh	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826229038.727630	CYBris4ACMleIl8yNb	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826229098.860212	CKxcLm31ohk7LZL4Vg	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826229160.016217	CLkXIB4H9A2YUaXE7b	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826229218.786701	C18k1v3KErOcxt03Lh	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826229278.847042	CcYeYo42YF7lCbLuSb	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826229338.642872	CCyVqj3Czr9xHAv1H9	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826229458.657132	CthOXq1OZIYuMsM3v4	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826229518.649148	C1YolchBhC5S2Jvza	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826229578.759279	CSHB0h1Hw7OgqnqGs5	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826229638.661509	CoBSd1wCkNyh8fvMj	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826229698.619359	CbG9dY3KtLuCpw9iZd	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826229758.681659	CxE8xR2Pcy4G3o60pk	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826229818.639541	CMMpFR3PMfW6IsXjwe	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826229878.937049	CMLj5M2RwQ34gvSVa7	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826229938.677242	CzSvVZ1pkCbgUJfQY1	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826229998.670222	CHXjgLwXW6zL0hjA7	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826230058.696392	CSZuQS1MHJsShyHGt2	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826230118.687435	Cu4o5D19R1Ek60gV6	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826230178.687273	C9q5012x3FjiZJ3aJ1	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826230238.666614	CbiPkMIk2JeRxAzQ7	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826230298.675238	Ca6iER1eHss3iSGWJ2	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826230358.663380	CiP6TBiWHoGJpQNGj	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826230418.669078	CbDfH14UrnLRVx4BTd	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826230478.769466	CHMi1V2DFEweqTMWtk	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826230538.701949	Cc59lO3xGbuKrlYgBe	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826230598.701785	Cun7LI2EQFnqJB98c6	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826230658.684023	CdlWEa2420sRecyw51	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826230718.697517	Cb5uTUpFZRqYN3rP5	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826230778.669049	CMqSii2XAJJjybPjD	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826230838.655236	CYhTD31bhvLrgG8bNl	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826230898.676545	CZvZQz3BwJFldS1uUf	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826230958.677362	CrNehu2GUcZ6rIYZ7l	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826231018.675249	CAcOPF3Qllu3I6vOkf	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826231078.648723	CWmA9z25zRhGrWoNSl	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826231138.705163	CxuZnw3jWA7OInY50g	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826231198.675715	CXAaOq2S75Vm6K9Y2l	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826231258.652131	CQPabJ3O1kzABLlMff	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826231318.682228	CMGSuC2maas3iyTIr6	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826231378.688895	CbJsB924jw7GbJB7l1	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826231438.682849	CnG4QTRMMyqUNB5z5	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826231498.666083	Cagbwj21m9ssbpHYm	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826231558.651282	CIsgR41SiqjXyYoC1j	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826231618.668673	CLlTU94E3VdDg3S29d	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826231678.701684	CB3Rn43ByfEnY9UVoi	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826231738.666386	CorHqg4R2sQPvYmxBc	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826231798.665239	Ce7NI93PoU8MYXmJX8	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826231858.658224	CdysAA15HSrpUVlVQ3	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826231918.705874	CjksNk8wb7cO0xxy8	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826231978.670582	COaoHH1qpaKyvfwym3	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826232038.659686	CMYf5ttO1N6tPmkd9	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826232098.654639	CRR2xz1JqKVul32w64	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826232158.749160	CNsYJjmITqqIyqci8	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826232218.694336	C48MUI1mc4tP1q5d63	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826232278.658067	CKCziu8I1kXCOhe7j	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826232338.689134	CJROr64ynvziju4Fed	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826232398.689943	CFMQU03VBHUg89MTji	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826232458.685863	CKx0Mj4jsfe6Mazvwc	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826232518.661313	C4za4d3E46nZoOAdWg	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826232578.668970	CV8p7C4oshLC2dvQ8b	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826232638.677580	Cz6gpv31nP2MQbecJh	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826232698.834546	CGg6Jo4Np3Rj08IGQb	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826232758.673342	Cm1hbj3jxIC9MjgQF9	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826232818.695626	ChMVzq15csoGyrCUt4	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826232878.693516	CH6SWb6cepyKS9kBa	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826232938.676758	CiMkgh1eoBmGCtWwu5	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826232998.696103	CyjXs13KQMgyISQU9	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826233058.672523	CBJ9Ep1NJRUw24zVI4	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826233118.673347	Cnpa1bi9I5AdYAoka	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826233178.684889	CajlBi1mBsjjt9HBd5	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826233238.710110	CE32O2eAalc6xfA2h	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826233298.683598	C1Hvuy4ERNxwXyPcfb	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826233358.812265	CfliMr3N8astV3NUEh	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826233418.818938	C6lzUr4tSxwPpfXoMb	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826233478.726052	CKUFmm3QnYnVtwv6X6	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826233538.712213	Cfgaf12OYwBu0FsYK1	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826233598.675928	CVKyAMl8FzYpSpqP7	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826233658.821184	ComLfR1Rs65K5HpLI2	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826233718.692187	CiIevBhTbEz5GMZEj	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826233778.695922	CRdBr14FlR2anlgKRd	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826233838.705511	CvtaMU26De49jhk8vk	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826233898.768793	Cib5JO3G9jz1QfLpCe	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826233958.691530	CQzz9J2RS2f3qR5mLj	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826234018.686472	CXDCOX3h8pqqNJT6Yd	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826234078.765344	C5fg9R2aIrvDQdDQqk	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826234138.676343	CakuUR3uI9GLmNn8ye	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826234198.788417	COV2lM2cMdtUmYq7c7	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826234258.724814	ClKrj02eFCq6wJ3ZZ1	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826234318.692441	CJVLELnQonJonevy7	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826234378.781109	CYlQAS1xNVnF0sUPr2	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826234438.715539	CIwfQC6yhVCAiRYRl	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826234498.765130	CVvR3w3kxcEIIekfZf	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826234558.756185	CZeHuq2XpSerRw2u4l	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826234618.754067	CGRQlJ3xQbXZC28ghf	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826234678.682658	ColdGC27a1bhCXNzs6	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826234738.705925	Cx50V923kWUfCFLVl1	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826234798.711622	CR88aUShHK4jOaCx5	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826234858.698771	CKFVkj24OxT44Wvsl	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826234918.694710	CyYwG41ZK2ILyt3Ed6	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826234978.883896	CJ8CPa27HbtLkyl071	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826235038.712921	CtvO4VclNEkygxCO5	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826235098.696154	CAdKYh2CuOHOY8ctC	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826235158.697939	CqHpk31ydW1M55JHLl	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826235218.836370	C7DJFz3WbUyqwNRXSf	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826235338.920938	CP0v6u2BhBA6yxUQ8l	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826235398.737276	Cegl9G378dSLVsGClf	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826235458.732217	CIwDtz2YMLzCMbdOb9	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826235518.757406	CtYimz1MEtby7DB254	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826235578.831421	CNJIyjhJ6eealC0j8	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826235638.732696	CcbPeJ1d90T8zq0473	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826235698.778410	C8Q6CuJ4jaV3V5I8j	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826235758.710891	C779D64fl8z4tQXagd	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826235818.701921	CVFw513QlVSpaQ93ji	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826235878.700775	CqMwsj4ughQ5782Hvc	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826235939.808964	Cur2Kc3ppwqxJEzq2j	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826235998.908367	CtDWea4ZHPfmwXLT9d	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826236058.833061	CzvoH43gMUT04rJpni	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826236118.756764	CkMXfg48KQbe4tV3Ac	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826236178.750737	CyCxx93IhHybnfJSW8	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826236238.758377	CB5ZgA1m2od2CtN6Q3	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826236298.718200	CrvktkXjRSlFIj1A8	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826236358.744379	CEIISH1hAr2j5do4o3	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826236418.820342	CuaWft3mjHyS6Fgxd	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826236478.762593	C7ZgbZ2570Mm9OS3Ei	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826236538.720468	CfwEYe4ks8XVgJuBUc	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826236598.720300	CCyOG53kGa4klj8x6i	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826236658.811881	CO9Sjk4EPgNMTjZJs3	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826236718.736563	CPXqZpgPXWiB5vfl9	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826236778.761764	CL8gxv1FAbrXFWTw33	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826236838.741101	CmaE6xBkfapbQZTQ8	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826236898.722394	C6hNOD18E7XbLyYZI3	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826236958.714419	CJJ9Noy1EcNPHOvB9	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826237018.722085	CXd3lu1DQVOGdSHQN2	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826237078.810745	COv9by3iedgNv7eB8	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826237139.031717	CINmTE15mrpqtUFdCd	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826237258.752607	CVB4RV2dELRJEoz0Ji	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826237318.847110	CzNnEb42GntSfGpUOc	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826237378.904555	CKHYa93a6sKIkFJP0i	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826237438.753128	CQ5YNn4hGKqRtLv8H	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826237498.727592	CBLQ301DP4vnw75Rz6	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826237558.949964	CVqmD52ygcvVWx5qk	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826237618.841486	C2n3I71iiiC56yBF76	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826237978.730259	Cw3une2WLMPGaAMPig	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826238038.726230	CDGr7p24MVKwVqMupl	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826238098.730892	CRgYRE3VnYSBB3SFDf	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826238158.744403	C2NY5v2fiF9iEfVNPk	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826238218.757871	CemAKJ3eEnRuxlpMng	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826238278.772353	CtIaNl2O4p8W4zJrul	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826238338.739988	C7CLxB3pwn31cAuYxf	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826238398.789594	CEx5Ay2HpATATwR6Kk	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826238458.816759	CShLeN3FBpcOAyLoX	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826238518.761940	CjBDRYV58KiVG07Q6	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826238578.781285	ChV4r42SpuC39oeK4	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826238638.756717	CeIDM81OvxDUUNqZR5	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826238698.789742	Cub0sf2ZcwcsFKbuhe	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826239058.742858	C9HlCN2xY4gG3VQDtj	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826239118.817844	CJsKg246wVCmrrn0Ue	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826239178.749343	CChl4H2mUqB0irpE0k	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826239238.770674	CU9dPW3S3ByKQIGBG1	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826239298.761685	CJxHbP0mTDXVUAPt7	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826239358.746873	CDZkRV1J3zv5iOPX52	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826239418.919459	CYeY6IRvc4njanHY7	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826239478.847061	CiA8GN1em65NvYfgq1	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826239538.746371	CBa1pQE5KhnHnuud7	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826239598.748166	CZXI4X15WZLtg0wyl2	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826239658.781183	Cumu3HHdCFqgXmie8	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826239718.803472	CUUICM19pZnu42osce	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826239778.818943	CT7JXQ2vOJQK4PIBoj	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826239838.753386	CbA3C54qH0Lk1XzCZe	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826239898.798115	CIZkBD2AmgzJOcig6k	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826239958.766735	CQG8mT3RvrzdAWbns4	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826240018.815379	Cnlq9frWa1EcZjJfa	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826240078.990916	CbKURl1uhEBlMEYTO4	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826240138.857062	CoVht7OPTSeOo6rHa	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826240198.789568	CIiU0d1QR02RLG7Lvb	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826240258.770860	Cjt3En3663YPNgJHHg	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826240318.877996	CvKLgC4dogVsjKA6bc	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826240378.759724	C47rHh39IsDuxDcShh	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826240438.752743	CCp1vx4wGyTGcqYIqb	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826240498.795532	CbMlZq3uBdROVdUFCg	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826240558.806102	CJo8CF4ljJaHXkxIgc	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826240618.805927	CuTmee3txXtUzOsunh	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826240678.804787	Cgp12u4l8m4FKe42c4	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826240738.827089	C9vNmgR6cFmBURnZ9	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826240798.758610	CxAd5n1clQ4WRg2v45	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826240858.757472	CuvSp6aWAh3egQ1Xa	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826240918.765106	CMHqXb1tSOWlTjEok5	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826240978.797143	C3aGIJ2hVasp7uwa	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826241218.771213	ClKPnf1MFaceI1NIC4	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826241278.766164	Cc6SYcK4PBVwqdlJ9	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826241338.777724	CoPWJs1a5OAWbr1P0c	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826241398.765852	CN7BVj3i7ogp00Y1Oh	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826241458.768609	C7XzBq4pXHfGkOq20b	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826241518.769419	CC7knu35BESKh3qISg	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826241578.776090	CaOnXz466duYCW5zKb	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826241638.772991	CpCS7l3ii7zt38ILxh	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826241698.791353	Cr8NNr4LRpJQlDBIfb	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826241758.774582	CCYNit35gYbGf8ho8h	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826241818.771469	C0uNSy4JZ1N2AgHrf5	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826241878.863055	CLNS24x7YSefzuxra	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826241939.284125	CxJ6Ii1wki24jPQpI4	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826241998.780750	Cw9Hu9I2NMq6PA2P9	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826242059.025161	CO5Qfp19P3fTyHEyJe	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826242118.790175	Cd2lgJ2lvFgSvekYwk	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826242178.788064	CxXVXP32bniWRhYVLd	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826242238.835729	CQRQnU24ePaWTh4uEj	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826242298.779917	C008VZ3GaCxphVkCB2	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826242358.860709	CvtsoBC0BoZ4JyAN7	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826242418.804890	C32Y0Q19mjQsspuMQ1	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826242478.905255	CUvQYM7ZQrxMKhCX6	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826242538.810416	CuRFL224aaTaCpEFw2	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826242598.786827	C9bJIEG17T1EQxDI7	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826242658.838395	ChqalT1vSrwaj8TtW1	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826242718.874347	CQyKuJn4D3tXImj37	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826242778.838084	CoJvhZ1ztsloaalite	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826242838.787168	CZVxsK2dkyowOUkIgk	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826242898.920704	CFcdaR3qYHw26HQB1e	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826242958.863934	CckhjT2Urk0ewhgaUj	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826243018.841315	CAFCQY3XyEca0PKhv	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826243078.829442	CzZbm51VVVoQz9W5C5	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826243138.797073	Ch9e9l26trionDird1	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826243198.790087	CeKScTGjsI0ukuqp6	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826243318.790753	Cc03P72sxr2PQYMq7f	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826243378.939943	CHju0C2qMmzClPu00l	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826243438.803122	CVFyxH3Ni7qMT6MJ7g	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826243498.837082	COGTrr2TdKk9tBt8Vl	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826243558.806671	CEWP9y38Qe50CYeMnf	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826243618.902231	CnubNA2W5FZi1CClgl	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826243678.799713	C7vbkG3DgSwPDa29Sf	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826243738.801488	CMinvs27UFBEd4qxFl	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826243798.797409	Cwlfdz3tcx5e2NzjA	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826243858.808938	CnmP021ZqvnZYu58H5	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826243918.824396	CnPVNh2kTu2Zun2P71	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826243978.811537	CCLSFWEXS7JFOxOj6	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826244038.808443	CKc7ib2JO2RKDcAcoc	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826244098.843419	Cp5ezc3zLkI2VkxTgi	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826244158.807117	CntW8i4CinXR72slmd	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826244218.805965	CWL1y13eMnyLaAMw9j	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826244278.871193	Copde84S9xIduEIye3	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826244338.832976	C13XMuevTl8U0bal8	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826244398.829901	CJ6nyK17sGcJ9MiSY3	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826244458.854146	C4qe6jP6VuwcInZa9	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826244518.802259	CqebLx10VGz9DFQAj3	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826244578.812840	CBWDrrw7AG2lOYbq8	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826244638.889787	CXEZcH1HZC93NVpgT3	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826244698.804714	CaUizmlcGlxshbn59	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826244758.866022	CivbeB1pxMzc2FGxEc	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826244818.840494	C58Qlb3Xq5N56aYexi	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826244878.841322	CtPCVg4gWDbIkasK6d	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826244938.838230	CmsrB23AS1mv2t6WTi	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826244998.816588	CQgHh94SMB10cBO3Q8	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826245058.821315	CPoXdC1QtfPwF1PnX2	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826245118.812373	CpETDwnxSIruShqn9	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826245178.913723	CGPxQw1x0yxefEldA3	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826245238.866722	Ce4zaqrqdhOrn3n7i	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826245298.921238	CF9GUl4pHXqvcjDK0d	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826245358.819586	CluB963IEgYBmSUSBi	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826245418.830157	Cw0mFd4AYzvxesrNpd	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826245478.863177	Cmmc0Z27pYUc6esmSh	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826245538.856182	CTZsQm4vbUSs9WHJLc	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826245598.824786	CdZj573mwbzJB2qOSi	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826245658.816823	C8dlkc4UJEFL52DIGd	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826245718.819596	CKl7FX263P1BV7bHJ8	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826245778.876048	ChERQF1w2PQ8bVv1R2	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826245838.875872	ChdSgA30yqB7gFHr9	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826245898.863029	CKu4Ft1bAf9SxM2vE3	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826245959.038160	CkU9ZmsYYV7FsJYSk	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826246018.825643	Cz1jQL3Snmi7cPV8Mf	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826246438.824533	CBBt3w2RZy401OQZkl	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826246558.835921	CspY3D3BhPkvmiD19g	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826246618.829895	CiVsro2f5QDbHETu46	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826246678.850235	CZmPhc2nZrN7OWNWb	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826246738.830559	CdjyK61aGJp3552mE6	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826246798.832344	CScpr72KSTgZYfmWQ	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826246858.832179	CadOJ01556xbWdz8Y5	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826246918.902298	Cl9NUf2NlyJ2Xi9A5	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826246978.837724	C5Krna1a5JgpPSMDI6	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826247038.885394	Cwk0g42oEICnKsNdV	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826247098.844228	CI7lyX8ZraklLMXDk	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826247158.856738	CVJ0MM3mUaXYfvj8xf	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826247218.840973	CfDfZw2hmqJnk36VBl	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826247278.845693	CoGTIB3vdpkqJhcXpg	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826247338.855270	Cons6n2AQk0i6YUbZ7	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826247398.872668	ChuUcP1GzDGOX8dNb2	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826247458.842250	CzaYuIHoEnpEd51s7	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826247518.845986	CERfCU1tlDazIHnrz1	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826247578.851689	Cizb5P10Jdd0N2a0k	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826247638.844676	CB4siV3FuNcHsqRaOe	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826247698.862067	CvShGG2E1pLDCMCsvj	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826247758.911671	CgtRv34wtcf0u7rEoe	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826247818.879290	CGfPIN2ddaERl1R5fk	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826247878.855719	CVhQnU3h5yr22il63f	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826247938.917065	CpMBLF22JlXzW4fsej	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826247998.846648	CS72S444orHK8FJD7e	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826248058.850394	CgJV4P2kVSGZSV6t58	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826248118.853168	CBD2BL18tkJfskJ4i2	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826248178.851054	CfFaTEDleiexXbEn7	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826248238.858695	CyFKOX1B4JlZY1O4v1	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826248298.850725	CqAKhSwvoCqb7qoeh	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826248358.853490	CnGHkv4wzL7pZSkh2c	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826248418.885526	CDNKFg3ZkCW1buhwMg	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826248478.865847	Cc8v9E4ZqOAuUpPUFb	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826248538.858860	CS85oo3R5Y7EUzRUKa	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826248598.863576	Cx7bbf1ZTmJY0kxJX4	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826248658.858523	CtyZu84K9U1PsFUaa	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826248718.861298	Cyn7Zj1qliLmo2Idi4	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826248778.859179	CcVopedEGkTW5kcRa	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826248838.870699	CFknzb1Fg4GQFsF045	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826248898.875419	Cjs7T46o7vfm77y6a	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826248958.899648	CcbHbn1Q5dRKRWPQd4	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826249018.864386	CGxUBhGXEg1jjQjth	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826249078.867101	CJi1qu4YkRyMci5dhc	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826249138.866899	CtL8Lf3TKyJq6mBvvg	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826249198.876445	CioCvF4nOf39PSsUob	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826249258.863540	C4CgKp3gKFNqnhddTh	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826249318.949260	CJ5Y9n4UW2EMQK3yMc	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826249378.880778	CVapp73nsC5iBFPkRi	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826249438.919666	Csm39c4js4VrSpDcFd	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826249498.916588	C4BpuX2zF2DeN58TI8	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826249558.883238	CFVPwF1v3pg4GGpaQ2	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826249618.870405	C14iXzSoayGeD2et9	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826249678.869265	CQMQPt1SW2BcIWmYF3	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826249738.875938	CULnanN39jY69dAO8	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826249798.879699	CtMF2C1hVFxZnkORV2	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826249858.873691	C38ctw6LwyZkP1ho9	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826249918.969767	C6a3ax1sqTCEvmG1B3	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826249978.872403	CwuEuqMZqHw8mpT8i	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826250038.871257	CdKs5m4uQrt6W4Wd2d	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826250098.889646	CnEPk63HTpJcrqQ4Bi	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826250158.872911	CCAkld49QPHDWNjWod	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826250218.873732	COvCGY2yuMFfruRBZ5	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826250278.874538	CZo16g2E9l13f1w67	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826250338.887065	CR9eya1pyP4JRIEMH6	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826250398.879104	CIzqW32RyLogaLJpU	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826250458.879920	CUwjeXfmzyKtfLrCk	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826250518.888560	CjnjBM3rAiVpptIEvf	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826250578.898170	CfUXNw2k490LxWpJCl	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826250638.880507	CygZ2C3cgWZbAFWNqg	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826250698.881338	C2BXpn2pmJnWYoC7Sk	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826250758.997899	Cb2JwL3ZYi5hTdTkLf	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826250818.914243	CdMrJv2iycnDJ9atml	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826250878.887750	CMqcfD3yCturS51yag	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826250938.889540	CK6fCo2Y4Fm1yXej56	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826250998.908891	CrEUBc2OxPxziKzNc	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826251058.901889	C9e3471TEM6BNX1QC6	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826251118.886125	COxHg72jM2QaICMsP	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826251178.894743	CIbwy01CSFYMDU5Udk	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826251238.889686	CZMRZT3C4BSW5DEX1f	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826251298.908089	CBrbnF2rvPrFF3aggj	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826251358.887436	COcF754laVrNg6Ju9e	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826251418.918515	CcY6kP2ZZ1ljvS3C68	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826251478.896887	CxYwZL1dV20x6L6gj2	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826251538.901595	CND4hF0CTi9tMxNl7	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826251598.893636	C4vEzX1Y69tUwlAgt1	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826251658.898345	Cq342SzFk5wCmRZ08	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826251718.893305	CvgxsP1lYIjDSZdEd2	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826251778.895096	CN69KI60S9NmvlPq7	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826251838.895901	Cg4heU1Ww8G9drIiy1	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826251898.895715	C2WKGOKhNFImIpjYj	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826251958.894582	CxFl3V3AYwtzrQEmMe	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826252018.924681	CV6BqG2VdW2sjOABwj	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826252078.901098	CSzlU345NywycDPPpe	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826252138.910683	CUZI6O2YIZLw607oPa	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826252198.907574	CPEGjb1apVMke83a25	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826252258.903484	ClS0E4xLn6zZ7vJ7a	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826252318.967273	C21Bzn17sbjijIOZe4	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826252378.912848	Cwto0iNm1Jt1lQavh	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826252438.926355	CPocFu47vt2Mz721jc	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826252498.905693	CVqL0g3ykDdqahVmug	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826252558.902612	CMUb7F4s9MJhVAJInb	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826252618.908308	C2Ihmp3POewIeJMzfh	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826252678.907164	CFOBIv4N74v8Rfiq3c	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826252739.201367	CV1f4h38etxiHY2IKg	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826252798.934171	C4LOTD4GXi9fPFb4Eb	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826252858.911565	CCRY8o32qMHYKpaMJa	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826252918.920173	ClSKMe1sJSSeTWMxW4	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826252979.015256	CLS078nzqYTfoELca	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826253038.913020	CeIiek1XlJy8uLD1k4	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826253098.913839	CeP1Feb0AYhNS5IIb	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826253158.920496	CJvHSk3zotOGahLXvh	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826253218.912474	Chsayr4sE6U7zFhRgb	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826253278.914220	CGreHt34aOiePm0A9h	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826253338.912114	CInMgz4ympC5jkUfh5	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826253398.914923	C1tzi4UxcU0bS6ota	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826253458.918705	CNidXi1tYSpVWLseH4	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826253518.917565	CejN69BKqxDk0CTN9	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826253578.920324	CE9mRo1gaAudxslxl5	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826253638.927971	Cxo6710S57GsKRFxa	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826253698.918042	CtpOLf1HEsf2X2ORA4	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826253758.960352	CcLGJcJZlNpIEhxH9	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826253818.920563	CUUjus1VIruWCNEDZb	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826253878.977586	CNYGxj3NoaPn1B0TMh	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826253938.921223	CfI5dq4YJssbugFQ1b	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826253998.924959	Cqu0Du3kH0UcEK3zUg	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826254058.922838	CY4ucA4teZ2bkwHwv2	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826254118.925608	CxQekEnBXyuIsasH7	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826254178.921518	CbsgXS1QtSj3TkxkY1	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826254238.924237	C2KQJJWQxwMwrA757	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826254298.945549	CYgcxZ18C09Hck6uue	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826254358.930755	CfrwQK2CbkjptC1Rhk	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826254418.931575	CVxDyR3fchaFSJVNZd	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826254478.927493	CYfE3T29NiftvSgjSj	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826254538.930243	CerrBY3gHyc7VOhpLe	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826254598.927136	CJrrvJ2yiUgjRRwMyk	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826254659.050546	CrJCdQ3pIz8mii0NKd	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826254718.934655	COLmZT2VGXebHNFiDj	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826254778.945240	CugexZ39ney0uzoOz2	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826254838.951909	CJHP8BDAmDquVxJL7	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826254898.945901	C96NLP1mPJRoR9eYR1	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826254958.937938	CSjPmNYKASGN2XKY6	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826255018.934852	Csv6a32jtTQLXsgipf	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826255078.932744	ChQSXA2Vs4pDKBdPhl	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826255138.978058	CxdtvG3wxju86eIkRf	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826255199.037442	CiIhbs2EXH19EDFGEl	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826255258.943011	Cq7KTy3g8xMr1vhQy	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826255318.937976	C16BP116RZ3HzKIBF5	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826255378.936804	C1p9Dh2DgB8r8uaG81	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826255438.942466	C6wsZWXQh23xtBCk6	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826255498.945244	C6N8Cb26umo62uptu	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826255558.943115	CxH6251AfklBzkafB5	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826255618.940043	CDdJPk21Gy97WHiXe1	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826255678.939884	CQoAnTtu4QvqU3Uq6	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826255738.946546	Ck1l082TcbPGp0Uh8f	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826255798.959638	Cvi4kC2ZljSI8pxO0l	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826255858.942307	CBuARH3UAJZjsIsg6g	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826255918.943103	C2FFgr2gM6hXCK5CTl	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826255978.952270	CSK3Zx3b4QlfuKTok3	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826256038.947620	CFFFLrtZLvqa653r8	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826256098.952922	CxOzwH1G993cNA2KR3	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826256158.947284	CECwomerM80O8RT39	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826256218.950572	CqEX2B1oPuKNtEVGDc	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826256278.950427	CH2l2b3UfBR1JoCqwi	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826256338.948722	C5ExBg49Ufmtsz2e8d	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826256398.955968	CCjJM23NWfWyL66sVi	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826256458.950944	Ce2ps94EMZgmhheGmc	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826256518.950800	Cbvroc3s2CEbUBeqfi	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826256578.962348	CNjIXh4b6V65zvw9nd	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826256638.958265	Cyc3S13rU33UzgUnaj	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826256698.966875	CwgNx84f5gBtT9k2g3	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826256758.955000	CHFeYuRiu1tUKbGm8	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826256818.981197	CxD4JK1kpGBTOQy1Y3	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826256878.965414	Cm6JMi8ZCvo323ba9	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826256938.961351	CIO5rx1N106wdv0ggd	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826256998.962186	CdbA613PQeyL1Z6X8j	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826257058.977647	CPPkG64cqwD052LBvc	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826257118.972604	CEuTIc3ASBeQ2YeNii	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826257178.964625	Ceo7pj4ymOQ9EFEX44	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826257238.978134	C91ExjiAYJ4Zpgzb9	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826257298.961371	CZk6jz1v38ReSdn973	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826257358.961204	CCzeDuNKcz4svBgj8	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826257418.988368	CCEdiJ10owPexJa2Q3	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826257478.964774	Cd8kskGxtH0bgsDW8	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826257538.963626	CH6IdA1vKnFZ4B4ao3	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826257598.966389	C878ht11zMDgiZgA8	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826257659.124337	CUY2WH1FqHB5cfuY9d	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826257719.025602	CvHnI43pgHU3M5VF2j	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826257778.972750	CxFcia4qIxovFCkYzc	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826257838.988161	CCukw93stI37jj8ani	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826257898.970378	CezCcg4RsJ8Pyqs1m1	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826257958.970224	CR8kbU1Y7FYbatPs6	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826258018.973008	CrikY92GGaKzIYSnl	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826258078.979685	CUvwF41YXvKls2Umx5	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826258138.973686	CgMEhj20Gn7a3bJ9Zf	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826258198.980376	CD1utq2Wvy3cbogJRl	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826258258.974347	Cfow0w3NHXvyfHQkhf	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826258318.979060	CGAcHC2PEo0tSAnJ4l	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826258379.042341	CoQ6pJ360MmNfXASSf	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826258438.981621	CT8m5u2q0KbshXNrLl	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826258498.980480	C1akCz3FE6zAeIIHlf	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826258558.978357	CaZGuz2BgYIPS0W59l	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826258618.979172	CM1xcG3ZNlzmcWH571	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826258678.982917	C7cW5VT89Gtd33Ud6	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826258738.984715	CZE0Ta2QGILVgrfoC	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826258798.979677	CG3lj31C7bWW3fAnO5	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826258858.986344	CcvxVh2rbp95jTRPRd	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826258918.981304	CpAnNU2jxx5qSMmfFj	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826258978.987979	C7wWu14Kq3Fv133lCe	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826259038.984881	CCeA8J24xACV7sYSuk	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826259098.983739	CEmPFO3mRDjbeFMSK1	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826259158.983560	CRAmzMUKqZ66SPQW6	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826259218.984345	Ch9Qb12fYeuU3s3QI2	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826259278.997890	Cm0fwBr0Sag0aGFP7	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826259338.990890	Ckm2jR1IfaGNO6ITZ1	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826259398.988756	C15EDLaad08UWqRb7	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826259458.988584	C1k3g02lQZ9blXRUr2	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826259518.995258	CSZjRChywhDCUaKy7	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826259578.992149	COa3ES1XSUBsk4bcYd	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826259638.991957	Cz0paR2hhf4PBb0CLj	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826259698.999553	CDh2SX3Qc7eXRZl3ye	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826259759.002304	CqnZjM2yLyhGlZABqk	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826259818.992412	CGIiRR39tcSCeaAZt4	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826259878.995197	ChFWXbhxHBkJDc5G9	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826259939.010645	CHv8Dq1Ue75MTtAru5	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826259998.993883	CupPr12LUpDeea4Ba	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826260058.994683	CkpWch1gb1Ikw2tL8b	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826260119.000360	CPucov3e4htSQWyYVg	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826260178.997278	CNAd4C4ZCoaQSFZLQb	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826260238.999066	CgSpcj3Ja9iJLi8sJh	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826260298.997944	CWOvMo4uxlxUvL78fb	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826260359.003590	CR2jLr36zbdntiTk2h	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826260419.002447	CxPfry41PDy1FxyuMb	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826260479.004239	CKWSnm3Tei1NtqnaFh	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826260539.002119	CgIUXr4DnKjQjzc0J4	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826260599.000967	CxCa2bZitF2Uf96V9	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826260659.002741	CrOqHp1qEdvQ3z1wd5	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826260719.004517	CqWPM22uzFfoUU8ka	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826260779.009235	Cm91yi1gMXvoCLIXHg	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826260839.006152	CNhakC4OTXtBt9uQvb	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826260899.006966	CV8bFn3B9ENfdxfDhh	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826260959.010702	CgIOrx45hzjrr7E1bc	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826261019.008568	CismGh3FgxnoyMotfa	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826261079.025985	C7ivOl110m6w9bVhs4	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826261139.007288	Cpsh8fG4acKiN7GHa	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826261199.011013	Ci564d1QTQkoVY0ZO4	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826261259.012811	COmlu7jsk3N15h8Z9	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826261319.014622	CPrS1n13G4mff6tWb4	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826261379.010557	CPiAlg8QDke5pbhXa	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826261439.011374	CsFG0c1GbT8lEQKz45	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826261499.012190	COLRq6ac6jKlvzVCg	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826261559.017896	CBAsFF4cPYd2j6FOqb	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826261619.030434	CdNx0r3zDy87z7cfnh	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826261679.015624	CKuKYt4hqn9gMiUDgc	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826261739.021299	CSrmde3uwFNC8hW4u7	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826261799.057228	CJ2BUV1E7F1lm5pGG1	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826261859.016050	CDIGcPPhdSjIXLrY7	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826261919.024671	CeoNCN1DJr8wJ2fS52	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826261979.153343	C06L5IP8ymh1Rzotj	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826262039.022404	CRutd24TiLDSq5zphe	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826262099.020289	CTilBN2iV5Mm3W4U0k	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826262159.032811	CcrxSW3Q8j3ZgU36Ue	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826262219.027774	Cedx5H2tCFvm78Mmoj	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826262279.032466	CFVQy54HrNLWKZqnce	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826262339.024512	ChqEWQ2cZO5rWrhw6k	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826262399.022397	Ce9xpT3eehtzuFWHZe	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826262459.037847	CeKsCD2iDEx9vwvJd7	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826262519.025947	CFFU7X1ECbXiqyilq1	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826262579.053102	CVG4qQHKFU4Z9s2e8	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826262639.027550	CGvjzM19jtBaoPetl2	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826262699.027365	CGql2HeglZr733Kpl	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826262759.030118	CFkfVE3aItOQB0qUig	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826262819.029939	CPUr8p2vjV3PEgfyPk	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826262879.030732	CobgHJ3T5xXhmocADf	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826262939.031549	CQGM4v2Du86uJXIBz6	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826262999.030389	Cpy6A52BTQCjcTN3H	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826263059.037025	CfuR2014uJdDuZbV76	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826263119.033946	CEpPqe2QsbITlLGvk	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826263179.033778	C4qgJ71puQEkxKYRP6	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826263239.035560	CboTn421I0pnUsJjX	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826263299.035377	CxYzQYSi8oIZPkfS5	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826263359.038144	CMKpvf2iimdJR0wP4	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826263419.042855	C6yMN81w41eTbOFGul	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826263479.037751	CzmYAB3WHTiF39nRng	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826263539.036572	C1gfOl25di2KxNRQJk	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826263599.037390	CWVmbN3dNFq2jF8Txf	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826263659.120188	CyCXyy2EymTVCupvl9	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826263719.051695	CpLFAv1GTnEXAzgPs3	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826263779.062263	ClKz0qJ5ymBwGXEQ8	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826263839.039643	CAEBLD1V9mDZk4Sr33	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826263899.054120	C0DA5xbf68OwRSNDi	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826263959.041272	CT4gVe4JQxU1lpjbxd	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826264019.043036	Cr99aZ2SQJL9pV4M6i	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826264079.045815	CCX4nk48P90wL9sGUc	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826264139.057337	CO2TH53bmHbMqFTKIi	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826264199.045453	CDH3Bb4pfhCgxZZ7Cd	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826264259.045283	CPqSPV2EAN595SZ41i	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826264319.054863	CO6fRn4oMY3U3w3ZOc	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826264379.061528	CMYYb93AfdZHMJoLB9	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826264439.057460	Cfxoou1AfEV2xbA5J3	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826264499.047530	CBPmOofpONOLBLYA8	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826264559.049322	C607QE1P73OofKZLN2	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826264619.060880	Cy9aayKSvJardwEX9	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826264679.071437	CDyyQm1chEsUtJBqa4	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826264739.055629	Ch2VagbhGnB9XL7Ya	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826264799.057424	CUI9kc1p0Lsi0Teo55	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826264859.057263	C2sZK6P0Zwav4MrEg	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826264919.058088	CjUcQF4l3XYuAc7isb	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826264979.062782	C3dObr3kUfbLSgYqmh	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826265039.054836	CSNGEt44Q4fDyYVMfc	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826265099.056628	CgROTd339EcgYpkOIg	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826267019.094978	CF6DDC49oJOP6iZEwb	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826267079.081091	CzAiZn3YHMDcQKv9gh	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826267139.076009	CKAugx4mq0i2UPNv9c	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826267199.081708	CqXGvh34OkSuvlcFea	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826267319.084284	Cxirul1AWTgzzgYqr4	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826267379.081202	C5zJOeZvYIh2LlcJa	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826267439.082032	Cy6Qed1rkQGBMtusQ4	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826267499.082824	CcuBF7iXVFHoJPvnj	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826267559.080678	CBWif54cCvr1uOdzbe	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826267619.117602	CBBACQ2NPBXPQrLZ7k	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826267679.082308	C0bNAT3DuWZqvT9e1f	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826267739.085073	CgWcND2z7RSGiu1ye7	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826267799.084918	CrX1sX1VaypsXLTbr1	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826267859.091594	CzCxJQq2Q4kUGCwc8	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826267919.092401	C4RDoM1e81njBCuZj2	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826267979.095153	COp1RGXGyqrYbpyv7	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826268039.092073	CPiR5W178l1ZieBcI1	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826268099.101672	CZ8rnPgwqZYysOAX7	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826268159.091753	CKDfjN1Cxm8H1L0452	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826268219.127714	CUvHLH6CjP9wZISrj	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826268279.089493	CH8O224kTZZhduNVfe	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826268339.241580	CtA1qN231ehR3uzI1k	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826268399.095944	CG1FcX3Jylij1IDWUe	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826268459.097696	CAr0pH2oqNIx0J5GR6	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826268519.100469	CH9yD42ahLqLSEzaZ	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826268579.100299	CrUI5ZngGZpeHL3R5	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826268639.100120	COWs7f23IgWi96GG3	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826268699.104832	CoUjp81Tth5NwjdQsl	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826268759.094878	CNWTlB3PnYOJ4UZ2mg	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826268819.097657	C7uwyl2a0ZTlJo00Lk	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826268879.097488	CY1TzN3c5gr8Qwm4zf	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826268939.103179	CkmPWy2DatT7Mvsyol	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826268999.132280	C9PixE3TiIsCjHyLhg	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826269059.100881	CzzZJo2Q2qhFuPkmRk	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826269119.099763	CCfVWJ3g4VqWGa1rFf	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826269179.100583	CsVVjv2c1z3rHtQKA6	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826269239.111149	CLSCY520Hq6xvF0fI	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826269299.439902	ClsJq01FkUGWxoI466	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826269359.264070	CseLbe25Y4yK5qiHi	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826269419.120439	CKSxt712SMotWW6WJi	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826269479.103684	C7AVYb4E5rSYVL6hDd	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826269539.222577	CXVoeW2p29uPw2CgZh	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826269599.267269	CKtwBn4lWXlSJaz8Nc	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826269659.148995	CuYUW83jW28z6fyCA9	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826269719.104862	Cf2WZt17cTYcVdZTH3	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826269779.127139	CJqqqoMwwVs7dBPC8	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826269839.115267	CQ4g5F1S3Xl47S4AP2	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826269899.113179	CykPpyX1eSKR43Hj9	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826269959.112020	CDPWkv13HYOH3ENYq3	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826270019.108940	ClrvLpCyl1LsmcQR8	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826270079.151713	CCet9E1gbYXnaf0B43	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826270139.112488	CGP6ux6pdH2jzJEFi	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826270199.132810	C3Voaf4idLBEDDpZyd	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826270259.112162	CR5OpZ2bEXxvNvfD5i	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826270319.135418	CieCYj4bE24XdhSuTc	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826270379.141103	CCpWj53lOPacWg1bR3	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826270439.127287	CFDMQkVECU57h3PX8	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826270499.117371	CTvEBA1GwAFEQ1fjm3	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826270559.123058	CY2Z1tURavHUbUsy8	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826270619.126776	CCOnGH1MGQc7p0hN8d	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826270679.121718	CtPvk43UibkEHmOw1j	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826270739.130345	CJaGT94Ti4s2luIMBc	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826270799.119478	Cg83M931pmrV8GC0pi	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826270859.127121	CeAGrg4I3hgwLQ9ped	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826270919.123056	CnlrR03oJaOWrN097j	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826270979.122865	CRTFq64xkdFnctAKwc	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826271039.124649	CGem7d3XR2QHHSOYji	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826271099.126441	C024Nj4HWnhFJ81M64	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826271159.258051	CfXmNjBJp75foJpd9	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826271219.127113	CrEayz1eD9GTrz8Y53	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826271279.124989	Ci0nfuMIEuVJmt7i8	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826271339.312208	CwsHTI1VV3Mapq3JUf	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826271399.140270	CXxqku2XyO459abgNl	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826271459.141075	ClV2Sz3Wbm2KI3Aykf	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826271519.250200	COSa6z2GfzPVC6IU7l	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826271579.409125	CyhFOF3AlU5ldWAh51	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826271639.133701	CTphQUC6FsQ7Pc3c6	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826271699.173537	CvIRDa2JIcPTHwOzD	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826271759.143099	CkRhH311OHJC37qwP5	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826271819.143934	Cs80ki2gw3ZytSkSk1	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826271879.135946	CVNNMTmRHQ1nmgEr6	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826271939.145541	CDjsA92jGnIrWwmen	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826271999.175638	CEGAU41fmLzfokibz5	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826272059.134518	Cgjnxj2FGUGghGjl0g	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826272119.147027	CzwqRq2ZMdFDXF7SSl	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826272179.165321	CNIYow3aGTpZG5Lwff	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826272239.165094	C0wxrC2oh2NvdLyS2l	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826272299.148322	CsBX9J35z92vlcc5Z1	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826272359.146201	CzNwjLPsNsM5MP0b7	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826272419.156786	CPoAWZ1q59HEVrHqt2	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826272479.147862	CcFZ1DMmH4Nw9VdA7	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826272539.253121	CgcnPS1gdTOrnw73Zd	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826272599.142672	CXZWtR28FmUuBpdqMj	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826272659.190310	CL66cY39eyJmt1Szwe	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826272719.281883	CmmJ8M2LjmU3sNn5pk	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826272779.149966	CexyGR3qdZc1xNIlTd	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826272839.205443	C1X2YU2QoT1gqr8JGj	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826272899.287243	CRegG14xprok8xywBe	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826272959.229489	CIEsOI2X4FKkTFo2uk	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826273019.146353	C09mmO3bRbx57NjpJ1	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826273079.280873	Cdl6oMv1BHLtMDkV6	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826273139.194825	CfJ5112KWuVskZ0HJ2	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826273199.225903	CqLMPBGsbXRdtUtQ7	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826273259.252096	C8X5DR17Hp9bfaVBdb	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826273319.162128	CzIyAr31qz9bGarR0h	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826273379.159026	CZoZfy4czV3zClMiNb	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826273439.171553	CaDWHm3kTkHanHl1Gh	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826273499.155754	Cyishs4sgq9fNoXtK4	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826273559.177995	C9vudbOXZQA9B0CW9	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826273619.166103	Ch46Sp1V5dGKgYqFc5	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826273679.164928	CwSmt25rkIZHOqkja	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826273739.212569	COsTdi1CSKBNLzMNu4	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826273799.387098	C9E0icOq6OYbw9WG9	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826273859.390835	CroGWq1fXDMZPsmVs5	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826273919.382854	CUn5h1Nqv4CEGGAza	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826273979.901520	CuhG1h1RTDzEEmRU7b	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826274039.467417	CfFJ4v3zIzUo6M3aVg	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826274099.227156	Cz86KB4aTGSyVoJfSb	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826274159.250414	CsZJnj3MWxJnAxYXKh	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826274220.639673	CmjbXo4l1XsezwjWic	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826274279.311579	CRaMZf3BznfsodvVuh	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826274339.187456	CTqWBu4i1kiTEKkOnb	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826274399.171677	C6Uunp3wuIvKv5wCug	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826274459.276903	CK3xaF4wb9wWDbGe25	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826274519.208411	CHj1F46MnKcTFnDPa	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826274579.166270	CBzXmb1R4jNIY08Ue4	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826274639.178783	CKscZhpQ5DQNRPt7a	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826274699.193243	CUOgwn1CdZZoZAJCW4	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826274759.247733	Chx588yB7Y3Ru71Ka	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826274819.455453	CXzXPe1HaAgcyhhWj4	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826274879.173217	CS9UDe3EmKAFUEvca	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826274939.183773	CGaUak1pS34VtUfl3c	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826274999.291933	CLAb3h3ZG3AkYlLkfh	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826275059.171716	CP1qFv4QrMNauss9Eb	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826275119.176430	CkK7ao36Yrcl7aYXKg	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826275179.189919	CodeXD4rZOR8P3Kaj2	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826275239.245368	C1TWfFlgITHbC4m68	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826275299.176864	Cpw8WL1GOSYEEmxlt1	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826275359.180574	CiL83Si69XlCuu2m7	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826275419.174541	Ck9RCX1wQGgnMMV22f	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826275479.181199	CFnkoF2EcZr07J0aek	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826275539.177143	CXbh3U3HYt17yxGp9e	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826275599.302874	CCr3jP2zuVd7GT81gj	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826275659.277325	Covt454UXFgiOAfsMe	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826275719.190276	C9gOrG24TBMF9W0zYj	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826275779.245738	ClRG6V3NIS9LSh7Lpe	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826275839.184073	CKOJ5O2VuUzYUqfmwj	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826275899.188765	C2x5R34nWHFTeyxyd2	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826275959.183704	CVaXIIlxeciFQbK08	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826276019.182550	CtZcpP1wCjNTf5lny1	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826276079.189208	CykLHOizs1YAAC4r7	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826276139.187077	CS1yhU1t4BtRuPqzvf	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826276199.201536	CD4PMw2HDWrOAeRbCk	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826276259.191597	CLNTxM36sAassMYSqg	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826276319.218739	Cyd1rn26q23XJRrYCl	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826276379.186349	CUNa6C3mHG9SjXRb7	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826276439.283767	CH4mza1CNUxcBcRRZ5	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826276499.197714	CbLp9g2TsoMisWLkU	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826276559.229740	CCZedXr40eAWuIxH6	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826276619.195407	C0PdT328d2kMJqfTc	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826276679.191323	C5kf571WImOClVUy56	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826276739.195159	CxPeFc25Oaub5b9oP	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826276799.217455	CMXvx01JGPUrNmLAC6	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826276859.244611	CKtqd72reKmsiZhfLf	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826276919.195650	CrJeIv2rkwLiMY1SRk	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826276979.196463	CNFntL3ebatMlZICag	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826277039.286081	CQneDo2i7ixIkiwIml	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826277099.213676	CyjsiD3XC4sd6SL5Q2	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826277159.197878	CJMhWzP65ZGORRDI8	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826277219.225014	CXUytF1uB9h8qQ24G3	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826277279.235554	CgXzbnY8ehRGnItt9	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826277339.221727	CwSaTt1WOQdWARLCMc	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+826277399.202051	Crxoq73mwTQ1DczsTh	128.3.140.132	2035	194.140.136.34	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	(empty)	-	-
+#close	2016-06-07-00-54-15
diff --git a/testing/btest/Baseline/scripts.policy.protocols.http.header-names/http.log b/testing/btest/Baseline/scripts.policy.protocols.http.header-names/http.log
index 08ee00ffd0..def45ae028 100644
--- a/testing/btest/Baseline/scripts.policy.protocols.http.header-names/http.log
+++ b/testing/btest/Baseline/scripts.policy.protocols.http.header-names/http.log
@@ -3,21 +3,21 @@
 #empty_field	(empty)
 #unset_field	-
 #path	http
-#open	2016-01-15-18-41-07
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	version	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	filename	tags	username	password	proxied	orig_fuids	orig_mime_types	resp_fuids	resp_mime_types	client_header_names	server_header_names
-#types	time	string	addr	port	addr	port	count	string	string	string	string	string	string	count	count	count	string	count	string	string	set[enum]	string	string	set[string]	vector[string]	vector[string]	vector[string]	vector[string]	vector[string]	vector[string]
-1300475168.784020	CRJuHdVW0XPVINV8a	141.142.220.118	48649	208.80.152.118	80	1	GET	bits.wikimedia.org	/skins-1.5/monobook/main.css	http://www.wikipedia.org/	1.1	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	-	(empty)	-	-	-	-	-	-	-	HOST,USER-AGENT,ACCEPT,ACCEPT-LANGUAGE,ACCEPT-ENCODING,ACCEPT-CHARSET,KEEP-ALIVE,CONNECTION,REFERER,IF-MODIFIED-SINCE,IF-NONE-MATCH,CACHE-CONTROL	DATE,VIA,X-VARNISH,LAST-MODIFIED,ETAG,VARY,CONNECTION
-1300475168.916018	CJ3xTn1c4Zw9TmAE05	141.142.220.118	49997	208.80.152.3	80	1	GET	upload.wikimedia.org	/wikipedia/commons/6/63/Wikipedia-logo.png	http://www.wikipedia.org/	1.0	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	-	(empty)	-	-	-	-	-	-	-	HOST,USER-AGENT,ACCEPT,ACCEPT-LANGUAGE,ACCEPT-ENCODING,ACCEPT-CHARSET,KEEP-ALIVE,CONNECTION,REFERER,IF-MODIFIED-SINCE,IF-NONE-MATCH,CACHE-CONTROL	DATE,CONTENT-TYPE,LAST-MODIFIED,ETAG,AGE,X-CACHE,X-CACHE-LOOKUP,X-CACHE,X-CACHE-LOOKUP,CONNECTION
-1300475168.916183	C7XEbhP654jzLoe3a	141.142.220.118	49996	208.80.152.3	80	1	GET	upload.wikimedia.org	/wikipedia/commons/thumb/b/bb/Wikipedia_wordmark.svg/174px-Wikipedia_wordmark.svg.png	http://www.wikipedia.org/	1.0	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	-	(empty)	-	-	-	-	-	-	-	HOST,USER-AGENT,ACCEPT,ACCEPT-LANGUAGE,ACCEPT-ENCODING,ACCEPT-CHARSET,KEEP-ALIVE,CONNECTION,REFERER,IF-MODIFIED-SINCE,IF-NONE-MATCH,CACHE-CONTROL	DATE,CONTENT-TYPE,LAST-MODIFIED,ETAG,AGE,X-CACHE,X-CACHE-LOOKUP,X-CACHE,X-CACHE-LOOKUP,CONNECTION
-1300475168.918358	C3SfNE4BWaU4aSuwkc	141.142.220.118	49998	208.80.152.3	80	1	GET	upload.wikimedia.org	/wikipedia/commons/b/bd/Bookshelf-40x201_6.png	http://www.wikipedia.org/	1.0	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	-	(empty)	-	-	-	-	-	-	-	HOST,USER-AGENT,ACCEPT,ACCEPT-LANGUAGE,ACCEPT-ENCODING,ACCEPT-CHARSET,KEEP-ALIVE,CONNECTION,REFERER,IF-MODIFIED-SINCE,IF-NONE-MATCH,CACHE-CONTROL	DATE,CONTENT-TYPE,LAST-MODIFIED,ETAG,AGE,X-CACHE,X-CACHE-LOOKUP,X-CACHE,X-CACHE-LOOKUP,CONNECTION
-1300475168.952307	CyAhVIzHqb7t7kv28	141.142.220.118	50000	208.80.152.3	80	1	GET	upload.wikimedia.org	/wikipedia/commons/thumb/8/8a/Wikinews-logo.png/35px-Wikinews-logo.png	http://www.wikipedia.org/	1.0	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	-	(empty)	-	-	-	-	-	-	-	HOST,USER-AGENT,ACCEPT,ACCEPT-LANGUAGE,ACCEPT-ENCODING,ACCEPT-CHARSET,KEEP-ALIVE,CONNECTION,REFERER,IF-MODIFIED-SINCE,IF-NONE-MATCH,CACHE-CONTROL	DATE,CONTENT-TYPE,LAST-MODIFIED,ETAG,AGE,X-CACHE,X-CACHE-LOOKUP,X-CACHE,X-CACHE-LOOKUP,CONNECTION
-1300475168.952296	CzA03V1VcgagLjnO92	141.142.220.118	49999	208.80.152.3	80	1	GET	upload.wikimedia.org	/wikipedia/commons/4/4a/Wiktionary-logo-en-35px.png	http://www.wikipedia.org/	1.0	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	-	(empty)	-	-	-	-	-	-	-	HOST,USER-AGENT,ACCEPT,ACCEPT-LANGUAGE,ACCEPT-ENCODING,ACCEPT-CHARSET,KEEP-ALIVE,CONNECTION,REFERER,IF-MODIFIED-SINCE,IF-NONE-MATCH,CACHE-CONTROL	DATE,CONTENT-TYPE,LAST-MODIFIED,ETAG,AGE,X-CACHE,X-CACHE-LOOKUP,X-CACHE,X-CACHE-LOOKUP,CONNECTION
-1300475168.954820	CkDsfG2YIeWJmXWNWj	141.142.220.118	50001	208.80.152.3	80	1	GET	upload.wikimedia.org	/wikipedia/commons/thumb/f/fa/Wikiquote-logo.svg/35px-Wikiquote-logo.svg.png	http://www.wikipedia.org/	1.0	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	-	(empty)	-	-	-	-	-	-	-	HOST,USER-AGENT,ACCEPT,ACCEPT-LANGUAGE,ACCEPT-ENCODING,ACCEPT-CHARSET,KEEP-ALIVE,CONNECTION,REFERER,IF-MODIFIED-SINCE,IF-NONE-MATCH,CACHE-CONTROL	DATE,CONTENT-TYPE,LAST-MODIFIED,ETAG,AGE,X-CACHE,X-CACHE-LOOKUP,X-CACHE,X-CACHE-LOOKUP,CONNECTION
-1300475168.962687	Cn78a440HlxuyZKs6f	141.142.220.118	35642	208.80.152.2	80	1	GET	meta.wikimedia.org	/images/wikimedia-button.png	http://www.wikipedia.org/	1.0	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	-	(empty)	-	-	-	-	-	-	-	HOST,USER-AGENT,ACCEPT,ACCEPT-LANGUAGE,ACCEPT-ENCODING,ACCEPT-CHARSET,KEEP-ALIVE,CONNECTION,REFERER,IF-MODIFIED-SINCE,IF-NONE-MATCH,CACHE-CONTROL	DATE,CONTENT-TYPE,EXPIRES,LAST-MODIFIED,ETAG,AGE,X-CACHE,X-CACHE-LOOKUP,X-CACHE,X-CACHE-LOOKUP,CONNECTION
-1300475168.975934	CJ3xTn1c4Zw9TmAE05	141.142.220.118	49997	208.80.152.3	80	2	GET	upload.wikimedia.org	/wikipedia/commons/thumb/f/fa/Wikibooks-logo.svg/35px-Wikibooks-logo.svg.png	http://www.wikipedia.org/	1.0	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	-	(empty)	-	-	-	-	-	-	-	HOST,USER-AGENT,ACCEPT,ACCEPT-LANGUAGE,ACCEPT-ENCODING,ACCEPT-CHARSET,KEEP-ALIVE,CONNECTION,REFERER,IF-MODIFIED-SINCE,IF-NONE-MATCH,CACHE-CONTROL	DATE,CONTENT-TYPE,LAST-MODIFIED,ETAG,AGE,X-CACHE,X-CACHE-LOOKUP,X-CACHE,X-CACHE-LOOKUP,CONNECTION
-1300475168.976436	C7XEbhP654jzLoe3a	141.142.220.118	49996	208.80.152.3	80	2	GET	upload.wikimedia.org	/wikipedia/commons/thumb/d/df/Wikispecies-logo.svg/35px-Wikispecies-logo.svg.png	http://www.wikipedia.org/	1.0	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	-	(empty)	-	-	-	-	-	-	-	HOST,USER-AGENT,ACCEPT,ACCEPT-LANGUAGE,ACCEPT-ENCODING,ACCEPT-CHARSET,KEEP-ALIVE,CONNECTION,REFERER,IF-MODIFIED-SINCE,IF-NONE-MATCH,CACHE-CONTROL	DATE,CONTENT-TYPE,LAST-MODIFIED,ETAG,AGE,X-CACHE,X-CACHE-LOOKUP,X-CACHE,X-CACHE-LOOKUP,CONNECTION
-1300475168.979264	C3SfNE4BWaU4aSuwkc	141.142.220.118	49998	208.80.152.3	80	2	GET	upload.wikimedia.org	/wikipedia/commons/thumb/4/4c/Wikisource-logo.svg/35px-Wikisource-logo.svg.png	http://www.wikipedia.org/	1.0	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	-	(empty)	-	-	-	-	-	-	-	HOST,USER-AGENT,ACCEPT,ACCEPT-LANGUAGE,ACCEPT-ENCODING,ACCEPT-CHARSET,KEEP-ALIVE,CONNECTION,REFERER,IF-MODIFIED-SINCE,IF-NONE-MATCH,CACHE-CONTROL	DATE,CONTENT-TYPE,LAST-MODIFIED,ETAG,AGE,X-CACHE,X-CACHE-LOOKUP,X-CACHE,X-CACHE-LOOKUP,CONNECTION
-1300475169.014619	CyAhVIzHqb7t7kv28	141.142.220.118	50000	208.80.152.3	80	2	GET	upload.wikimedia.org	/wikipedia/commons/thumb/4/4a/Commons-logo.svg/35px-Commons-logo.svg.png	http://www.wikipedia.org/	1.0	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	-	(empty)	-	-	-	-	-	-	-	HOST,USER-AGENT,ACCEPT,ACCEPT-LANGUAGE,ACCEPT-ENCODING,ACCEPT-CHARSET,KEEP-ALIVE,CONNECTION,REFERER,IF-MODIFIED-SINCE,IF-NONE-MATCH,CACHE-CONTROL	DATE,CONTENT-TYPE,LAST-MODIFIED,ETAG,AGE,X-CACHE,X-CACHE-LOOKUP,X-CACHE,X-CACHE-LOOKUP,CONNECTION
-1300475169.014593	CzA03V1VcgagLjnO92	141.142.220.118	49999	208.80.152.3	80	2	GET	upload.wikimedia.org	/wikipedia/commons/thumb/9/91/Wikiversity-logo.svg/35px-Wikiversity-logo.svg.png	http://www.wikipedia.org/	1.0	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	-	(empty)	-	-	-	-	-	-	-	HOST,USER-AGENT,ACCEPT,ACCEPT-LANGUAGE,ACCEPT-ENCODING,ACCEPT-CHARSET,KEEP-ALIVE,CONNECTION,REFERER,IF-MODIFIED-SINCE,IF-NONE-MATCH,CACHE-CONTROL	DATE,CONTENT-TYPE,LAST-MODIFIED,ETAG,AGE,X-CACHE,X-CACHE-LOOKUP,X-CACHE,X-CACHE-LOOKUP,CONNECTION
-1300475169.014927	CkDsfG2YIeWJmXWNWj	141.142.220.118	50001	208.80.152.3	80	2	GET	upload.wikimedia.org	/wikipedia/commons/thumb/7/75/Wikimedia_Community_Logo.svg/35px-Wikimedia_Community_Logo.svg.png	http://www.wikipedia.org/	1.0	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	-	(empty)	-	-	-	-	-	-	-	HOST,USER-AGENT,ACCEPT,ACCEPT-LANGUAGE,ACCEPT-ENCODING,ACCEPT-CHARSET,KEEP-ALIVE,CONNECTION,REFERER,IF-MODIFIED-SINCE,IF-NONE-MATCH,CACHE-CONTROL	DATE,CONTENT-TYPE,LAST-MODIFIED,ETAG,AGE,X-CACHE,X-CACHE-LOOKUP,X-CACHE,X-CACHE-LOOKUP,CONNECTION
-#close	2016-01-15-18-41-07
+#open	2016-06-15-05-42-37
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	version	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	tags	username	password	proxied	orig_fuids	orig_filenames	orig_mime_types	resp_fuids	resp_filenames	resp_mime_types	client_header_names	server_header_names
+#types	time	string	addr	port	addr	port	count	string	string	string	string	string	string	count	count	count	string	count	string	set[enum]	string	string	set[string]	vector[string]	vector[string]	vector[string]	vector[string]	vector[string]	vector[string]	vector[string]	vector[string]
+1300475168.784020	CRJuHdVW0XPVINV8a	141.142.220.118	48649	208.80.152.118	80	1	GET	bits.wikimedia.org	/skins-1.5/monobook/main.css	http://www.wikipedia.org/	1.1	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	(empty)	-	-	-	-	-	-	-	-	-	HOST,USER-AGENT,ACCEPT,ACCEPT-LANGUAGE,ACCEPT-ENCODING,ACCEPT-CHARSET,KEEP-ALIVE,CONNECTION,REFERER,IF-MODIFIED-SINCE,IF-NONE-MATCH,CACHE-CONTROL	DATE,VIA,X-VARNISH,LAST-MODIFIED,ETAG,VARY,CONNECTION
+1300475168.916018	CJ3xTn1c4Zw9TmAE05	141.142.220.118	49997	208.80.152.3	80	1	GET	upload.wikimedia.org	/wikipedia/commons/6/63/Wikipedia-logo.png	http://www.wikipedia.org/	1.0	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	(empty)	-	-	-	-	-	-	-	-	-	HOST,USER-AGENT,ACCEPT,ACCEPT-LANGUAGE,ACCEPT-ENCODING,ACCEPT-CHARSET,KEEP-ALIVE,CONNECTION,REFERER,IF-MODIFIED-SINCE,IF-NONE-MATCH,CACHE-CONTROL	DATE,CONTENT-TYPE,LAST-MODIFIED,ETAG,AGE,X-CACHE,X-CACHE-LOOKUP,X-CACHE,X-CACHE-LOOKUP,CONNECTION
+1300475168.916183	C7XEbhP654jzLoe3a	141.142.220.118	49996	208.80.152.3	80	1	GET	upload.wikimedia.org	/wikipedia/commons/thumb/b/bb/Wikipedia_wordmark.svg/174px-Wikipedia_wordmark.svg.png	http://www.wikipedia.org/	1.0	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	(empty)	-	-	-	-	-	-	-	-	-	HOST,USER-AGENT,ACCEPT,ACCEPT-LANGUAGE,ACCEPT-ENCODING,ACCEPT-CHARSET,KEEP-ALIVE,CONNECTION,REFERER,IF-MODIFIED-SINCE,IF-NONE-MATCH,CACHE-CONTROL	DATE,CONTENT-TYPE,LAST-MODIFIED,ETAG,AGE,X-CACHE,X-CACHE-LOOKUP,X-CACHE,X-CACHE-LOOKUP,CONNECTION
+1300475168.918358	C3SfNE4BWaU4aSuwkc	141.142.220.118	49998	208.80.152.3	80	1	GET	upload.wikimedia.org	/wikipedia/commons/b/bd/Bookshelf-40x201_6.png	http://www.wikipedia.org/	1.0	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	(empty)	-	-	-	-	-	-	-	-	-	HOST,USER-AGENT,ACCEPT,ACCEPT-LANGUAGE,ACCEPT-ENCODING,ACCEPT-CHARSET,KEEP-ALIVE,CONNECTION,REFERER,IF-MODIFIED-SINCE,IF-NONE-MATCH,CACHE-CONTROL	DATE,CONTENT-TYPE,LAST-MODIFIED,ETAG,AGE,X-CACHE,X-CACHE-LOOKUP,X-CACHE,X-CACHE-LOOKUP,CONNECTION
+1300475168.952307	CyAhVIzHqb7t7kv28	141.142.220.118	50000	208.80.152.3	80	1	GET	upload.wikimedia.org	/wikipedia/commons/thumb/8/8a/Wikinews-logo.png/35px-Wikinews-logo.png	http://www.wikipedia.org/	1.0	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	(empty)	-	-	-	-	-	-	-	-	-	HOST,USER-AGENT,ACCEPT,ACCEPT-LANGUAGE,ACCEPT-ENCODING,ACCEPT-CHARSET,KEEP-ALIVE,CONNECTION,REFERER,IF-MODIFIED-SINCE,IF-NONE-MATCH,CACHE-CONTROL	DATE,CONTENT-TYPE,LAST-MODIFIED,ETAG,AGE,X-CACHE,X-CACHE-LOOKUP,X-CACHE,X-CACHE-LOOKUP,CONNECTION
+1300475168.952296	CzA03V1VcgagLjnO92	141.142.220.118	49999	208.80.152.3	80	1	GET	upload.wikimedia.org	/wikipedia/commons/4/4a/Wiktionary-logo-en-35px.png	http://www.wikipedia.org/	1.0	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	(empty)	-	-	-	-	-	-	-	-	-	HOST,USER-AGENT,ACCEPT,ACCEPT-LANGUAGE,ACCEPT-ENCODING,ACCEPT-CHARSET,KEEP-ALIVE,CONNECTION,REFERER,IF-MODIFIED-SINCE,IF-NONE-MATCH,CACHE-CONTROL	DATE,CONTENT-TYPE,LAST-MODIFIED,ETAG,AGE,X-CACHE,X-CACHE-LOOKUP,X-CACHE,X-CACHE-LOOKUP,CONNECTION
+1300475168.954820	CkDsfG2YIeWJmXWNWj	141.142.220.118	50001	208.80.152.3	80	1	GET	upload.wikimedia.org	/wikipedia/commons/thumb/f/fa/Wikiquote-logo.svg/35px-Wikiquote-logo.svg.png	http://www.wikipedia.org/	1.0	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	(empty)	-	-	-	-	-	-	-	-	-	HOST,USER-AGENT,ACCEPT,ACCEPT-LANGUAGE,ACCEPT-ENCODING,ACCEPT-CHARSET,KEEP-ALIVE,CONNECTION,REFERER,IF-MODIFIED-SINCE,IF-NONE-MATCH,CACHE-CONTROL	DATE,CONTENT-TYPE,LAST-MODIFIED,ETAG,AGE,X-CACHE,X-CACHE-LOOKUP,X-CACHE,X-CACHE-LOOKUP,CONNECTION
+1300475168.962687	Cn78a440HlxuyZKs6f	141.142.220.118	35642	208.80.152.2	80	1	GET	meta.wikimedia.org	/images/wikimedia-button.png	http://www.wikipedia.org/	1.0	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	(empty)	-	-	-	-	-	-	-	-	-	HOST,USER-AGENT,ACCEPT,ACCEPT-LANGUAGE,ACCEPT-ENCODING,ACCEPT-CHARSET,KEEP-ALIVE,CONNECTION,REFERER,IF-MODIFIED-SINCE,IF-NONE-MATCH,CACHE-CONTROL	DATE,CONTENT-TYPE,EXPIRES,LAST-MODIFIED,ETAG,AGE,X-CACHE,X-CACHE-LOOKUP,X-CACHE,X-CACHE-LOOKUP,CONNECTION
+1300475168.975934	CJ3xTn1c4Zw9TmAE05	141.142.220.118	49997	208.80.152.3	80	2	GET	upload.wikimedia.org	/wikipedia/commons/thumb/f/fa/Wikibooks-logo.svg/35px-Wikibooks-logo.svg.png	http://www.wikipedia.org/	1.0	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	(empty)	-	-	-	-	-	-	-	-	-	HOST,USER-AGENT,ACCEPT,ACCEPT-LANGUAGE,ACCEPT-ENCODING,ACCEPT-CHARSET,KEEP-ALIVE,CONNECTION,REFERER,IF-MODIFIED-SINCE,IF-NONE-MATCH,CACHE-CONTROL	DATE,CONTENT-TYPE,LAST-MODIFIED,ETAG,AGE,X-CACHE,X-CACHE-LOOKUP,X-CACHE,X-CACHE-LOOKUP,CONNECTION
+1300475168.976436	C7XEbhP654jzLoe3a	141.142.220.118	49996	208.80.152.3	80	2	GET	upload.wikimedia.org	/wikipedia/commons/thumb/d/df/Wikispecies-logo.svg/35px-Wikispecies-logo.svg.png	http://www.wikipedia.org/	1.0	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	(empty)	-	-	-	-	-	-	-	-	-	HOST,USER-AGENT,ACCEPT,ACCEPT-LANGUAGE,ACCEPT-ENCODING,ACCEPT-CHARSET,KEEP-ALIVE,CONNECTION,REFERER,IF-MODIFIED-SINCE,IF-NONE-MATCH,CACHE-CONTROL	DATE,CONTENT-TYPE,LAST-MODIFIED,ETAG,AGE,X-CACHE,X-CACHE-LOOKUP,X-CACHE,X-CACHE-LOOKUP,CONNECTION
+1300475168.979264	C3SfNE4BWaU4aSuwkc	141.142.220.118	49998	208.80.152.3	80	2	GET	upload.wikimedia.org	/wikipedia/commons/thumb/4/4c/Wikisource-logo.svg/35px-Wikisource-logo.svg.png	http://www.wikipedia.org/	1.0	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	(empty)	-	-	-	-	-	-	-	-	-	HOST,USER-AGENT,ACCEPT,ACCEPT-LANGUAGE,ACCEPT-ENCODING,ACCEPT-CHARSET,KEEP-ALIVE,CONNECTION,REFERER,IF-MODIFIED-SINCE,IF-NONE-MATCH,CACHE-CONTROL	DATE,CONTENT-TYPE,LAST-MODIFIED,ETAG,AGE,X-CACHE,X-CACHE-LOOKUP,X-CACHE,X-CACHE-LOOKUP,CONNECTION
+1300475169.014619	CyAhVIzHqb7t7kv28	141.142.220.118	50000	208.80.152.3	80	2	GET	upload.wikimedia.org	/wikipedia/commons/thumb/4/4a/Commons-logo.svg/35px-Commons-logo.svg.png	http://www.wikipedia.org/	1.0	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	(empty)	-	-	-	-	-	-	-	-	-	HOST,USER-AGENT,ACCEPT,ACCEPT-LANGUAGE,ACCEPT-ENCODING,ACCEPT-CHARSET,KEEP-ALIVE,CONNECTION,REFERER,IF-MODIFIED-SINCE,IF-NONE-MATCH,CACHE-CONTROL	DATE,CONTENT-TYPE,LAST-MODIFIED,ETAG,AGE,X-CACHE,X-CACHE-LOOKUP,X-CACHE,X-CACHE-LOOKUP,CONNECTION
+1300475169.014593	CzA03V1VcgagLjnO92	141.142.220.118	49999	208.80.152.3	80	2	GET	upload.wikimedia.org	/wikipedia/commons/thumb/9/91/Wikiversity-logo.svg/35px-Wikiversity-logo.svg.png	http://www.wikipedia.org/	1.0	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	(empty)	-	-	-	-	-	-	-	-	-	HOST,USER-AGENT,ACCEPT,ACCEPT-LANGUAGE,ACCEPT-ENCODING,ACCEPT-CHARSET,KEEP-ALIVE,CONNECTION,REFERER,IF-MODIFIED-SINCE,IF-NONE-MATCH,CACHE-CONTROL	DATE,CONTENT-TYPE,LAST-MODIFIED,ETAG,AGE,X-CACHE,X-CACHE-LOOKUP,X-CACHE,X-CACHE-LOOKUP,CONNECTION
+1300475169.014927	CkDsfG2YIeWJmXWNWj	141.142.220.118	50001	208.80.152.3	80	2	GET	upload.wikimedia.org	/wikipedia/commons/thumb/7/75/Wikimedia_Community_Logo.svg/35px-Wikimedia_Community_Logo.svg.png	http://www.wikipedia.org/	1.0	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	(empty)	-	-	-	-	-	-	-	-	-	HOST,USER-AGENT,ACCEPT,ACCEPT-LANGUAGE,ACCEPT-ENCODING,ACCEPT-CHARSET,KEEP-ALIVE,CONNECTION,REFERER,IF-MODIFIED-SINCE,IF-NONE-MATCH,CACHE-CONTROL	DATE,CONTENT-TYPE,LAST-MODIFIED,ETAG,AGE,X-CACHE,X-CACHE-LOOKUP,X-CACHE,X-CACHE-LOOKUP,CONNECTION
+#close	2016-06-15-05-42-37
diff --git a/testing/btest/Traces/arp-who-has.pcap b/testing/btest/Traces/arp-who-has.pcap
new file mode 100644
index 0000000000..085dddf1fe
Binary files /dev/null and b/testing/btest/Traces/arp-who-has.pcap differ
diff --git a/testing/btest/Traces/dns-caa.pcap b/testing/btest/Traces/dns-caa.pcap
new file mode 100644
index 0000000000..7409c0347b
Binary files /dev/null and b/testing/btest/Traces/dns-caa.pcap differ
diff --git a/testing/btest/Traces/dns-huge-ttl.pcap b/testing/btest/Traces/dns-huge-ttl.pcap
new file mode 100644
index 0000000000..27849b904b
Binary files /dev/null and b/testing/btest/Traces/dns-huge-ttl.pcap differ
diff --git a/testing/btest/Traces/ftp/cwd-navigation.pcap b/testing/btest/Traces/ftp/cwd-navigation.pcap
new file mode 100644
index 0000000000..0b0990c241
Binary files /dev/null and b/testing/btest/Traces/ftp/cwd-navigation.pcap differ
diff --git a/testing/btest/Traces/ftp/ftp-with-numbers-in-filename.pcap b/testing/btest/Traces/ftp/ftp-with-numbers-in-filename.pcap
new file mode 100644
index 0000000000..02b4254ef2
Binary files /dev/null and b/testing/btest/Traces/ftp/ftp-with-numbers-in-filename.pcap differ
diff --git a/testing/btest/Traces/http/http-bad-request-with-version.trace b/testing/btest/Traces/http/http-bad-request-with-version.trace
new file mode 100644
index 0000000000..6503d1b366
Binary files /dev/null and b/testing/btest/Traces/http/http-bad-request-with-version.trace differ
diff --git a/testing/btest/Traces/http/http-filename.pcap b/testing/btest/Traces/http/http-filename.pcap
new file mode 100644
index 0000000000..204c6b4005
Binary files /dev/null and b/testing/btest/Traces/http/http-filename.pcap differ
diff --git a/testing/btest/Traces/irc-basic.trace b/testing/btest/Traces/irc-basic.trace
new file mode 100644
index 0000000000..ca164f66b1
Binary files /dev/null and b/testing/btest/Traces/irc-basic.trace differ
diff --git a/testing/btest/Traces/irc-whitespace.trace b/testing/btest/Traces/irc-whitespace.trace
new file mode 100644
index 0000000000..a99af06b5e
Binary files /dev/null and b/testing/btest/Traces/irc-whitespace.trace differ
diff --git a/testing/btest/Traces/llc.pcap b/testing/btest/Traces/llc.pcap
new file mode 100644
index 0000000000..6ee9dd709b
Binary files /dev/null and b/testing/btest/Traces/llc.pcap differ
diff --git a/testing/btest/Traces/negative-time.pcap b/testing/btest/Traces/negative-time.pcap
new file mode 100644
index 0000000000..a216f1eb6e
Binary files /dev/null and b/testing/btest/Traces/negative-time.pcap differ
diff --git a/testing/btest/Traces/rfb/vnc-mac-to-linux.pcap b/testing/btest/Traces/rfb/vnc-mac-to-linux.pcap
new file mode 100644
index 0000000000..3856b94cae
Binary files /dev/null and b/testing/btest/Traces/rfb/vnc-mac-to-linux.pcap differ
diff --git a/testing/btest/Traces/rfb/vncmac.pcap b/testing/btest/Traces/rfb/vncmac.pcap
new file mode 100644
index 0000000000..026078185d
Binary files /dev/null and b/testing/btest/Traces/rfb/vncmac.pcap differ
diff --git a/testing/btest/Traces/tls/CVE-2015-3194.pcap b/testing/btest/Traces/tls/CVE-2015-3194.pcap
new file mode 100644
index 0000000000..c4a69bcc91
Binary files /dev/null and b/testing/btest/Traces/tls/CVE-2015-3194.pcap differ
diff --git a/testing/btest/Traces/tls/imap-starttls.pcap b/testing/btest/Traces/tls/imap-starttls.pcap
new file mode 100644
index 0000000000..f6bfe5458d
Binary files /dev/null and b/testing/btest/Traces/tls/imap-starttls.pcap differ
diff --git a/testing/btest/Traces/tls/telesec.pcap b/testing/btest/Traces/tls/telesec.pcap
new file mode 100644
index 0000000000..0f27b68d59
Binary files /dev/null and b/testing/btest/Traces/tls/telesec.pcap differ
diff --git a/testing/btest/Traces/tls/webrtc-stun.pcap b/testing/btest/Traces/tls/webrtc-stun.pcap
new file mode 100644
index 0000000000..6eb5f90372
Binary files /dev/null and b/testing/btest/Traces/tls/webrtc-stun.pcap differ
diff --git a/testing/btest/Traces/tls/xmpp-dialback-starttls.pcap b/testing/btest/Traces/tls/xmpp-dialback-starttls.pcap
new file mode 100644
index 0000000000..ad55c6eceb
Binary files /dev/null and b/testing/btest/Traces/tls/xmpp-dialback-starttls.pcap differ
diff --git a/testing/btest/Traces/tls/xmpp-starttls.pcap b/testing/btest/Traces/tls/xmpp-starttls.pcap
new file mode 100644
index 0000000000..b4a7ee61e1
Binary files /dev/null and b/testing/btest/Traces/tls/xmpp-starttls.pcap differ
diff --git a/testing/btest/bifs/check_subnet.bro b/testing/btest/bifs/check_subnet.bro
new file mode 100644
index 0000000000..b725cae73c
--- /dev/null
+++ b/testing/btest/bifs/check_subnet.bro
@@ -0,0 +1,39 @@
+# @TEST-EXEC: bro -b %INPUT >output
+# @TEST-EXEC: btest-diff output
+
+global testt: set[subnet] = {
+	10.0.0.0/8,
+	10.2.0.0/16,
+	10.2.0.2/31,
+	10.1.0.0/16,
+	10.3.0.0/16,
+	5.0.0.0/8,
+	5.5.0.0/25,
+	5.2.0.0/32,
+	7.2.0.0/32,
+	[2607:f8b0:4008:807::200e]/64,
+	[2607:f8b0:4007:807::200e]/64,
+	[2607:f8b0:4007:807::200e]/128
+};
+
+function check_member(s: subnet)
+	{
+	if ( s in testt )
+		print fmt("in says: %s is member", s);
+	else
+		print fmt("in says: %s is no member", s);
+
+	if ( check_subnet(s, testt) )
+		print fmt("check_subnet says: %s is member", s);
+	else
+		print fmt("check_subnet says: %s is no member", s);
+
+	}
+
+event bro_init()
+	{
+	check_member(10.2.0.2/32);
+	check_member(10.2.0.2/31);
+	check_member(10.6.0.0/9);
+	check_member(10.2.0.0/8);
+	}
diff --git a/testing/btest/bifs/filter_subnet_table.bro b/testing/btest/bifs/filter_subnet_table.bro
new file mode 100644
index 0000000000..7659096a71
--- /dev/null
+++ b/testing/btest/bifs/filter_subnet_table.bro
@@ -0,0 +1,49 @@
+# @TEST-EXEC: bro -b %INPUT >output
+# @TEST-EXEC: btest-diff output
+
+global testa: set[subnet] = {
+	10.0.0.0/8,
+	10.2.0.0/16,
+	10.2.0.2/31,
+	10.1.0.0/16,
+	10.3.0.0/16,
+	5.0.0.0/8,
+	5.5.0.0/25,
+	5.2.0.0/32,
+	7.2.0.0/32,
+	[2607:f8b0:4008:807::200e]/64,
+	[2607:f8b0:4007:807::200e]/64,
+	[2607:f8b0:4007:807::200e]/128
+};
+
+global testb: table[subnet] of string = {
+	[10.0.0.0/8] = "a",
+	[10.2.0.0/16] = "b",
+	[10.2.0.2/31] = "c",
+	[10.1.0.0/16] = "d",
+	[10.3.0.0/16] = "e",
+	[5.0.0.0/8] = "f",
+	[5.5.0.0/25] = "g",
+	[5.2.0.0/32] = "h",
+	[7.2.0.0/32] = "i",
+	[[2607:f8b0:4008:807::200e]/64] = "j",
+	[[2607:f8b0:4007:807::200e]/64] = "k",
+	[[2607:f8b0:4007:807::200e]/128] = "l"
+};
+
+
+event bro_init()
+	{
+	local c = filter_subnet_table(10.2.0.2/32, testa);
+	print c;
+	c = filter_subnet_table(10.2.0.2/32, testb);
+	print c;
+	c = filter_subnet_table(10.3.0.2/32, testb);
+	print c;
+	c = filter_subnet_table(1.0.0.0/8, testb);
+	print c;
+
+	local unspecified: table[subnet] of string = table();
+	c = filter_subnet_table(10.2.0.2/32, unspecified);
+	print c;
+	}
diff --git a/testing/btest/bifs/fmt.bro b/testing/btest/bifs/fmt.bro
index 93607c2740..7fc4dc38d7 100644
--- a/testing/btest/bifs/fmt.bro
+++ b/testing/btest/bifs/fmt.bro
@@ -65,26 +65,16 @@ event bro_init()
 	print fmt("%.3g", 3.1e+2);
 	print fmt("%.7g", 3.1e+2);
 
-	# Tests comparing "%As" and "%s" (the string length is printed instead
-	# of the string itself because the print command does its own escaping)
-	local s0 = "\x00\x07";
-	local s1 = fmt("%As", s0); # expands \x00 to "\0"
-	local s2 = fmt("%s", s0);  # expands \x00 to "\0", and \x07 to "^G"
+	# Tests of "%s" with non-printable characters (the string length is printed
+	# instead of the string itself because the print command does its own
+	# escaping)
+	local s0 = "\x00\x1f";
+	local s1 = fmt("%s", s0);
 	print |s0|;
 	print |s1|;
-	print |s2|;
-
-	s0 = "\x07\x1f";
-	s1 = fmt("%As", s0);
-	s2 = fmt("%s", s0);  # expands \x07 to "^G", and \x1f to "\x1f"
-	print |s0|;
-	print |s1|;
-	print |s2|;
 
 	s0 = "\x7f\xff";
-	s1 = fmt("%As", s0);
-	s2 = fmt("%s", s0);  # expands \x7f to "^?", and \xff to "\xff"
+	s1 = fmt("%s", s0);
 	print |s0|;
 	print |s1|;
-	print |s2|;
 	}
diff --git a/testing/btest/bifs/get_current_packet_header.bro b/testing/btest/bifs/get_current_packet_header.bro
new file mode 100644
index 0000000000..24144545ef
--- /dev/null
+++ b/testing/btest/bifs/get_current_packet_header.bro
@@ -0,0 +1,8 @@
+# @TEST-EXEC: bro -C -r $TRACES/icmp/icmp6-neighbor-solicit.pcap %INPUT > output
+# @TEST-EXEC: btest-diff output
+
+event icmp_neighbor_solicitation(c: connection, icmp: icmp_conn, tgt: addr, options: icmp6_nd_options)
+	{
+	local hdr: raw_pkt_hdr = get_current_packet_header();
+	print fmt("%s", hdr);
+	}
\ No newline at end of file
diff --git a/testing/btest/bifs/haversine_distance.bro b/testing/btest/bifs/haversine_distance.bro
new file mode 100644
index 0000000000..b0a87a2c2d
--- /dev/null
+++ b/testing/btest/bifs/haversine_distance.bro
@@ -0,0 +1,30 @@
+#
+# @TEST-EXEC: bro -b %INPUT >out
+# @TEST-EXEC: btest-diff out
+
+function test(la1: double, lo1: double, la2: double, lo2: double)
+	{
+	print fmt("%.4e", haversine_distance(la1, lo1, la2, lo2));
+	}
+
+event bro_init()
+	{
+	# Test two arbitrary locations.
+	test(37.866798, -122.253601, 48.25, 11.65);
+	# Swap the order of locations to verify the distance doesn't change.
+	test(48.25, 11.65, 37.866798, -122.253601);
+
+	# Distance of one second of latitude (crossing the equator).
+	test(.0001388889, 0, -.0001388889, 0);
+
+	# Distance of one second of longitude (crossing the prime meridian).
+	test(38, 0.000138999, 38, -0.000138999);
+
+	# Distance of one minute of longitude (test extreme longitude values).
+	test(38, 180, 38, -179.98333);
+
+	# Two locations on opposite ends of the Earth.
+	test(45, -90, -45, 90);
+	# Same, but verify that extreme latitude values work.
+	test(90, 0, -90, 0);
+	}
diff --git a/testing/btest/bifs/matching_subnets.bro b/testing/btest/bifs/matching_subnets.bro
new file mode 100644
index 0000000000..87effed19f
--- /dev/null
+++ b/testing/btest/bifs/matching_subnets.bro
@@ -0,0 +1,30 @@
+# @TEST-EXEC: bro -b %INPUT >output
+# @TEST-EXEC: btest-diff output
+
+global testt: set[subnet] = {
+	10.0.0.0/8,
+	10.2.0.0/16,
+	10.2.0.2/31,
+	10.1.0.0/16,
+	10.3.0.0/16,
+	5.0.0.0/8,
+	5.5.0.0/25,
+	5.2.0.0/32,
+	7.2.0.0/32,
+	[2607:f8b0:4008:807::200e]/64,
+	[2607:f8b0:4007:807::200e]/64,
+	[2607:f8b0:4007:807::200e]/128
+};
+
+event bro_init()
+	{
+	print testt;
+	local c = matching_subnets(10.2.0.2/32, testt);
+	print c;
+	c = matching_subnets([2607:f8b0:4007:807::200e]/128, testt);
+	print c;
+	c = matching_subnets(128.0.0.1/32, testt);
+	print c;
+	c = matching_subnets(10.0.0.2/8, testt);
+	print c;
+	}
diff --git a/testing/btest/bifs/net_stats_trace.test b/testing/btest/bifs/net_stats_trace.test
index fcf3e9ba0d..cd9ee52a27 100644
--- a/testing/btest/bifs/net_stats_trace.test
+++ b/testing/btest/bifs/net_stats_trace.test
@@ -4,5 +4,5 @@
 
 event bro_done()
 	{
-	print net_stats();
+	print get_net_stats();
 	}
diff --git a/testing/btest/bifs/resource_usage.bro b/testing/btest/bifs/resource_usage.bro
deleted file mode 100644
index 5cf3f0f962..0000000000
--- a/testing/btest/bifs/resource_usage.bro
+++ /dev/null
@@ -1,9 +0,0 @@
-#
-# @TEST-EXEC: bro -b %INPUT
-
-event bro_init()
-	{
-	local a = resource_usage();
-	if ( a$version != bro_version() )
-		exit(1);
-	}
diff --git a/testing/btest/bifs/subnet_to_addr.bro b/testing/btest/bifs/subnet_to_addr.bro
new file mode 100644
index 0000000000..02bb6254e0
--- /dev/null
+++ b/testing/btest/bifs/subnet_to_addr.bro
@@ -0,0 +1,14 @@
+# @TEST-EXEC: bro -b %INPUT >output 2>error
+# @TEST-EXEC: btest-diff output
+# @TEST-EXEC: btest-diff error
+
+function test_to_addr(sn: subnet, expect: addr)
+	{
+	local result = subnet_to_addr(sn);
+	print fmt("subnet_to_addr(%s) = %s (%s)", sn, result,
+	          result == expect ? "SUCCESS" : "FAILURE");
+	}
+
+test_to_addr(0.0.0.0/32, 0.0.0.0);
+test_to_addr(1.2.3.4/16, 1.2.0.0);
+test_to_addr([2607:f8b0:4005:803::200e]/128, [2607:f8b0:4005:803::200e]);
diff --git a/testing/btest/bifs/subnet_version.bro b/testing/btest/bifs/subnet_version.bro
new file mode 100644
index 0000000000..1efd633f68
--- /dev/null
+++ b/testing/btest/bifs/subnet_version.bro
@@ -0,0 +1,7 @@
+# @TEST-EXEC: bro -b %INPUT >out
+# @TEST-EXEC: btest-diff out
+
+print is_v4_subnet(1.2.3.4/16);
+print is_v4_subnet([2607:f8b0:4005:801::200e]/64);
+print is_v6_subnet(1.2.3.4/24);
+print is_v6_subnet([2607:f8b0:4005:801::200e]/12);
diff --git a/testing/btest/broker/clone_store.bro b/testing/btest/broker/clone_store.bro
index 1973595bab..1ed35826dc 100644
--- a/testing/btest/broker/clone_store.bro
+++ b/testing/btest/broker/clone_store.bro
@@ -1,8 +1,8 @@
 # @TEST-SERIALIZE: brokercomm
-# @TEST-REQUIRES: grep -q ENABLE_BROKER $BUILD/CMakeCache.txt
+# @TEST-REQUIRES: grep -q ENABLE_BROKER:BOOL=true $BUILD/CMakeCache.txt
 
-# @TEST-EXEC: btest-bg-run clone "bro -b -r $TRACES/wikipedia.trace ../clone.bro broker_port=$BROKER_PORT >clone.out"
-# @TEST-EXEC: btest-bg-run master "bro -b -r $TRACES/wikipedia.trace ../master.bro broker_port=$BROKER_PORT >master.out"
+# @TEST-EXEC: btest-bg-run clone "bro -b ../clone.bro broker_port=$BROKER_PORT >clone.out"
+# @TEST-EXEC: btest-bg-run master "bro -b ../master.bro broker_port=$BROKER_PORT >master.out"
 
 # @TEST-EXEC: btest-bg-wait 60
 # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff clone/clone.out
@@ -13,7 +13,7 @@
 const broker_port: port &redef;
 redef exit_only_after_terminate = T;
 
-global h: opaque of BrokerStore::Handle;
+global h: opaque of Broker::Handle;
 global expected_key_count = 4;
 global key_count = 0;
 
@@ -21,7 +21,7 @@ global query_timeout = 30sec;
 
 function do_lookup(key: string)
 	{
-	when ( local res = BrokerStore::lookup(h, BrokerComm::data(key)) )
+	when ( local res = Broker::lookup(h, Broker::data(key)) )
 		{
 		++key_count;
 		print "lookup", key, res;
@@ -38,15 +38,15 @@ function do_lookup(key: string)
 
 event ready()
 	{
-	h = BrokerStore::create_clone("mystore");
+	h = Broker::create_clone("mystore");
 
-	when ( local res = BrokerStore::keys(h) )
+	when ( local res = Broker::keys(h) )
 		{
 		print "clone keys", res;
-		do_lookup(BrokerComm::refine_to_string(BrokerComm::vector_lookup(res$result, 0)));
-		do_lookup(BrokerComm::refine_to_string(BrokerComm::vector_lookup(res$result, 1)));
-		do_lookup(BrokerComm::refine_to_string(BrokerComm::vector_lookup(res$result, 2)));
-		do_lookup(BrokerComm::refine_to_string(BrokerComm::vector_lookup(res$result, 3)));
+		do_lookup(Broker::refine_to_string(Broker::vector_lookup(res$result, 0)));
+		do_lookup(Broker::refine_to_string(Broker::vector_lookup(res$result, 1)));
+		do_lookup(Broker::refine_to_string(Broker::vector_lookup(res$result, 2)));
+		do_lookup(Broker::refine_to_string(Broker::vector_lookup(res$result, 3)));
 		}
 	timeout query_timeout
 		{
@@ -57,9 +57,9 @@ event ready()
 
 event bro_init()
 	{
-	BrokerComm::enable();
-	BrokerComm::subscribe_to_events("bro/event/ready");
-	BrokerComm::listen(broker_port, "127.0.0.1");
+	Broker::enable();
+	Broker::subscribe_to_events("bro/event/ready");
+	Broker::listen(broker_port, "127.0.0.1");
 	}
 
 @TEST-END-FILE
@@ -71,42 +71,42 @@ global query_timeout = 15sec;
 const broker_port: port &redef;
 redef exit_only_after_terminate = T;
 
-global h: opaque of BrokerStore::Handle;
+global h: opaque of Broker::Handle;
 
-function dv(d: BrokerComm::Data): BrokerComm::DataVector
+function dv(d: Broker::Data): Broker::DataVector
 	{
-	local rval: BrokerComm::DataVector;
+	local rval: Broker::DataVector;
 	rval[0] = d;
 	return rval;
 	}
 
 global ready: event();
 
-event BrokerComm::outgoing_connection_broken(peer_address: string,
+event Broker::outgoing_connection_broken(peer_address: string,
                                        peer_port: port)
 	{
 	terminate();
 	}
 
-event BrokerComm::outgoing_connection_established(peer_address: string,
+event Broker::outgoing_connection_established(peer_address: string,
                                             peer_port: port,
                                             peer_name: string)
 	{
 	local myset: set[string] = {"a", "b", "c"};
 	local myvec: vector of string = {"alpha", "beta", "gamma"};
-	h = BrokerStore::create_master("mystore");
-	BrokerStore::insert(h, BrokerComm::data("one"), BrokerComm::data(110));
-	BrokerStore::insert(h, BrokerComm::data("two"), BrokerComm::data(223));
-	BrokerStore::insert(h, BrokerComm::data("myset"), BrokerComm::data(myset));
-	BrokerStore::insert(h, BrokerComm::data("myvec"), BrokerComm::data(myvec));
-	BrokerStore::increment(h, BrokerComm::data("one"));
-	BrokerStore::decrement(h, BrokerComm::data("two"));
-	BrokerStore::add_to_set(h, BrokerComm::data("myset"), BrokerComm::data("d"));
-	BrokerStore::remove_from_set(h, BrokerComm::data("myset"), BrokerComm::data("b"));
-	BrokerStore::push_left(h, BrokerComm::data("myvec"), dv(BrokerComm::data("delta")));
-	BrokerStore::push_right(h, BrokerComm::data("myvec"), dv(BrokerComm::data("omega")));
+	h = Broker::create_master("mystore");
+	Broker::insert(h, Broker::data("one"), Broker::data(110));
+	Broker::insert(h, Broker::data("two"), Broker::data(223));
+	Broker::insert(h, Broker::data("myset"), Broker::data(myset));
+	Broker::insert(h, Broker::data("myvec"), Broker::data(myvec));
+	Broker::increment(h, Broker::data("one"));
+	Broker::decrement(h, Broker::data("two"));
+	Broker::add_to_set(h, Broker::data("myset"), Broker::data("d"));
+	Broker::remove_from_set(h, Broker::data("myset"), Broker::data("b"));
+	Broker::push_left(h, Broker::data("myvec"), dv(Broker::data("delta")));
+	Broker::push_right(h, Broker::data("myvec"), dv(Broker::data("omega")));
 
-	when ( local res = BrokerStore::size(h) )
+	when ( local res = Broker::size(h) )
 		{ event ready(); }
 	timeout query_timeout
 		{
@@ -117,9 +117,9 @@ event BrokerComm::outgoing_connection_established(peer_address: string,
 
 event bro_init()
 	{
-	BrokerComm::enable();
-	BrokerComm::auto_event("bro/event/ready", ready);
-	BrokerComm::connect("127.0.0.1", broker_port, 1secs);
+	Broker::enable();
+	Broker::auto_event("bro/event/ready", ready);
+	Broker::connect("127.0.0.1", broker_port, 1secs);
 	}
 
 @TEST-END-FILE
diff --git a/testing/btest/broker/connection_updates.bro b/testing/btest/broker/connection_updates.bro
index 1bbe90ccb5..d431a59dbe 100644
--- a/testing/btest/broker/connection_updates.bro
+++ b/testing/btest/broker/connection_updates.bro
@@ -1,5 +1,5 @@
 # @TEST-SERIALIZE: brokercomm
-# @TEST-REQUIRES: grep -q ENABLE_BROKER $BUILD/CMakeCache.txt
+# @TEST-REQUIRES: grep -q ENABLE_BROKER:BOOL=true $BUILD/CMakeCache.txt
 
 # @TEST-EXEC: btest-bg-run recv "bro -b ../recv.bro broker_port=$BROKER_PORT >recv.out"
 # @TEST-EXEC: btest-bg-run send "bro -b ../send.bro broker_port=$BROKER_PORT >send.out"
@@ -12,22 +12,22 @@
 
 const broker_port: port &redef;
 redef exit_only_after_terminate = T;
-redef BrokerComm::endpoint_name = "listener";
+redef Broker::endpoint_name = "listener";
 
 event bro_init()
 	{
-	BrokerComm::enable();
-	BrokerComm::listen(broker_port, "127.0.0.1");
+	Broker::enable();
+	Broker::listen(broker_port, "127.0.0.1");
 	}
 
-event BrokerComm::incoming_connection_established(peer_name: string)
+event Broker::incoming_connection_established(peer_name: string)
 	{
-	print "BrokerComm::incoming_connection_established", peer_name;;
+	print "Broker::incoming_connection_established", peer_name;
 	}
 
-event BrokerComm::incoming_connection_broken(peer_name: string)
+event Broker::incoming_connection_broken(peer_name: string)
 	{
-	print "BrokerComm::incoming_connection_broken", peer_name;;
+	print "Broker::incoming_connection_broken", peer_name;
 	terminate();
 	}
 
@@ -37,20 +37,20 @@ event BrokerComm::incoming_connection_broken(peer_name: string)
 
 const broker_port: port &redef;
 redef exit_only_after_terminate = T;
-redef BrokerComm::endpoint_name = "connector";
+redef Broker::endpoint_name = "connector";
 
 event bro_init()
 	{
-	BrokerComm::enable();
-	BrokerComm::connect("127.0.0.1", broker_port, 1sec);
+	Broker::enable();
+	Broker::connect("127.0.0.1", broker_port, 1sec);
 	}
 
-event BrokerComm::outgoing_connection_established(peer_address: string,
+event Broker::outgoing_connection_established(peer_address: string,
                                             peer_port: port,
                                             peer_name: string)
 	{
-	print "BrokerComm::outgoing_connection_established",
-	      peer_address, peer_port, peer_name;;
+	print "Broker::outgoing_connection_established",
+	      peer_address, peer_port, peer_name;
 	terminate();
 	}
 
diff --git a/testing/btest/broker/data.bro b/testing/btest/broker/data.bro
index bac7242c85..49474e3a5a 100644
--- a/testing/btest/broker/data.bro
+++ b/testing/btest/broker/data.bro
@@ -1,4 +1,4 @@
-# @TEST-REQUIRES: grep -q ENABLE_BROKER $BUILD/CMakeCache.txt
+# @TEST-REQUIRES: grep -q ENABLE_BROKER:BOOL=true $BUILD/CMakeCache.txt
 
 # @TEST-EXEC: bro -b %INPUT >out
 # @TEST-EXEC: btest-diff out
@@ -13,210 +13,243 @@ type bro_record : record {
 	c: count;
 };
 
-function comm_record_to_bro_record_recurse(it: opaque of BrokerComm::RecordIterator,
+function broker_to_bro_record_recurse(it: opaque of Broker::RecordIterator,
                                            rval: bro_record,
                                            idx: count): bro_record
 	{
-	if ( BrokerComm::record_iterator_last(it) )
+	if ( Broker::record_iterator_last(it) )
 		return rval;
 
-	local field_value = BrokerComm::record_iterator_value(it);
+	local field_value = Broker::record_iterator_value(it);
 
 	if ( field_value?$d )
 		switch ( idx ) {
 		case 0:
-			rval$a = BrokerComm::refine_to_string(field_value);
+			rval$a = Broker::refine_to_string(field_value);
 			break;
 		case 1:
-			rval$b = BrokerComm::refine_to_string(field_value);
+			rval$b = Broker::refine_to_string(field_value);
 			break;
 		case 2:
-			rval$c = BrokerComm::refine_to_count(field_value);
+			rval$c = Broker::refine_to_count(field_value);
 			break;
 		};
 
 	++idx;
-	BrokerComm::record_iterator_next(it);
-	return comm_record_to_bro_record_recurse(it, rval, idx);
+	Broker::record_iterator_next(it);
+	return broker_to_bro_record_recurse(it, rval, idx);
 	}
 
-function comm_record_to_bro_record(d: BrokerComm::Data): bro_record
+function broker_to_bro_record(d: Broker::Data): bro_record
 	{
-	return comm_record_to_bro_record_recurse(BrokerComm::record_iterator(d),
+	return broker_to_bro_record_recurse(Broker::record_iterator(d),
 	                                         bro_record($c = 0), 0);
 	}
 
 function
-comm_set_to_bro_set_recurse(it: opaque of BrokerComm::SetIterator,
+broker_to_bro_set_recurse(it: opaque of Broker::SetIterator,
                             rval: bro_set): bro_set
 	{
-	if ( BrokerComm::set_iterator_last(it) )
+	if ( Broker::set_iterator_last(it) )
 		return rval;
 
-	add rval[BrokerComm::refine_to_string(BrokerComm::set_iterator_value(it))];
-	BrokerComm::set_iterator_next(it);
-	return comm_set_to_bro_set_recurse(it, rval);
+	add rval[Broker::refine_to_string(Broker::set_iterator_value(it))];
+	Broker::set_iterator_next(it);
+	return broker_to_bro_set_recurse(it, rval);
 	}
 
 
-function comm_set_to_bro_set(d: BrokerComm::Data): bro_set
+function broker_to_bro_set(d: Broker::Data): bro_set
 	{
-	return comm_set_to_bro_set_recurse(BrokerComm::set_iterator(d), bro_set());
+	return broker_to_bro_set_recurse(Broker::set_iterator(d), bro_set());
 	}
 
 function
-comm_table_to_bro_table_recurse(it: opaque of BrokerComm::TableIterator,
+broker_to_bro_table_recurse(it: opaque of Broker::TableIterator,
                                 rval: bro_table): bro_table
 	{
-	if ( BrokerComm::table_iterator_last(it) )
+	if ( Broker::table_iterator_last(it) )
 		return rval;
 
-	local item = BrokerComm::table_iterator_value(it);
-	rval[BrokerComm::refine_to_string(item$key)] = BrokerComm::refine_to_count(item$val);
-	BrokerComm::table_iterator_next(it);
-	return comm_table_to_bro_table_recurse(it, rval);
+	local item = Broker::table_iterator_value(it);
+	rval[Broker::refine_to_string(item$key)] = Broker::refine_to_count(item$val);
+	Broker::table_iterator_next(it);
+	return broker_to_bro_table_recurse(it, rval);
 	}
 
-function comm_table_to_bro_table(d: BrokerComm::Data): bro_table
+function broker_to_bro_table(d: Broker::Data): bro_table
 	{
-	return comm_table_to_bro_table_recurse(BrokerComm::table_iterator(d),
+	return broker_to_bro_table_recurse(Broker::table_iterator(d),
 	                                       bro_table());
 	}
 
-function comm_vector_to_bro_vector_recurse(it: opaque of BrokerComm::VectorIterator,
+function broker_to_bro_vector_recurse(it: opaque of Broker::VectorIterator,
                                            rval: bro_vector): bro_vector
 	{
-	if ( BrokerComm::vector_iterator_last(it) )
+	if ( Broker::vector_iterator_last(it) )
 		return rval;
 
-	rval[|rval|] = BrokerComm::refine_to_string(BrokerComm::vector_iterator_value(it));
-	BrokerComm::vector_iterator_next(it);
-	return comm_vector_to_bro_vector_recurse(it, rval);
+	rval[|rval|] = Broker::refine_to_string(Broker::vector_iterator_value(it));
+	Broker::vector_iterator_next(it);
+	return broker_to_bro_vector_recurse(it, rval);
 	}
 
-function comm_vector_to_bro_vector(d: BrokerComm::Data): bro_vector
+function broker_to_bro_vector(d: Broker::Data): bro_vector
 	{
-	return comm_vector_to_bro_vector_recurse(BrokerComm::vector_iterator(d),
+	return broker_to_bro_vector_recurse(Broker::vector_iterator(d),
 	                                         bro_vector());
 	}
 
 event bro_init()
 {
-BrokerComm::enable();
-print BrokerComm::data_type(BrokerComm::data(T));
-print BrokerComm::data_type(BrokerComm::data(+1));
-print BrokerComm::data_type(BrokerComm::data(1));
-print BrokerComm::data_type(BrokerComm::data(1.1));
-print BrokerComm::data_type(BrokerComm::data("1 (how creative)"));
-print BrokerComm::data_type(BrokerComm::data(1.1.1.1));
-print BrokerComm::data_type(BrokerComm::data(1.1.1.1/1));
-print BrokerComm::data_type(BrokerComm::data(1/udp));
-print BrokerComm::data_type(BrokerComm::data(double_to_time(1)));
-print BrokerComm::data_type(BrokerComm::data(1sec));
-print BrokerComm::data_type(BrokerComm::data(BrokerComm::BOOL));
+Broker::enable();
+
+### Print every broker data type
+
+print Broker::data_type(Broker::data(T));
+print Broker::data_type(Broker::data(+1));
+print Broker::data_type(Broker::data(1));
+print Broker::data_type(Broker::data(1.1));
+print Broker::data_type(Broker::data("1 (how creative)"));
+print Broker::data_type(Broker::data(1.1.1.1));
+print Broker::data_type(Broker::data(1.1.1.1/1));
+print Broker::data_type(Broker::data(1/udp));
+print Broker::data_type(Broker::data(double_to_time(1)));
+print Broker::data_type(Broker::data(1sec));
+print Broker::data_type(Broker::data(Broker::BOOL));
 local s: bro_set = bro_set("one", "two", "three");
 local t: bro_table = bro_table(["one"] = 1, ["two"] = 2, ["three"] = 3);
 local v: bro_vector = bro_vector("zero", "one", "two");
 local r: bro_record = bro_record($c = 1);
-print BrokerComm::data_type(BrokerComm::data(s));
-print BrokerComm::data_type(BrokerComm::data(t));
-print BrokerComm::data_type(BrokerComm::data(v));
-print BrokerComm::data_type(BrokerComm::data(r));
+print Broker::data_type(Broker::data(s));
+print Broker::data_type(Broker::data(t));
+print Broker::data_type(Broker::data(v));
+print Broker::data_type(Broker::data(r));
 
 print "***************************";
 
-print BrokerComm::refine_to_bool(BrokerComm::data(T));
-print BrokerComm::refine_to_bool(BrokerComm::data(F));
-print BrokerComm::refine_to_int(BrokerComm::data(+1));
-print BrokerComm::refine_to_int(BrokerComm::data(+0));
-print BrokerComm::refine_to_int(BrokerComm::data(-1));
-print BrokerComm::refine_to_count(BrokerComm::data(1));
-print BrokerComm::refine_to_count(BrokerComm::data(0));
-print BrokerComm::refine_to_double(BrokerComm::data(1.1));
-print BrokerComm::refine_to_double(BrokerComm::data(-11.1));
-print BrokerComm::refine_to_string(BrokerComm::data("hello"));
-print BrokerComm::refine_to_addr(BrokerComm::data(1.2.3.4));
-print BrokerComm::refine_to_subnet(BrokerComm::data(192.168.1.1/16));
-print BrokerComm::refine_to_port(BrokerComm::data(22/tcp));
-print BrokerComm::refine_to_time(BrokerComm::data(double_to_time(42)));
-print BrokerComm::refine_to_interval(BrokerComm::data(3min));
-print BrokerComm::refine_to_enum_name(BrokerComm::data(BrokerComm::BOOL));
+### Convert a Bro value to a broker value, then print the result
 
-print "***************************";
+print Broker::refine_to_bool(Broker::data(T));
+print Broker::refine_to_bool(Broker::data(F));
+print Broker::refine_to_int(Broker::data(+1));
+print Broker::refine_to_int(Broker::data(+0));
+print Broker::refine_to_int(Broker::data(-1));
+print Broker::refine_to_count(Broker::data(1));
+print Broker::refine_to_count(Broker::data(0));
+print Broker::refine_to_double(Broker::data(1.1));
+print Broker::refine_to_double(Broker::data(-11.1));
+print Broker::refine_to_string(Broker::data("hello"));
+print Broker::refine_to_addr(Broker::data(1.2.3.4));
+print Broker::refine_to_subnet(Broker::data(192.168.1.1/16));
+print Broker::refine_to_port(Broker::data(22/tcp));
+print Broker::refine_to_time(Broker::data(double_to_time(42)));
+print Broker::refine_to_interval(Broker::data(3min));
+print Broker::refine_to_enum_name(Broker::data(Broker::BOOL));
 
-local cs = BrokerComm::data(s);
-print comm_set_to_bro_set(cs);
-cs = BrokerComm::set_create();
-print BrokerComm::set_size(cs);
-print BrokerComm::set_insert(cs, BrokerComm::data("hi"));
-print BrokerComm::set_size(cs);
-print BrokerComm::set_contains(cs, BrokerComm::data("hi"));
-print BrokerComm::set_contains(cs, BrokerComm::data("bye"));
-print BrokerComm::set_insert(cs, BrokerComm::data("bye"));
-print BrokerComm::set_size(cs);
-print BrokerComm::set_remove(cs, BrokerComm::data("hi"));
-print BrokerComm::set_size(cs);
-print BrokerComm::set_remove(cs, BrokerComm::data("hi"));
-print comm_set_to_bro_set(cs);
-BrokerComm::set_clear(cs);
-print BrokerComm::set_size(cs);
+local cs = Broker::data(s);
+print broker_to_bro_set(cs);
 
-print "***************************";
+local ct = Broker::data(t);
+print broker_to_bro_table(ct);
 
-local ct = BrokerComm::data(t);
-print comm_table_to_bro_table(ct);
-ct = BrokerComm::table_create();
-print BrokerComm::table_size(ct);
-print BrokerComm::table_insert(ct, BrokerComm::data("hi"), BrokerComm::data(42));
-print BrokerComm::table_size(ct);
-print BrokerComm::table_contains(ct, BrokerComm::data("hi"));
-print BrokerComm::refine_to_count(BrokerComm::table_lookup(ct, BrokerComm::data("hi")));
-print BrokerComm::table_contains(ct, BrokerComm::data("bye"));
-print BrokerComm::table_insert(ct, BrokerComm::data("bye"), BrokerComm::data(7));
-print BrokerComm::table_size(ct);
-print BrokerComm::table_insert(ct, BrokerComm::data("bye"), BrokerComm::data(37));
-print BrokerComm::table_size(ct);
-print BrokerComm::refine_to_count(BrokerComm::table_lookup(ct, BrokerComm::data("bye")));
-print BrokerComm::table_remove(ct, BrokerComm::data("hi"));
-print BrokerComm::table_size(ct);
+local cv = Broker::data(v);
+print broker_to_bro_vector(cv);
 
-print "***************************";
+local cr = Broker::data(r);
+print broker_to_bro_record(cr);
 
-local cv = BrokerComm::data(v);
-print comm_vector_to_bro_vector(cv);
-cv = BrokerComm::vector_create();
-print BrokerComm::vector_size(cv);
-print BrokerComm::vector_insert(cv, BrokerComm::data("hi"), 0);
-print BrokerComm::vector_insert(cv, BrokerComm::data("hello"), 1);
-print BrokerComm::vector_insert(cv, BrokerComm::data("greetings"), 2);
-print BrokerComm::vector_insert(cv, BrokerComm::data("salutations"), 1);
-print comm_vector_to_bro_vector(cv);
-print BrokerComm::vector_size(cv);
-print BrokerComm::vector_replace(cv, BrokerComm::data("bah"), 2);
-print BrokerComm::vector_lookup(cv, 2);
-print BrokerComm::vector_lookup(cv, 0);
-print comm_vector_to_bro_vector(cv);
-print BrokerComm::vector_remove(cv, 2);
-print comm_vector_to_bro_vector(cv);
-print BrokerComm::vector_size(cv);
-
-print "***************************";
-
-local cr = BrokerComm::data(r);
-print comm_record_to_bro_record(cr);
 r$a = "test";
-cr = BrokerComm::data(r);
-print comm_record_to_bro_record(cr);
+cr = Broker::data(r);
+print broker_to_bro_record(cr);
+
 r$b = "testagain";
-cr = BrokerComm::data(r);
-print comm_record_to_bro_record(cr);
-cr = BrokerComm::record_create(3);
-print BrokerComm::record_size(cr);
-print BrokerComm::record_assign(cr, BrokerComm::data("hi"), 0);
-print BrokerComm::record_assign(cr, BrokerComm::data("hello"), 1);
-print BrokerComm::record_assign(cr, BrokerComm::data(37), 2);
-print BrokerComm::record_lookup(cr, 0);
-print BrokerComm::record_lookup(cr, 1);
-print BrokerComm::record_lookup(cr, 2);
-print BrokerComm::record_size(cr);
+cr = Broker::data(r);
+print broker_to_bro_record(cr);
+
+print "***************************";
+
+### Test the broker set BIFs
+
+cs = Broker::set_create();
+print Broker::set_size(cs);
+print Broker::set_insert(cs, Broker::data("hi"));
+print Broker::set_size(cs);
+print Broker::set_contains(cs, Broker::data("hi"));
+print Broker::set_contains(cs, Broker::data("bye"));
+print Broker::set_insert(cs, Broker::data("bye"));
+print Broker::set_size(cs);
+print Broker::set_insert(cs, Broker::data("bye"));
+print Broker::set_size(cs);
+print Broker::set_remove(cs, Broker::data("hi"));
+print Broker::set_size(cs);
+print Broker::set_remove(cs, Broker::data("hi"));
+print broker_to_bro_set(cs);
+print Broker::set_clear(cs);
+print Broker::set_size(cs);
+print broker_to_bro_set(cs);
+
+print "***************************";
+
+### Test the broker table BIFs
+
+ct = Broker::table_create();
+print Broker::table_size(ct);
+print Broker::table_insert(ct, Broker::data("hi"), Broker::data(42));
+print Broker::table_size(ct);
+print Broker::table_contains(ct, Broker::data("hi"));
+print Broker::refine_to_count(Broker::table_lookup(ct, Broker::data("hi")));
+print Broker::table_contains(ct, Broker::data("bye"));
+print Broker::table_insert(ct, Broker::data("bye"), Broker::data(7));
+print Broker::table_size(ct);
+print Broker::table_insert(ct, Broker::data("bye"), Broker::data(37));
+print Broker::table_size(ct);
+print Broker::refine_to_count(Broker::table_lookup(ct, Broker::data("bye")));
+print Broker::table_remove(ct, Broker::data("hi"));
+print Broker::table_size(ct);
+print Broker::table_remove(ct, Broker::data("hi"));
+print Broker::table_size(ct);
+print Broker::table_clear(ct);
+print Broker::table_size(ct);
+print broker_to_bro_table(ct);
+
+print "***************************";
+
+### Test the broker vector BIFs
+
+cv = Broker::vector_create();
+print Broker::vector_size(cv);
+print Broker::vector_insert(cv, Broker::data("hi"), 0);
+print Broker::vector_insert(cv, Broker::data("hello"), 1);
+print Broker::vector_insert(cv, Broker::data("greetings"), 2);
+print Broker::vector_insert(cv, Broker::data("salutations"), 1);
+print broker_to_bro_vector(cv);
+print Broker::vector_size(cv);
+print Broker::vector_replace(cv, Broker::data("bah"), 2);
+print Broker::vector_lookup(cv, 2);
+print Broker::vector_lookup(cv, 0);
+print broker_to_bro_vector(cv);
+print Broker::vector_remove(cv, 2);
+print broker_to_bro_vector(cv);
+print Broker::vector_size(cv);
+print Broker::vector_clear(cv);
+print Broker::vector_size(cv);
+print broker_to_bro_vector(cv);
+
+print "***************************";
+
+### Test the broker record BIFs
+
+cr = Broker::record_create(3);
+print Broker::record_size(cr);
+print Broker::record_assign(cr, Broker::data("hi"), 0);
+print Broker::record_assign(cr, Broker::data("hello"), 1);
+print Broker::record_assign(cr, Broker::data(37), 2);
+print Broker::record_lookup(cr, 0);
+print Broker::record_lookup(cr, 1);
+print Broker::record_lookup(cr, 2);
+print Broker::record_size(cr);
+print Broker::record_assign(cr, Broker::data("goodbye"), 1);
+print Broker::record_size(cr);
+print Broker::record_lookup(cr, 1);
 }
diff --git a/testing/btest/broker/enable-and-exit.bro b/testing/btest/broker/enable-and-exit.bro
index 9f45672bb6..78800b31b0 100644
--- a/testing/btest/broker/enable-and-exit.bro
+++ b/testing/btest/broker/enable-and-exit.bro
@@ -1,4 +1,4 @@
-# @TEST-REQUIRES: grep -q ENABLE_BROKER $BUILD/CMakeCache.txt
+# @TEST-REQUIRES: grep -q ENABLE_BROKER:BOOL=true $BUILD/CMakeCache.txt
 
 # @TEST-EXEC: bro -b %INPUT >output
 # @TEST-EXEC: btest-diff output
@@ -11,7 +11,7 @@ event terminate_me() {
 }
 
 event bro_init() {
-        BrokerComm::enable();
+        Broker::enable();
 
         print "1";
         schedule 1sec { terminate_me() };
diff --git a/testing/btest/broker/master_store.bro b/testing/btest/broker/master_store.bro
index 2536addc0f..09f0f82880 100644
--- a/testing/btest/broker/master_store.bro
+++ b/testing/btest/broker/master_store.bro
@@ -1,4 +1,4 @@
-# @TEST-REQUIRES: grep -q ENABLE_BROKER $BUILD/CMakeCache.txt
+# @TEST-REQUIRES: grep -q ENABLE_BROKER:BOOL=true $BUILD/CMakeCache.txt
 
 # @TEST-EXEC: btest-bg-run master "bro -b %INPUT >out"
 # @TEST-EXEC: btest-bg-wait 60
@@ -6,7 +6,7 @@
 
 redef exit_only_after_terminate = T;
 
-global h: opaque of BrokerStore::Handle;
+global h: opaque of Broker::Handle;
 global lookup_count = 0;
 const lookup_expect_count = 5;
 global exists_count = 0;
@@ -20,13 +20,13 @@ global query_timeout = 30sec;
 
 event test_clear()
 	{
-	BrokerStore::clear(h);
+	Broker::clear(h);
 	event test_size("after clear");
 	}
 
 event test_size(where: string)
 	{
-	when ( local res = BrokerStore::size(h) )
+	when ( local res = Broker::size(h) )
 		{
 		if ( where == "" )
 			{
@@ -52,7 +52,7 @@ event test_size(where: string)
 
 event test_keys()
 	{
-	when ( local res = BrokerStore::keys(h) )
+	when ( local res = Broker::keys(h) )
 		{
 		print fmt("keys: %s", res);
 		event test_size();
@@ -66,7 +66,7 @@ event test_keys()
 
 event test_pop(key: string)
 	{
-	when ( local lres = BrokerStore::pop_left(h, BrokerComm::data(key)) )
+	when ( local lres = Broker::pop_left(h, Broker::data(key)) )
 		{
 		print fmt("pop_left(%s): %s", key, lres);
 		++pop_count;
@@ -83,7 +83,7 @@ event test_pop(key: string)
 			event test_keys();
 		}
 
-	when ( local rres = BrokerStore::pop_right(h, BrokerComm::data(key)) )
+	when ( local rres = Broker::pop_right(h, Broker::data(key)) )
 		{
 		print fmt("pop_right(%s): %s", key, rres);
 		++pop_count;
@@ -103,7 +103,7 @@ event test_pop(key: string)
 
 function do_exists(key: string)
 	{
-	when ( local res = BrokerStore::exists(h, BrokerComm::data(key)) )
+	when ( local res = Broker::exists(h, Broker::data(key)) )
 		{
 		print fmt("exists(%s): %s", key, res);
 		++exists_count;
@@ -123,7 +123,7 @@ function do_exists(key: string)
 
 event test_erase()
 	{
-	BrokerStore::erase(h, BrokerComm::data("two"));
+	Broker::erase(h, Broker::data("two"));
 	do_exists("one");
 	do_exists("two");
 	do_exists("myset");
@@ -132,7 +132,7 @@ event test_erase()
 
 function do_lookup(key: string)
 	{
-	when ( local res = BrokerStore::lookup(h, BrokerComm::data(key)) )
+	when ( local res = Broker::lookup(h, Broker::data(key)) )
 		{
 		print fmt("lookup(%s): %s", key, res);
 		++lookup_count;
@@ -150,29 +150,29 @@ function do_lookup(key: string)
 		}
 	}
 
-function dv(d: BrokerComm::Data): BrokerComm::DataVector
+function dv(d: Broker::Data): Broker::DataVector
 	{
-	local rval: BrokerComm::DataVector;
+	local rval: Broker::DataVector;
 	rval[0] = d;
 	return rval;
 	}
 
 event bro_init()
 	{
-	BrokerComm::enable();
+	Broker::enable();
 	local myset: set[string] = {"a", "b", "c"};
 	local myvec: vector of string = {"alpha", "beta", "gamma"};
-	h = BrokerStore::create_master("master");
-	BrokerStore::insert(h, BrokerComm::data("one"), BrokerComm::data(110));
-	BrokerStore::insert(h, BrokerComm::data("two"), BrokerComm::data(223));
-	BrokerStore::insert(h, BrokerComm::data("myset"), BrokerComm::data(myset));
-	BrokerStore::insert(h, BrokerComm::data("myvec"), BrokerComm::data(myvec));
-	BrokerStore::increment(h, BrokerComm::data("one"));
-	BrokerStore::decrement(h, BrokerComm::data("two"));
-	BrokerStore::add_to_set(h, BrokerComm::data("myset"), BrokerComm::data("d"));
-	BrokerStore::remove_from_set(h, BrokerComm::data("myset"), BrokerComm::data("b"));
-	BrokerStore::push_left(h, BrokerComm::data("myvec"), dv(BrokerComm::data("delta")));
-	BrokerStore::push_right(h, BrokerComm::data("myvec"), dv(BrokerComm::data("omega")));
+	h = Broker::create_master("master");
+	Broker::insert(h, Broker::data("one"), Broker::data(110));
+	Broker::insert(h, Broker::data("two"), Broker::data(223));
+	Broker::insert(h, Broker::data("myset"), Broker::data(myset));
+	Broker::insert(h, Broker::data("myvec"), Broker::data(myvec));
+	Broker::increment(h, Broker::data("one"));
+	Broker::decrement(h, Broker::data("two"));
+	Broker::add_to_set(h, Broker::data("myset"), Broker::data("d"));
+	Broker::remove_from_set(h, Broker::data("myset"), Broker::data("b"));
+	Broker::push_left(h, Broker::data("myvec"), dv(Broker::data("delta")));
+	Broker::push_right(h, Broker::data("myvec"), dv(Broker::data("omega")));
 	do_lookup("one");
 	do_lookup("two");
 	do_lookup("myset");
diff --git a/testing/btest/broker/remote_event.test b/testing/btest/broker/remote_event.test
index 6dbf8e77a0..5118f1a5e8 100644
--- a/testing/btest/broker/remote_event.test
+++ b/testing/btest/broker/remote_event.test
@@ -1,5 +1,5 @@
 # @TEST-SERIALIZE: brokercomm
-# @TEST-REQUIRES: grep -q ENABLE_BROKER $BUILD/CMakeCache.txt
+# @TEST-REQUIRES: grep -q ENABLE_BROKER:BOOL=true $BUILD/CMakeCache.txt
 
 # @TEST-EXEC: btest-bg-run recv "bro -b ../recv.bro broker_port=$BROKER_PORT >recv.out"
 # @TEST-EXEC: btest-bg-run send "bro -b ../send.bro broker_port=$BROKER_PORT >send.out"
@@ -18,10 +18,10 @@ global auto_event_handler: event(msg: string, c: count);
 
 event bro_init()
 	{
-	BrokerComm::enable();
-	BrokerComm::subscribe_to_events("bro/event/");
-	BrokerComm::auto_event("bro/event/my_topic", auto_event_handler);
-	BrokerComm::listen(broker_port, "127.0.0.1");
+	Broker::enable();
+	Broker::subscribe_to_events("bro/event/");
+	Broker::auto_event("bro/event/my_topic", auto_event_handler);
+	Broker::listen(broker_port, "127.0.0.1");
 	}
 
 global event_count = 0;
@@ -39,8 +39,8 @@ event event_handler(msg: string, n: count)
 		}
 
 	event auto_event_handler(msg, n);
-	local args = BrokerComm::event_args(event_handler, "pong", n);
-	BrokerComm::event("bro/event/my_topic", args);
+	local args = Broker::event_args(event_handler, "pong", n);
+	Broker::send_event("bro/event/my_topic", args);
 	}
 
 @TEST-END-FILE
@@ -55,24 +55,24 @@ global auto_event_handler: event(msg: string, c: count);
 
 event bro_init()
 	{
-	BrokerComm::enable();
-	BrokerComm::subscribe_to_events("bro/event/my_topic");
-	BrokerComm::connect("127.0.0.1", broker_port, 1secs);
+	Broker::enable();
+	Broker::subscribe_to_events("bro/event/my_topic");
+	Broker::connect("127.0.0.1", broker_port, 1secs);
 	}
 
 global event_count = 0;
 
-event BrokerComm::outgoing_connection_established(peer_address: string,
+event Broker::outgoing_connection_established(peer_address: string,
                                             peer_port: port,
                                             peer_name: string)
 	{
-	print "BrokerComm::outgoing_connection_established", peer_address, peer_port;
-	local args = BrokerComm::event_args(event_handler, "ping", event_count);
-	BrokerComm::event("bro/event/hi", args);
+	print "Broker::outgoing_connection_established", peer_address, peer_port;
+	local args = Broker::event_args(event_handler, "ping", event_count);
+	Broker::send_event("bro/event/hi", args);
 	++event_count;
 	}
 
-event BrokerComm::outgoing_connection_broken(peer_address: string,
+event Broker::outgoing_connection_broken(peer_address: string,
                                        peer_port: port)
 	{
 	terminate();
@@ -81,8 +81,8 @@ event BrokerComm::outgoing_connection_broken(peer_address: string,
 event event_handler(msg: string, n: count)
 	{
 	print "got event msg", msg, n;
-	local args = BrokerComm::event_args(event_handler, "ping", event_count);
-    BrokerComm::event("bro/event/hi", args);
+	local args = Broker::event_args(event_handler, "ping", event_count);
+    Broker::send_event("bro/event/hi", args);
 	++event_count;
 	}
 
diff --git a/testing/btest/broker/remote_log.test b/testing/btest/broker/remote_log.test
index d481f0ae25..5881ad6d92 100644
--- a/testing/btest/broker/remote_log.test
+++ b/testing/btest/broker/remote_log.test
@@ -1,5 +1,5 @@
 # @TEST-SERIALIZE: brokercomm
-# @TEST-REQUIRES: grep -q ENABLE_BROKER $BUILD/CMakeCache.txt
+# @TEST-REQUIRES: grep -q ENABLE_BROKER:BOOL=true $BUILD/CMakeCache.txt
 
 # @TEST-EXEC: btest-bg-run recv "bro -b ../common.bro ../recv.bro broker_port=$BROKER_PORT >recv.out"
 # @TEST-EXEC: btest-bg-run send "bro -b ../common.bro ../send.bro broker_port=$BROKER_PORT >send.out"
@@ -19,8 +19,8 @@ export {
 
 	type Info: record {
 		msg: string &log;
-		num: count &log;
 		nolog: string &default="no";
+		num: count &log;
 	};
 
 	global log_test: event(rec: Test::Info);
@@ -28,7 +28,7 @@ export {
 
 event bro_init() &priority=5
 	{
-	BrokerComm::enable();
+	Broker::enable();
 	Log::create_stream(Test::LOG, [$columns=Test::Info, $ev=log_test]);
 	}
 
@@ -41,8 +41,8 @@ redef exit_only_after_terminate = T;
 
 event bro_init()
 	{
-	BrokerComm::subscribe_to_logs("bro/log/");
-	BrokerComm::listen(broker_port, "127.0.0.1");
+	Broker::subscribe_to_logs("bro/log/");
+	Broker::listen(broker_port, "127.0.0.1");
 	}
 
 event Test::log_test(rec: Test::Info)
@@ -62,8 +62,8 @@ redef exit_only_after_terminate = T;
 
 event bro_init()
 	{
-	BrokerComm::enable_remote_logs(Test::LOG);
-	BrokerComm::connect("127.0.0.1", broker_port, 1secs);
+	Broker::enable_remote_logs(Test::LOG);
+	Broker::connect("127.0.0.1", broker_port, 1secs);
 	}
 
 global n = 0;
@@ -80,15 +80,15 @@ event do_write()
 		}
 	}
 
-event BrokerComm::outgoing_connection_established(peer_address: string,
+event Broker::outgoing_connection_established(peer_address: string,
                                             peer_port: port,
                                             peer_name: string)
 	{
-	print "BrokerComm::outgoing_connection_established", peer_address, peer_port;
+	print "Broker::outgoing_connection_established", peer_address, peer_port;
 	event do_write();
 	}
 
-event BrokerComm::outgoing_connection_broken(peer_address: string,
+event Broker::outgoing_connection_broken(peer_address: string,
                                        peer_port: port)
 	{
 	terminate();
diff --git a/testing/btest/broker/remote_print.test b/testing/btest/broker/remote_print.test
index b6430ec3be..c64e70fedc 100644
--- a/testing/btest/broker/remote_print.test
+++ b/testing/btest/broker/remote_print.test
@@ -1,5 +1,5 @@
 # @TEST-SERIALIZE: brokercomm
-# @TEST-REQUIRES: grep -q ENABLE_BROKER $BUILD/CMakeCache.txt
+# @TEST-REQUIRES: grep -q ENABLE_BROKER:BOOL=true $BUILD/CMakeCache.txt
 
 # @TEST-EXEC: btest-bg-run recv "bro -b ../recv.bro broker_port=$BROKER_PORT >recv.out"
 # @TEST-EXEC: btest-bg-run send "bro -b ../send.bro broker_port=$BROKER_PORT >send.out"
@@ -15,16 +15,16 @@ redef exit_only_after_terminate = T;
 
 event bro_init()
 	{
-	BrokerComm::enable();
-	BrokerComm::listen(broker_port, "127.0.0.1");
-	BrokerComm::subscribe_to_prints("bro/print/");
+	Broker::enable();
+	Broker::subscribe_to_prints("bro/print/");
+	Broker::listen(broker_port, "127.0.0.1");
 	}
 
 global messages_to_recv = 6;
 global messages_sent = 0;
 global messages_recv = 0;
 
-event BrokerComm::print_handler(msg: string)
+event Broker::print_handler(msg: string)
 	{
 	++messages_recv;
 	print "got print msg", msg;
@@ -35,7 +35,7 @@ event BrokerComm::print_handler(msg: string)
 		return;
 		}
 
-	BrokerComm::print("bro/print/my_topic", fmt("pong %d", messages_sent));
+	Broker::send_print("bro/print/my_topic", fmt("pong %d", messages_sent));
 	++messages_sent;
 	}
 
@@ -48,35 +48,35 @@ redef exit_only_after_terminate = T;
 
 event bro_init()
 	{
-	BrokerComm::enable();
-	BrokerComm::subscribe_to_prints("bro/print/my_topic");
-	BrokerComm::connect("127.0.0.1", broker_port, 1secs);
+	Broker::enable();
+	Broker::subscribe_to_prints("bro/print/my_topic");
+	Broker::connect("127.0.0.1", broker_port, 1secs);
 	}
 
 global messages_sent = 0;
 global messages_recv = 0;
 global peer_disconnected = F;
 
-event BrokerComm::outgoing_connection_established(peer_address: string,
+event Broker::outgoing_connection_established(peer_address: string,
                                             peer_port: port,
                                             peer_name: string)
 	{
-	print "BrokerComm::outgoing_connection_established", peer_address, peer_port;
-	BrokerComm::print("bro/print/hi", fmt("ping %d", messages_sent));
+	print "Broker::outgoing_connection_established", peer_address, peer_port;
+	Broker::send_print("bro/print/hi", fmt("ping %d", messages_sent));
 	++messages_sent;
 	}
 
-event BrokerComm::outgoing_connection_broken(peer_address: string,
+event Broker::outgoing_connection_broken(peer_address: string,
                                        peer_port: port)
 	{
 	terminate();
 	}
 
-event BrokerComm::print_handler(msg: string)
+event Broker::print_handler(msg: string)
 	{
 	++messages_recv;
 	print "got print msg", msg;
-	BrokerComm::print("bro/print/hi", fmt("ping %d", messages_sent));
+	Broker::send_print("bro/print/hi", fmt("ping %d", messages_sent));
 	++messages_sent;
 	}
 
diff --git a/testing/btest/core/ether-addrs.bro b/testing/btest/core/ether-addrs.bro
new file mode 100644
index 0000000000..2cb1d42b6f
--- /dev/null
+++ b/testing/btest/core/ether-addrs.bro
@@ -0,0 +1,11 @@
+# @TEST-EXEC: bro -C -b -r $TRACES/wikipedia.trace %INPUT >>output
+# @TEST-EXEC: bro -C -b -r $TRACES/radiotap.pcap %INPUT >>output
+# @TEST-EXEC: btest-diff output
+
+event new_connection(c: connection)
+	{
+	if ( c$orig?$l2_addr && c$resp?$l2_addr )
+		print c$orig$l2_addr, c$resp$l2_addr;
+        else
+		print "-", "-";
+	}
diff --git a/testing/btest/core/leaks/broker/clone_store.bro b/testing/btest/core/leaks/broker/clone_store.bro
index 06df81e1d5..c3b11a7a0d 100644
--- a/testing/btest/core/leaks/broker/clone_store.bro
+++ b/testing/btest/core/leaks/broker/clone_store.bro
@@ -1,5 +1,5 @@
 # @TEST-SERIALIZE: brokercomm
-# @TEST-REQUIRES: grep -q ENABLE_BROKER $BUILD/CMakeCache.txt
+# @TEST-REQUIRES: grep -q ENABLE_BROKER:BOOL=true $BUILD/CMakeCache.txt
 # @TEST-REQUIRES: bro --help 2>&1 | grep -q mem-leaks
 # @TEST-GROUP: leak
 
@@ -14,13 +14,13 @@
 const broker_port: port &redef;
 redef exit_only_after_terminate = T;
 
-global h: opaque of BrokerStore::Handle;
+global h: opaque of Broker::Handle;
 global expected_key_count = 4;
 global key_count = 0;
 
 function do_lookup(key: string)
 	{
-	when ( local res = BrokerStore::lookup(h, BrokerComm::data(key)) )
+	when ( local res = Broker::lookup(h, Broker::data(key)) )
 		{
 		++key_count;
 		print "lookup", key, res;
@@ -34,15 +34,15 @@ function do_lookup(key: string)
 
 event ready()
 	{
-	h = BrokerStore::create_clone("mystore");
+	h = Broker::create_clone("mystore");
 
-	when ( local res = BrokerStore::keys(h) )
+	when ( local res = Broker::keys(h) )
 		{
 		print "clone keys", res;
-		do_lookup(BrokerComm::refine_to_string(BrokerComm::vector_lookup(res$result, 0)));
-		do_lookup(BrokerComm::refine_to_string(BrokerComm::vector_lookup(res$result, 1)));
-		do_lookup(BrokerComm::refine_to_string(BrokerComm::vector_lookup(res$result, 2)));
-		do_lookup(BrokerComm::refine_to_string(BrokerComm::vector_lookup(res$result, 3)));
+		do_lookup(Broker::refine_to_string(Broker::vector_lookup(res$result, 0)));
+		do_lookup(Broker::refine_to_string(Broker::vector_lookup(res$result, 1)));
+		do_lookup(Broker::refine_to_string(Broker::vector_lookup(res$result, 2)));
+		do_lookup(Broker::refine_to_string(Broker::vector_lookup(res$result, 3)));
 		}
 	timeout 10sec
 		{ print "timeout"; }
@@ -50,9 +50,9 @@ event ready()
 
 event bro_init()
 	{
-	BrokerComm::enable();
-	BrokerComm::listen(broker_port, "127.0.0.1");
-	BrokerComm::subscribe_to_events("bro/event/ready");
+	Broker::enable();
+	Broker::subscribe_to_events("bro/event/ready");
+	Broker::listen(broker_port, "127.0.0.1");
 	}
 
 @TEST-END-FILE
@@ -62,41 +62,41 @@ event bro_init()
 const broker_port: port &redef;
 redef exit_only_after_terminate = T;
 
-global h: opaque of BrokerStore::Handle;
+global h: opaque of Broker::Handle;
 
-function dv(d: BrokerComm::Data): BrokerComm::DataVector
+function dv(d: Broker::Data): Broker::DataVector
 	{
-	local rval: BrokerComm::DataVector;
+	local rval: Broker::DataVector;
 	rval[0] = d;
 	return rval;
 	}
 
 global ready: event();
 
-event BrokerComm::outgoing_connection_broken(peer_address: string,
+event Broker::outgoing_connection_broken(peer_address: string,
                                        peer_port: port)
 	{
 	terminate();
 	}
 
-event BrokerComm::outgoing_connection_established(peer_address: string,
+event Broker::outgoing_connection_established(peer_address: string,
                                             peer_port: port,
                                             peer_name: string)
 	{
 	local myset: set[string] = {"a", "b", "c"};
 	local myvec: vector of string = {"alpha", "beta", "gamma"};
-	BrokerStore::insert(h, BrokerComm::data("one"), BrokerComm::data(110));
-	BrokerStore::insert(h, BrokerComm::data("two"), BrokerComm::data(223));
-	BrokerStore::insert(h, BrokerComm::data("myset"), BrokerComm::data(myset));
-	BrokerStore::insert(h, BrokerComm::data("myvec"), BrokerComm::data(myvec));
-	BrokerStore::increment(h, BrokerComm::data("one"));
-	BrokerStore::decrement(h, BrokerComm::data("two"));
-	BrokerStore::add_to_set(h, BrokerComm::data("myset"), BrokerComm::data("d"));
-	BrokerStore::remove_from_set(h, BrokerComm::data("myset"), BrokerComm::data("b"));
-	BrokerStore::push_left(h, BrokerComm::data("myvec"), dv(BrokerComm::data("delta")));
-	BrokerStore::push_right(h, BrokerComm::data("myvec"), dv(BrokerComm::data("omega")));
+	Broker::insert(h, Broker::data("one"), Broker::data(110));
+	Broker::insert(h, Broker::data("two"), Broker::data(223));
+	Broker::insert(h, Broker::data("myset"), Broker::data(myset));
+	Broker::insert(h, Broker::data("myvec"), Broker::data(myvec));
+	Broker::increment(h, Broker::data("one"));
+	Broker::decrement(h, Broker::data("two"));
+	Broker::add_to_set(h, Broker::data("myset"), Broker::data("d"));
+	Broker::remove_from_set(h, Broker::data("myset"), Broker::data("b"));
+	Broker::push_left(h, Broker::data("myvec"), dv(Broker::data("delta")));
+	Broker::push_right(h, Broker::data("myvec"), dv(Broker::data("omega")));
 
-	when ( local res = BrokerStore::size(h) )
+	when ( local res = Broker::size(h) )
 		{ event ready(); }
 	timeout 10sec
 		{ print "timeout"; }
@@ -104,10 +104,10 @@ event BrokerComm::outgoing_connection_established(peer_address: string,
 
 event bro_init()
 	{
-	BrokerComm::enable();
-	h = BrokerStore::create_master("mystore");
-	BrokerComm::connect("127.0.0.1", broker_port, 1secs);
-	BrokerComm::auto_event("bro/event/ready", ready);
+	Broker::enable();
+	Broker::auto_event("bro/event/ready", ready);
+	h = Broker::create_master("mystore");
+	Broker::connect("127.0.0.1", broker_port, 1secs);
 	}
 
 @TEST-END-FILE
diff --git a/testing/btest/core/leaks/broker/data.bro b/testing/btest/core/leaks/broker/data.bro
index d4f6402ae3..d67c879fbf 100644
--- a/testing/btest/core/leaks/broker/data.bro
+++ b/testing/btest/core/leaks/broker/data.bro
@@ -1,4 +1,4 @@
-# @TEST-REQUIRES: grep -q ENABLE_BROKER $BUILD/CMakeCache.txt
+# @TEST-REQUIRES: grep -q ENABLE_BROKER:BOOL=true $BUILD/CMakeCache.txt
 # @TEST-REQUIRES: bro --help 2>&1 | grep -q mem-leaks
 # @TEST-GROUP: leaks
 
@@ -16,218 +16,251 @@ type bro_record : record {
 	c: count;
 };
 
-function comm_record_to_bro_record_recurse(it: opaque of BrokerComm::RecordIterator,
+function broker_to_bro_record_recurse(it: opaque of Broker::RecordIterator,
                                            rval: bro_record,
                                            idx: count): bro_record
 	{
-	if ( BrokerComm::record_iterator_last(it) )
+	if ( Broker::record_iterator_last(it) )
 		return rval;
 
-	local field_value = BrokerComm::record_iterator_value(it);
+	local field_value = Broker::record_iterator_value(it);
 
 	if ( field_value?$d )
 		switch ( idx ) {
 		case 0:
-			rval$a = BrokerComm::refine_to_string(field_value);
+			rval$a = Broker::refine_to_string(field_value);
 			break;
 		case 1:
-			rval$b = BrokerComm::refine_to_string(field_value);
+			rval$b = Broker::refine_to_string(field_value);
 			break;
 		case 2:
-			rval$c = BrokerComm::refine_to_count(field_value);
+			rval$c = Broker::refine_to_count(field_value);
 			break;
 		};
 
 	++idx;
-	BrokerComm::record_iterator_next(it);
-	return comm_record_to_bro_record_recurse(it, rval, idx);
+	Broker::record_iterator_next(it);
+	return broker_to_bro_record_recurse(it, rval, idx);
 	}
 
-function comm_record_to_bro_record(d: BrokerComm::Data): bro_record
+function broker_to_bro_record(d: Broker::Data): bro_record
 	{
-	return comm_record_to_bro_record_recurse(BrokerComm::record_iterator(d),
+	return broker_to_bro_record_recurse(Broker::record_iterator(d),
 	                                         bro_record($c = 0), 0);
 	}
 
 function
-comm_set_to_bro_set_recurse(it: opaque of BrokerComm::SetIterator,
+broker_to_bro_set_recurse(it: opaque of Broker::SetIterator,
                             rval: bro_set): bro_set
 	{
-	if ( BrokerComm::set_iterator_last(it) )
+	if ( Broker::set_iterator_last(it) )
 		return rval;
 
-	add rval[BrokerComm::refine_to_string(BrokerComm::set_iterator_value(it))];
-	BrokerComm::set_iterator_next(it);
-	return comm_set_to_bro_set_recurse(it, rval);
+	add rval[Broker::refine_to_string(Broker::set_iterator_value(it))];
+	Broker::set_iterator_next(it);
+	return broker_to_bro_set_recurse(it, rval);
 	}
 
 
-function comm_set_to_bro_set(d: BrokerComm::Data): bro_set
+function broker_to_bro_set(d: Broker::Data): bro_set
 	{
-	return comm_set_to_bro_set_recurse(BrokerComm::set_iterator(d), bro_set());
+	return broker_to_bro_set_recurse(Broker::set_iterator(d), bro_set());
 	}
 
 function
-comm_table_to_bro_table_recurse(it: opaque of BrokerComm::TableIterator,
+broker_to_bro_table_recurse(it: opaque of Broker::TableIterator,
                                 rval: bro_table): bro_table
 	{
-	if ( BrokerComm::table_iterator_last(it) )
+	if ( Broker::table_iterator_last(it) )
 		return rval;
 
-	local item = BrokerComm::table_iterator_value(it);
-	rval[BrokerComm::refine_to_string(item$key)] = BrokerComm::refine_to_count(item$val);
-	BrokerComm::table_iterator_next(it);
-	return comm_table_to_bro_table_recurse(it, rval);
+	local item = Broker::table_iterator_value(it);
+	rval[Broker::refine_to_string(item$key)] = Broker::refine_to_count(item$val);
+	Broker::table_iterator_next(it);
+	return broker_to_bro_table_recurse(it, rval);
 	}
 
-function comm_table_to_bro_table(d: BrokerComm::Data): bro_table
+function broker_to_bro_table(d: Broker::Data): bro_table
 	{
-	return comm_table_to_bro_table_recurse(BrokerComm::table_iterator(d),
+	return broker_to_bro_table_recurse(Broker::table_iterator(d),
 	                                       bro_table());
 	}
 
-function comm_vector_to_bro_vector_recurse(it: opaque of BrokerComm::VectorIterator,
+function broker_to_bro_vector_recurse(it: opaque of Broker::VectorIterator,
                                            rval: bro_vector): bro_vector
 	{
-	if ( BrokerComm::vector_iterator_last(it) )
+	if ( Broker::vector_iterator_last(it) )
 		return rval;
 
-	rval[|rval|] = BrokerComm::refine_to_string(BrokerComm::vector_iterator_value(it));
-	BrokerComm::vector_iterator_next(it);
-	return comm_vector_to_bro_vector_recurse(it, rval);
+	rval[|rval|] = Broker::refine_to_string(Broker::vector_iterator_value(it));
+	Broker::vector_iterator_next(it);
+	return broker_to_bro_vector_recurse(it, rval);
 	}
 
-function comm_vector_to_bro_vector(d: BrokerComm::Data): bro_vector
+function broker_to_bro_vector(d: Broker::Data): bro_vector
 	{
-	return comm_vector_to_bro_vector_recurse(BrokerComm::vector_iterator(d),
+	return broker_to_bro_vector_recurse(Broker::vector_iterator(d),
 	                                         bro_vector());
 	}
 
 event bro_init()
-	{
-BrokerComm::enable();
-	}
+{
+Broker::enable();
+}
 
 global did_it = F;
 
 event new_connection(c: connection)
-	{
+{
 if ( did_it ) return;
 did_it = T;
-print BrokerComm::data_type(BrokerComm::data(T));
-print BrokerComm::data_type(BrokerComm::data(+1));
-print BrokerComm::data_type(BrokerComm::data(1));
-print BrokerComm::data_type(BrokerComm::data(1.1));
-print BrokerComm::data_type(BrokerComm::data("1 (how creative)"));
-print BrokerComm::data_type(BrokerComm::data(1.1.1.1));
-print BrokerComm::data_type(BrokerComm::data(1.1.1.1/1));
-print BrokerComm::data_type(BrokerComm::data(1/udp));
-print BrokerComm::data_type(BrokerComm::data(double_to_time(1)));
-print BrokerComm::data_type(BrokerComm::data(1sec));
-print BrokerComm::data_type(BrokerComm::data(BrokerComm::BOOL));
+
+### Print every broker data type
+
+print Broker::data_type(Broker::data(T));
+print Broker::data_type(Broker::data(+1));
+print Broker::data_type(Broker::data(1));
+print Broker::data_type(Broker::data(1.1));
+print Broker::data_type(Broker::data("1 (how creative)"));
+print Broker::data_type(Broker::data(1.1.1.1));
+print Broker::data_type(Broker::data(1.1.1.1/1));
+print Broker::data_type(Broker::data(1/udp));
+print Broker::data_type(Broker::data(double_to_time(1)));
+print Broker::data_type(Broker::data(1sec));
+print Broker::data_type(Broker::data(Broker::BOOL));
 local s: bro_set = bro_set("one", "two", "three");
 local t: bro_table = bro_table(["one"] = 1, ["two"] = 2, ["three"] = 3);
 local v: bro_vector = bro_vector("zero", "one", "two");
 local r: bro_record = bro_record($c = 1);
-print BrokerComm::data_type(BrokerComm::data(s));
-print BrokerComm::data_type(BrokerComm::data(t));
-print BrokerComm::data_type(BrokerComm::data(v));
-print BrokerComm::data_type(BrokerComm::data(r));
+print Broker::data_type(Broker::data(s));
+print Broker::data_type(Broker::data(t));
+print Broker::data_type(Broker::data(v));
+print Broker::data_type(Broker::data(r));
 
 print "***************************";
 
-print BrokerComm::refine_to_bool(BrokerComm::data(T));
-print BrokerComm::refine_to_bool(BrokerComm::data(F));
-print BrokerComm::refine_to_int(BrokerComm::data(+1));
-print BrokerComm::refine_to_int(BrokerComm::data(+0));
-print BrokerComm::refine_to_int(BrokerComm::data(-1));
-print BrokerComm::refine_to_count(BrokerComm::data(1));
-print BrokerComm::refine_to_count(BrokerComm::data(0));
-print BrokerComm::refine_to_double(BrokerComm::data(1.1));
-print BrokerComm::refine_to_double(BrokerComm::data(-11.1));
-print BrokerComm::refine_to_string(BrokerComm::data("hello"));
-print BrokerComm::refine_to_addr(BrokerComm::data(1.2.3.4));
-print BrokerComm::refine_to_subnet(BrokerComm::data(192.168.1.1/16));
-print BrokerComm::refine_to_port(BrokerComm::data(22/tcp));
-print BrokerComm::refine_to_time(BrokerComm::data(double_to_time(42)));
-print BrokerComm::refine_to_interval(BrokerComm::data(3min));
-print BrokerComm::refine_to_enum_name(BrokerComm::data(BrokerComm::BOOL));
+### Convert a Bro value to a broker value, then print the result
 
-print "***************************";
+print Broker::refine_to_bool(Broker::data(T));
+print Broker::refine_to_bool(Broker::data(F));
+print Broker::refine_to_int(Broker::data(+1));
+print Broker::refine_to_int(Broker::data(+0));
+print Broker::refine_to_int(Broker::data(-1));
+print Broker::refine_to_count(Broker::data(1));
+print Broker::refine_to_count(Broker::data(0));
+print Broker::refine_to_double(Broker::data(1.1));
+print Broker::refine_to_double(Broker::data(-11.1));
+print Broker::refine_to_string(Broker::data("hello"));
+print Broker::refine_to_addr(Broker::data(1.2.3.4));
+print Broker::refine_to_subnet(Broker::data(192.168.1.1/16));
+print Broker::refine_to_port(Broker::data(22/tcp));
+print Broker::refine_to_time(Broker::data(double_to_time(42)));
+print Broker::refine_to_interval(Broker::data(3min));
+print Broker::refine_to_enum_name(Broker::data(Broker::BOOL));
 
-local cs = BrokerComm::data(s);
-print comm_set_to_bro_set(cs);
-cs = BrokerComm::set_create();
-print BrokerComm::set_size(cs);
-print BrokerComm::set_insert(cs, BrokerComm::data("hi"));
-print BrokerComm::set_size(cs);
-print BrokerComm::set_contains(cs, BrokerComm::data("hi"));
-print BrokerComm::set_contains(cs, BrokerComm::data("bye"));
-print BrokerComm::set_insert(cs, BrokerComm::data("bye"));
-print BrokerComm::set_size(cs);
-print BrokerComm::set_remove(cs, BrokerComm::data("hi"));
-print BrokerComm::set_size(cs);
-print BrokerComm::set_remove(cs, BrokerComm::data("hi"));
-print comm_set_to_bro_set(cs);
-BrokerComm::set_clear(cs);
-print BrokerComm::set_size(cs);
+local cs = Broker::data(s);
+print broker_to_bro_set(cs);
 
-print "***************************";
+local ct = Broker::data(t);
+print broker_to_bro_table(ct);
 
-local ct = BrokerComm::data(t);
-print comm_table_to_bro_table(ct);
-ct = BrokerComm::table_create();
-print BrokerComm::table_size(ct);
-print BrokerComm::table_insert(ct, BrokerComm::data("hi"), BrokerComm::data(42));
-print BrokerComm::table_size(ct);
-print BrokerComm::table_contains(ct, BrokerComm::data("hi"));
-print BrokerComm::refine_to_count(BrokerComm::table_lookup(ct, BrokerComm::data("hi")));
-print BrokerComm::table_contains(ct, BrokerComm::data("bye"));
-print BrokerComm::table_insert(ct, BrokerComm::data("bye"), BrokerComm::data(7));
-print BrokerComm::table_size(ct);
-print BrokerComm::table_insert(ct, BrokerComm::data("bye"), BrokerComm::data(37));
-print BrokerComm::table_size(ct);
-print BrokerComm::refine_to_count(BrokerComm::table_lookup(ct, BrokerComm::data("bye")));
-print BrokerComm::table_remove(ct, BrokerComm::data("hi"));
-print BrokerComm::table_size(ct);
+local cv = Broker::data(v);
+print broker_to_bro_vector(cv);
 
-print "***************************";
+local cr = Broker::data(r);
+print broker_to_bro_record(cr);
 
-local cv = BrokerComm::data(v);
-print comm_vector_to_bro_vector(cv);
-cv = BrokerComm::vector_create();
-print BrokerComm::vector_size(cv);
-print BrokerComm::vector_insert(cv, BrokerComm::data("hi"), 0);
-print BrokerComm::vector_insert(cv, BrokerComm::data("hello"), 1);
-print BrokerComm::vector_insert(cv, BrokerComm::data("greetings"), 2);
-print BrokerComm::vector_insert(cv, BrokerComm::data("salutations"), 1);
-print comm_vector_to_bro_vector(cv);
-print BrokerComm::vector_size(cv);
-print BrokerComm::vector_replace(cv, BrokerComm::data("bah"), 2);
-print BrokerComm::vector_lookup(cv, 2);
-print BrokerComm::vector_lookup(cv, 0);
-print comm_vector_to_bro_vector(cv);
-print BrokerComm::vector_remove(cv, 2);
-print comm_vector_to_bro_vector(cv);
-print BrokerComm::vector_size(cv);
-
-print "***************************";
-
-local cr = BrokerComm::data(r);
-print comm_record_to_bro_record(cr);
 r$a = "test";
-cr = BrokerComm::data(r);
-print comm_record_to_bro_record(cr);
+cr = Broker::data(r);
+print broker_to_bro_record(cr);
+
 r$b = "testagain";
-cr = BrokerComm::data(r);
-print comm_record_to_bro_record(cr);
-cr = BrokerComm::record_create(3);
-print BrokerComm::record_size(cr);
-print BrokerComm::record_assign(cr, BrokerComm::data("hi"), 0);
-print BrokerComm::record_assign(cr, BrokerComm::data("hello"), 1);
-print BrokerComm::record_assign(cr, BrokerComm::data(37), 2);
-print BrokerComm::record_lookup(cr, 0);
-print BrokerComm::record_lookup(cr, 1);
-print BrokerComm::record_lookup(cr, 2);
-print BrokerComm::record_size(cr);
+cr = Broker::data(r);
+print broker_to_bro_record(cr);
+
+print "***************************";
+
+### Test the broker set BIFs
+
+cs = Broker::set_create();
+print Broker::set_size(cs);
+print Broker::set_insert(cs, Broker::data("hi"));
+print Broker::set_size(cs);
+print Broker::set_contains(cs, Broker::data("hi"));
+print Broker::set_contains(cs, Broker::data("bye"));
+print Broker::set_insert(cs, Broker::data("bye"));
+print Broker::set_size(cs);
+print Broker::set_insert(cs, Broker::data("bye"));
+print Broker::set_size(cs);
+print Broker::set_remove(cs, Broker::data("hi"));
+print Broker::set_size(cs);
+print Broker::set_remove(cs, Broker::data("hi"));
+print broker_to_bro_set(cs);
+print Broker::set_clear(cs);
+print Broker::set_size(cs);
+print broker_to_bro_set(cs);
+
+print "***************************";
+
+### Test the broker table BIFs
+
+ct = Broker::table_create();
+print Broker::table_size(ct);
+print Broker::table_insert(ct, Broker::data("hi"), Broker::data(42));
+print Broker::table_size(ct);
+print Broker::table_contains(ct, Broker::data("hi"));
+print Broker::refine_to_count(Broker::table_lookup(ct, Broker::data("hi")));
+print Broker::table_contains(ct, Broker::data("bye"));
+print Broker::table_insert(ct, Broker::data("bye"), Broker::data(7));
+print Broker::table_size(ct);
+print Broker::table_insert(ct, Broker::data("bye"), Broker::data(37));
+print Broker::table_size(ct);
+print Broker::refine_to_count(Broker::table_lookup(ct, Broker::data("bye")));
+print Broker::table_remove(ct, Broker::data("hi"));
+print Broker::table_size(ct);
+print Broker::table_remove(ct, Broker::data("hi"));
+print Broker::table_size(ct);
+print Broker::table_clear(ct);
+print Broker::table_size(ct);
+print broker_to_bro_table(ct);
+
+print "***************************";
+
+### Test the broker vector BIFs
+
+cv = Broker::vector_create();
+print Broker::vector_size(cv);
+print Broker::vector_insert(cv, Broker::data("hi"), 0);
+print Broker::vector_insert(cv, Broker::data("hello"), 1);
+print Broker::vector_insert(cv, Broker::data("greetings"), 2);
+print Broker::vector_insert(cv, Broker::data("salutations"), 1);
+print broker_to_bro_vector(cv);
+print Broker::vector_size(cv);
+print Broker::vector_replace(cv, Broker::data("bah"), 2);
+print Broker::vector_lookup(cv, 2);
+print Broker::vector_lookup(cv, 0);
+print broker_to_bro_vector(cv);
+print Broker::vector_remove(cv, 2);
+print broker_to_bro_vector(cv);
+print Broker::vector_size(cv);
+print Broker::vector_clear(cv);
+print Broker::vector_size(cv);
+print broker_to_bro_vector(cv);
+
+print "***************************";
+
+### Test the broker record BIFs
+
+cr = Broker::record_create(3);
+print Broker::record_size(cr);
+print Broker::record_assign(cr, Broker::data("hi"), 0);
+print Broker::record_assign(cr, Broker::data("hello"), 1);
+print Broker::record_assign(cr, Broker::data(37), 2);
+print Broker::record_lookup(cr, 0);
+print Broker::record_lookup(cr, 1);
+print Broker::record_lookup(cr, 2);
+print Broker::record_size(cr);
+print Broker::record_assign(cr, Broker::data("goodbye"), 1);
+print Broker::record_size(cr);
+print Broker::record_lookup(cr, 1);
 }
diff --git a/testing/btest/core/leaks/broker/master_store.bro b/testing/btest/core/leaks/broker/master_store.bro
index 19c63236f5..11f32b49ae 100644
--- a/testing/btest/core/leaks/broker/master_store.bro
+++ b/testing/btest/core/leaks/broker/master_store.bro
@@ -1,4 +1,4 @@
-# @TEST-REQUIRES: grep -q ENABLE_BROKER $BUILD/CMakeCache.txt
+# @TEST-REQUIRES: grep -q ENABLE_BROKER:BOOL=true $BUILD/CMakeCache.txt
 # @TEST-REQUIRES: bro --help 2>&1 | grep -q mem-leaks
 # @TEST-GROUP: leaks
 
@@ -8,7 +8,7 @@
 
 redef exit_only_after_terminate = T;
 
-global h: opaque of BrokerStore::Handle;
+global h: opaque of Broker::Handle;
 global lookup_count = 0;
 const lookup_expect_count = 5;
 global exists_count = 0;
@@ -20,13 +20,13 @@ global test_size: event(where: string &default = "");
 
 event test_clear()
 	{
-	BrokerStore::clear(h);
+	Broker::clear(h);
 	event test_size("after clear");
 	}
 
 event test_size(where: string)
 	{
-	when ( local res = BrokerStore::size(h) )
+	when ( local res = Broker::size(h) )
 		{
 		if ( where == "" )
 			{
@@ -45,7 +45,7 @@ event test_size(where: string)
 
 event test_keys()
 	{
-	when ( local res = BrokerStore::keys(h) )
+	when ( local res = Broker::keys(h) )
 		{
 		print fmt("keys: %s", res);
 		event test_size();
@@ -56,7 +56,7 @@ event test_keys()
 
 event test_pop(key: string)
 	{
-	when ( local lres = BrokerStore::pop_left(h, BrokerComm::data(key)) )
+	when ( local lres = Broker::pop_left(h, Broker::data(key)) )
 		{
 		print fmt("pop_left(%s): %s", key, lres);
 		++pop_count;
@@ -67,7 +67,7 @@ event test_pop(key: string)
 	timeout 10sec
 		{ print "timeout"; }
 
-	when ( local rres = BrokerStore::pop_right(h, BrokerComm::data(key)) )
+	when ( local rres = Broker::pop_right(h, Broker::data(key)) )
 		{
 		print fmt("pop_right(%s): %s", key, rres);
 		++pop_count;
@@ -81,7 +81,7 @@ event test_pop(key: string)
 
 function do_exists(key: string)
 	{
-	when ( local res = BrokerStore::exists(h, BrokerComm::data(key)) )
+	when ( local res = Broker::exists(h, Broker::data(key)) )
 		{
 		print fmt("exists(%s): %s", key, res);
 		++exists_count;
@@ -95,7 +95,7 @@ function do_exists(key: string)
 
 event test_erase()
 	{
-	BrokerStore::erase(h, BrokerComm::data("two"));
+	Broker::erase(h, Broker::data("two"));
 	do_exists("one");
 	do_exists("two");
 	do_exists("myset");
@@ -104,7 +104,7 @@ event test_erase()
 
 function do_lookup(key: string)
 	{
-	when ( local res = BrokerStore::lookup(h, BrokerComm::data(key)) )
+	when ( local res = Broker::lookup(h, Broker::data(key)) )
 		{
 		print fmt("lookup(%s): %s", key, res);
 		++lookup_count;
@@ -116,9 +116,9 @@ function do_lookup(key: string)
 		{ print "timeout"; }
 	}
 
-function dv(d: BrokerComm::Data): BrokerComm::DataVector
+function dv(d: Broker::Data): Broker::DataVector
 	{
-	local rval: BrokerComm::DataVector;
+	local rval: Broker::DataVector;
 	rval[0] = d;
 	return rval;
 	}
@@ -127,8 +127,8 @@ global did_it = F;
 
 event bro_init()
 	{
-	BrokerComm::enable();
-	h = BrokerStore::create_master("master");
+	Broker::enable();
+	h = Broker::create_master("master");
 	}
 
 event new_connection(c: connection)
@@ -137,16 +137,16 @@ event new_connection(c: connection)
 	did_it = T;
 	local myset: set[string] = {"a", "b", "c"};
 	local myvec: vector of string = {"alpha", "beta", "gamma"};
-	BrokerStore::insert(h, BrokerComm::data("one"), BrokerComm::data(110));
-	BrokerStore::insert(h, BrokerComm::data("two"), BrokerComm::data(223));
-	BrokerStore::insert(h, BrokerComm::data("myset"), BrokerComm::data(myset));
-	BrokerStore::insert(h, BrokerComm::data("myvec"), BrokerComm::data(myvec));
-	BrokerStore::increment(h, BrokerComm::data("one"));
-	BrokerStore::decrement(h, BrokerComm::data("two"));
-	BrokerStore::add_to_set(h, BrokerComm::data("myset"), BrokerComm::data("d"));
-	BrokerStore::remove_from_set(h, BrokerComm::data("myset"), BrokerComm::data("b"));
-	BrokerStore::push_left(h, BrokerComm::data("myvec"), dv(BrokerComm::data("delta")));
-	BrokerStore::push_right(h, BrokerComm::data("myvec"), dv(BrokerComm::data("omega")));
+	Broker::insert(h, Broker::data("one"), Broker::data(110));
+	Broker::insert(h, Broker::data("two"), Broker::data(223));
+	Broker::insert(h, Broker::data("myset"), Broker::data(myset));
+	Broker::insert(h, Broker::data("myvec"), Broker::data(myvec));
+	Broker::increment(h, Broker::data("one"));
+	Broker::decrement(h, Broker::data("two"));
+	Broker::add_to_set(h, Broker::data("myset"), Broker::data("d"));
+	Broker::remove_from_set(h, Broker::data("myset"), Broker::data("b"));
+	Broker::push_left(h, Broker::data("myvec"), dv(Broker::data("delta")));
+	Broker::push_right(h, Broker::data("myvec"), dv(Broker::data("omega")));
 	do_lookup("one");
 	do_lookup("two");
 	do_lookup("myset");
diff --git a/testing/btest/core/leaks/broker/remote_event.test b/testing/btest/core/leaks/broker/remote_event.test
index 243d3b04d3..3f63fcba76 100644
--- a/testing/btest/core/leaks/broker/remote_event.test
+++ b/testing/btest/core/leaks/broker/remote_event.test
@@ -1,5 +1,5 @@
 # @TEST-SERIALIZE: brokercomm
-# @TEST-REQUIRES: grep -q ENABLE_BROKER $BUILD/CMakeCache.txt
+# @TEST-REQUIRES: grep -q ENABLE_BROKER:BOOL=true $BUILD/CMakeCache.txt
 # @TEST-REQUIRES: bro --help 2>&1 | grep -q mem-leaks
 # @TEST-GROUP: leak
 
@@ -20,10 +20,10 @@ global auto_event_handler: event(msg: string, c: count);
 
 event bro_init()
 	{
-	BrokerComm::enable();
-	BrokerComm::listen(broker_port, "127.0.0.1");
-	BrokerComm::subscribe_to_events("bro/event/");
-	BrokerComm::auto_event("bro/event/my_topic", auto_event_handler);
+	Broker::enable();
+	Broker::subscribe_to_events("bro/event/");
+	Broker::auto_event("bro/event/my_topic", auto_event_handler);
+	Broker::listen(broker_port, "127.0.0.1");
 	}
 
 global event_count = 0;
@@ -41,8 +41,8 @@ event event_handler(msg: string, n: count)
 		}
 
 	event auto_event_handler(msg, n);
-	local args = BrokerComm::event_args(event_handler, "pong", n);
-	BrokerComm::event("bro/event/my_topic", args);
+	local args = Broker::event_args(event_handler, "pong", n);
+	Broker::send_event("bro/event/my_topic", args);
 	}
 
 @TEST-END-FILE
@@ -57,24 +57,24 @@ global auto_event_handler: event(msg: string, c: count);
 
 event bro_init()
 	{
-	BrokerComm::enable();
-	BrokerComm::subscribe_to_events("bro/event/my_topic");
-	BrokerComm::connect("127.0.0.1", broker_port, 1secs);
+	Broker::enable();
+	Broker::subscribe_to_events("bro/event/my_topic");
+	Broker::connect("127.0.0.1", broker_port, 1secs);
 	}
 
 global event_count = 0;
 
-event BrokerComm::outgoing_connection_established(peer_address: string,
+event Broker::outgoing_connection_established(peer_address: string,
                                             peer_port: port,
                                             peer_name: string)
 	{
-	print "BrokerComm::outgoing_connection_established", peer_address, peer_port;
-	local args = BrokerComm::event_args(event_handler, "ping", event_count);
-	BrokerComm::event("bro/event/hi", args);
+	print "Broker::outgoing_connection_established", peer_address, peer_port;
+	local args = Broker::event_args(event_handler, "ping", event_count);
+	Broker::send_event("bro/event/hi", args);
 	++event_count;
 	}
 
-event BrokerComm::outgoing_connection_broken(peer_address: string,
+event Broker::outgoing_connection_broken(peer_address: string,
                                        peer_port: port)
 	{
 	terminate();
@@ -83,8 +83,8 @@ event BrokerComm::outgoing_connection_broken(peer_address: string,
 event event_handler(msg: string, n: count)
 	{
 	print "got event msg", msg, n;
-	local args = BrokerComm::event_args(event_handler, "ping", event_count);
-    BrokerComm::event("bro/event/hi", args);
+	local args = Broker::event_args(event_handler, "ping", event_count);
+	Broker::send_event("bro/event/hi", args);
 	++event_count;
 	}
 
diff --git a/testing/btest/core/leaks/broker/remote_log.test b/testing/btest/core/leaks/broker/remote_log.test
index f6c0c41fda..baeab906f1 100644
--- a/testing/btest/core/leaks/broker/remote_log.test
+++ b/testing/btest/core/leaks/broker/remote_log.test
@@ -1,5 +1,5 @@
 # @TEST-SERIALIZE: brokercomm
-# @TEST-REQUIRES: grep -q ENABLE_BROKER $BUILD/CMakeCache.txt
+# @TEST-REQUIRES: grep -q ENABLE_BROKER:BOOL=true $BUILD/CMakeCache.txt
 # @TEST-REQUIRES: bro --help 2>&1 | grep -q mem-leaks
 # @TEST-GROUP: leak
 
@@ -29,7 +29,7 @@ export {
 
 event bro_init() &priority=5
 	{
-	BrokerComm::enable();
+	Broker::enable();
 	Log::create_stream(Test::LOG, [$columns=Test::Info, $ev=log_test]);
 	}
 
@@ -42,8 +42,8 @@ redef exit_only_after_terminate = T;
 
 event bro_init()
 	{
-	BrokerComm::listen(broker_port, "127.0.0.1");
-	BrokerComm::subscribe_to_logs("bro/log/");
+	Broker::subscribe_to_logs("bro/log/");
+	Broker::listen(broker_port, "127.0.0.1");
 	}
 
 event Test::log_test(rec: Test::Info)
@@ -63,8 +63,8 @@ redef exit_only_after_terminate = T;
 
 event bro_init()
 	{
-	BrokerComm::enable_remote_logs(Test::LOG);
-	BrokerComm::connect("127.0.0.1", broker_port, 1secs);
+	Broker::enable_remote_logs(Test::LOG);
+	Broker::connect("127.0.0.1", broker_port, 1secs);
 	}
 
 global n = 0;
@@ -81,15 +81,15 @@ event do_write()
 		}
 	}
 
-event BrokerComm::outgoing_connection_established(peer_address: string,
+event Broker::outgoing_connection_established(peer_address: string,
                                             peer_port: port,
                                             peer_name: string)
 	{
-	print "BrokerComm::outgoing_connection_established", peer_address, peer_port;
+	print "Broker::outgoing_connection_established", peer_address, peer_port;
 	event do_write();
 	}
 
-event BrokerComm::outgoing_connection_broken(peer_address: string,
+event Broker::outgoing_connection_broken(peer_address: string,
                                        peer_port: port)
 	{
 	terminate();
diff --git a/testing/btest/core/leaks/broker/remote_print.test b/testing/btest/core/leaks/broker/remote_print.test
index e77881c694..26e6317034 100644
--- a/testing/btest/core/leaks/broker/remote_print.test
+++ b/testing/btest/core/leaks/broker/remote_print.test
@@ -1,5 +1,5 @@
 # @TEST-SERIALIZE: brokercomm
-# @TEST-REQUIRES: grep -q ENABLE_BROKER $BUILD/CMakeCache.txt
+# @TEST-REQUIRES: grep -q ENABLE_BROKER:BOOL=true $BUILD/CMakeCache.txt
 # @TEST-REQUIRES: bro --help 2>&1 | grep -q mem-leaks
 # @TEST-GROUP: leak
 
@@ -17,16 +17,16 @@ redef exit_only_after_terminate = T;
 
 event bro_init()
 	{
-	BrokerComm::enable();
-	BrokerComm::listen(broker_port, "127.0.0.1");
-	BrokerComm::subscribe_to_prints("bro/print/");
+	Broker::enable();
+	Broker::subscribe_to_prints("bro/print/");
+	Broker::listen(broker_port, "127.0.0.1");
 	}
 
 global messages_to_recv = 6;
 global messages_sent = 0;
 global messages_recv = 0;
 
-event BrokerComm::print_handler(msg: string)
+event Broker::print_handler(msg: string)
 	{
 	++messages_recv;
 	print "got print msg", msg;
@@ -37,7 +37,7 @@ event BrokerComm::print_handler(msg: string)
 		return;
 		}
 
-	BrokerComm::print("bro/print/my_topic", fmt("pong %d", messages_sent));
+	Broker::send_print("bro/print/my_topic", fmt("pong %d", messages_sent));
 	++messages_sent;
 	}
 
@@ -50,35 +50,35 @@ redef exit_only_after_terminate = T;
 
 event bro_init()
 	{
-	BrokerComm::enable();
-	BrokerComm::subscribe_to_prints("bro/print/my_topic");
-	BrokerComm::connect("127.0.0.1", broker_port, 1secs);
+	Broker::enable();
+	Broker::subscribe_to_prints("bro/print/my_topic");
+	Broker::connect("127.0.0.1", broker_port, 1secs);
 	}
 
 global messages_sent = 0;
 global messages_recv = 0;
 global peer_disconnected = F;
 
-event BrokerComm::outgoing_connection_established(peer_address: string,
+event Broker::outgoing_connection_established(peer_address: string,
                                             peer_port: port,
                                             peer_name: string)
 	{
-	print "BrokerComm::outgoing_connection_established", peer_address, peer_port;
-	BrokerComm::print("bro/print/hi", fmt("ping %d", messages_sent));
+	print "Broker::outgoing_connection_established", peer_address, peer_port;
+	Broker::send_print("bro/print/hi", fmt("ping %d", messages_sent));
 	++messages_sent;
 	}
 
-event BrokerComm::outgoing_connection_broken(peer_address: string,
+event Broker::outgoing_connection_broken(peer_address: string,
                                        peer_port: port)
 	{
 	terminate();
 	}
 
-event BrokerComm::print_handler(msg: string)
+event Broker::print_handler(msg: string)
 	{
 	++messages_recv;
 	print "got print msg", msg;
-	BrokerComm::print("bro/print/hi", fmt("ping %d", messages_sent));
+	Broker::send_print("bro/print/hi", fmt("ping %d", messages_sent));
 	++messages_sent;
 	}
 
diff --git a/testing/btest/core/leaks/irc.test b/testing/btest/core/leaks/irc.test
new file mode 100644
index 0000000000..7b2ac389d4
--- /dev/null
+++ b/testing/btest/core/leaks/irc.test
@@ -0,0 +1,13 @@
+# Needs perftools support.
+#
+# @TEST-GROUP: leaks
+#
+# @TEST-REQUIRES: bro  --help 2>&1 | grep -q mem-leaks
+#
+# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run bro bro -m -r $TRACES/irc-dcc-send.trace %INPUT
+# @TEST-EXEC: btest-bg-wait 60
+
+event irc_names_info(c: connection, is_orig: bool, c_type: string, channel: string, users: string_set)
+	{
+	print channel, users;
+	}
diff --git a/testing/btest/core/leaks/stats.bro b/testing/btest/core/leaks/stats.bro
new file mode 100644
index 0000000000..a3459fdc93
--- /dev/null
+++ b/testing/btest/core/leaks/stats.bro
@@ -0,0 +1,15 @@
+# Needs perftools support.
+#
+# @TEST-GROUP: leaks
+#
+# @TEST-REQUIRES: bro  --help 2>&1 | grep -q mem-leaks
+#
+# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run bro bro -m -r $TRACES/wikipedia.trace %INPUT
+# @TEST-EXEC: btest-bg-wait 60
+
+@load policy/misc/stats.bro
+
+event load_sample(samples: load_sample_info, CPU: interval, dmem: int)
+	{
+	print CPU;
+	}
diff --git a/testing/btest/core/negative-time.test b/testing/btest/core/negative-time.test
new file mode 100644
index 0000000000..5717df835c
--- /dev/null
+++ b/testing/btest/core/negative-time.test
@@ -0,0 +1,2 @@
+# @TEST-EXEC: bro -b -C -r $TRACES/negative-time.pcap base/frameworks/notice
+# @TEST-EXEC: btest-diff weird.log
diff --git a/testing/btest/core/recursive-event.bro b/testing/btest/core/recursive-event.bro
new file mode 100644
index 0000000000..cc7a2be8eb
--- /dev/null
+++ b/testing/btest/core/recursive-event.bro
@@ -0,0 +1,31 @@
+# @TEST-EXEC: bro %INPUT 2>&1 | grep -v termination | sort | uniq | wc -l >output
+# @TEST-EXEC: btest-diff output
+
+# In old version, the event would keep triggering endlessely, with the network
+# time not moving forward and Bro not terminating. 
+# 
+# Note that the output will be 10 (not 20) because we still execute two rounds
+# of events every time we drain.
+
+redef exit_only_after_terminate=T;
+
+global c = 0;
+
+event test()
+        {
+	c += 1;
+
+	if ( c == 20 ) 
+		{
+		terminate();
+		return;
+		}
+	
+        print network_time();
+        event test();
+        }
+
+event bro_init()
+        {
+        event test();
+        }
diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_broker_connecting-connector_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_broker_connecting-connector_bro.btest
index 042b8999f3..c4cbde045c 100644
--- a/testing/btest/doc/sphinx/include-doc_frameworks_broker_connecting-connector_bro.btest
+++ b/testing/btest/doc/sphinx/include-doc_frameworks_broker_connecting-connector_bro.btest
@@ -4,19 +4,19 @@ connecting-connector.bro
 
 const broker_port: port = 9999/tcp &redef;
 redef exit_only_after_terminate = T;
-redef BrokerComm::endpoint_name = "connector";
+redef Broker::endpoint_name = "connector";
 
 event bro_init()
 	{
-	BrokerComm::enable();
-	BrokerComm::connect("127.0.0.1", broker_port, 1sec);
+	Broker::enable();
+	Broker::connect("127.0.0.1", broker_port, 1sec);
 	}
 
-event BrokerComm::outgoing_connection_established(peer_address: string,
+event Broker::outgoing_connection_established(peer_address: string,
                                             peer_port: port,
                                             peer_name: string)
 	{
-	print "BrokerComm::outgoing_connection_established",
+	print "Broker::outgoing_connection_established",
 		  peer_address, peer_port, peer_name;
 	terminate();
 	}
diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_broker_connecting-listener_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_broker_connecting-listener_bro.btest
index 33e3df2330..8ea85569c9 100644
--- a/testing/btest/doc/sphinx/include-doc_frameworks_broker_connecting-listener_bro.btest
+++ b/testing/btest/doc/sphinx/include-doc_frameworks_broker_connecting-listener_bro.btest
@@ -4,21 +4,21 @@ connecting-listener.bro
 
 const broker_port: port = 9999/tcp &redef;
 redef exit_only_after_terminate = T;
-redef BrokerComm::endpoint_name = "listener";
+redef Broker::endpoint_name = "listener";
 
 event bro_init()
 	{
-	BrokerComm::enable();
-	BrokerComm::listen(broker_port, "127.0.0.1");
+	Broker::enable();
+	Broker::listen(broker_port, "127.0.0.1");
 	}
 
-event BrokerComm::incoming_connection_established(peer_name: string)
+event Broker::incoming_connection_established(peer_name: string)
 	{
-	print "BrokerComm::incoming_connection_established", peer_name;
+	print "Broker::incoming_connection_established", peer_name;
 	}
 
-event BrokerComm::incoming_connection_broken(peer_name: string)
+event Broker::incoming_connection_broken(peer_name: string)
 	{
-	print "BrokerComm::incoming_connection_broken", peer_name;
+	print "Broker::incoming_connection_broken", peer_name;
 	terminate();
 	}
diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_broker_events-connector_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_broker_events-connector_bro.btest
index fe97fdb4ce..d7a0e64be2 100644
--- a/testing/btest/doc/sphinx/include-doc_frameworks_broker_events-connector_bro.btest
+++ b/testing/btest/doc/sphinx/include-doc_frameworks_broker_events-connector_bro.btest
@@ -4,31 +4,31 @@ events-connector.bro
 
 const broker_port: port = 9999/tcp &redef;
 redef exit_only_after_terminate = T;
-redef BrokerComm::endpoint_name = "connector";
+redef Broker::endpoint_name = "connector";
 global my_event: event(msg: string, c: count);
 global my_auto_event: event(msg: string, c: count);
 
 event bro_init()
 	{
-	BrokerComm::enable();
-	BrokerComm::connect("127.0.0.1", broker_port, 1sec);
-	BrokerComm::auto_event("bro/event/my_auto_event", my_auto_event);
+	Broker::enable();
+	Broker::connect("127.0.0.1", broker_port, 1sec);
+	Broker::auto_event("bro/event/my_auto_event", my_auto_event);
 	}
 
-event BrokerComm::outgoing_connection_established(peer_address: string,
+event Broker::outgoing_connection_established(peer_address: string,
                                             peer_port: port,
                                             peer_name: string)
 	{
-	print "BrokerComm::outgoing_connection_established",
+	print "Broker::outgoing_connection_established",
 	      peer_address, peer_port, peer_name;
-	BrokerComm::event("bro/event/my_event", BrokerComm::event_args(my_event, "hi", 0));
+	Broker::send_event("bro/event/my_event", Broker::event_args(my_event, "hi", 0));
 	event my_auto_event("stuff", 88);
-	BrokerComm::event("bro/event/my_event", BrokerComm::event_args(my_event, "...", 1));
+	Broker::send_event("bro/event/my_event", Broker::event_args(my_event, "...", 1));
 	event my_auto_event("more stuff", 51);
-	BrokerComm::event("bro/event/my_event", BrokerComm::event_args(my_event, "bye", 2));
+	Broker::send_event("bro/event/my_event", Broker::event_args(my_event, "bye", 2));
 	}
 
-event BrokerComm::outgoing_connection_broken(peer_address: string,
+event Broker::outgoing_connection_broken(peer_address: string,
                                        peer_port: port)
 	{
 	terminate();
diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_broker_events-listener_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_broker_events-listener_bro.btest
index 9f004692cb..640722cac0 100644
--- a/testing/btest/doc/sphinx/include-doc_frameworks_broker_events-listener_bro.btest
+++ b/testing/btest/doc/sphinx/include-doc_frameworks_broker_events-listener_bro.btest
@@ -4,21 +4,21 @@ events-listener.bro
 
 const broker_port: port = 9999/tcp &redef;
 redef exit_only_after_terminate = T;
-redef BrokerComm::endpoint_name = "listener";
+redef Broker::endpoint_name = "listener";
 global msg_count = 0;
 global my_event: event(msg: string, c: count);
 global my_auto_event: event(msg: string, c: count);
 
 event bro_init()
 	{
-	BrokerComm::enable();
-	BrokerComm::subscribe_to_events("bro/event/");
-	BrokerComm::listen(broker_port, "127.0.0.1");
+	Broker::enable();
+	Broker::subscribe_to_events("bro/event/");
+	Broker::listen(broker_port, "127.0.0.1");
 	}
 
-event BrokerComm::incoming_connection_established(peer_name: string)
+event Broker::incoming_connection_established(peer_name: string)
 	{
-	print "BrokerComm::incoming_connection_established", peer_name;
+	print "Broker::incoming_connection_established", peer_name;
 	}
 
 event my_event(msg: string, c: count)
diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_broker_logs-connector_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_broker_logs-connector_bro.btest
index 6884d5e4d6..907d712c88 100644
--- a/testing/btest/doc/sphinx/include-doc_frameworks_broker_logs-connector_bro.btest
+++ b/testing/btest/doc/sphinx/include-doc_frameworks_broker_logs-connector_bro.btest
@@ -6,16 +6,16 @@ logs-connector.bro
 
 const broker_port: port = 9999/tcp &redef;
 redef exit_only_after_terminate = T;
-redef BrokerComm::endpoint_name = "connector";
+redef Broker::endpoint_name = "connector";
 redef Log::enable_local_logging = F;
 redef Log::enable_remote_logging = F;
 global n = 0;
 
 event bro_init()
 	{
-	BrokerComm::enable();
-	BrokerComm::enable_remote_logs(Test::LOG);
-	BrokerComm::connect("127.0.0.1", broker_port, 1sec);
+	Broker::enable();
+	Broker::enable_remote_logs(Test::LOG);
+	Broker::connect("127.0.0.1", broker_port, 1sec);
 	}
 
 event do_write()
@@ -28,16 +28,16 @@ event do_write()
 	event do_write();
 	}
 
-event BrokerComm::outgoing_connection_established(peer_address: string,
+event Broker::outgoing_connection_established(peer_address: string,
                                             peer_port: port,
                                             peer_name: string)
 	{
-	print "BrokerComm::outgoing_connection_established",
+	print "Broker::outgoing_connection_established",
 	      peer_address, peer_port, peer_name;
 	event do_write();
 	}
 
-event BrokerComm::outgoing_connection_broken(peer_address: string,
+event Broker::outgoing_connection_broken(peer_address: string,
                                        peer_port: port)
 	{
 	terminate();
diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_broker_logs-listener_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_broker_logs-listener_bro.btest
index 1610bde502..de6abbf5a0 100644
--- a/testing/btest/doc/sphinx/include-doc_frameworks_broker_logs-listener_bro.btest
+++ b/testing/btest/doc/sphinx/include-doc_frameworks_broker_logs-listener_bro.btest
@@ -6,18 +6,18 @@ logs-listener.bro
 
 const broker_port: port = 9999/tcp &redef;
 redef exit_only_after_terminate = T;
-redef BrokerComm::endpoint_name = "listener";
+redef Broker::endpoint_name = "listener";
 
 event bro_init()
 	{
-	BrokerComm::enable();
-	BrokerComm::subscribe_to_logs("bro/log/Test::LOG");
-	BrokerComm::listen(broker_port, "127.0.0.1");
+	Broker::enable();
+	Broker::subscribe_to_logs("bro/log/Test::LOG");
+	Broker::listen(broker_port, "127.0.0.1");
 	}
 
-event BrokerComm::incoming_connection_established(peer_name: string)
+event Broker::incoming_connection_established(peer_name: string)
 	{
-	print "BrokerComm::incoming_connection_established", peer_name;
+	print "Broker::incoming_connection_established", peer_name;
 	}
 
 event Test::log_test(rec: Test::Info)
diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_broker_printing-connector_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_broker_printing-connector_bro.btest
index 86ad4f459f..91ee179fe6 100644
--- a/testing/btest/doc/sphinx/include-doc_frameworks_broker_printing-connector_bro.btest
+++ b/testing/btest/doc/sphinx/include-doc_frameworks_broker_printing-connector_bro.btest
@@ -4,26 +4,26 @@ printing-connector.bro
 
 const broker_port: port = 9999/tcp &redef;
 redef exit_only_after_terminate = T;
-redef BrokerComm::endpoint_name = "connector";
+redef Broker::endpoint_name = "connector";
 
 event bro_init()
 	{
-	BrokerComm::enable();
-	BrokerComm::connect("127.0.0.1", broker_port, 1sec);
+	Broker::enable();
+	Broker::connect("127.0.0.1", broker_port, 1sec);
 	}
 
-event BrokerComm::outgoing_connection_established(peer_address: string,
+event Broker::outgoing_connection_established(peer_address: string,
                                             peer_port: port,
                                             peer_name: string)
 	{
-	print "BrokerComm::outgoing_connection_established",
+	print "Broker::outgoing_connection_established",
 	      peer_address, peer_port, peer_name;
-	BrokerComm::print("bro/print/hi", "hello");
-	BrokerComm::print("bro/print/stuff", "...");
-	BrokerComm::print("bro/print/bye", "goodbye");
+	Broker::send_print("bro/print/hi", "hello");
+	Broker::send_print("bro/print/stuff", "...");
+	Broker::send_print("bro/print/bye", "goodbye");
 	}
 
-event BrokerComm::outgoing_connection_broken(peer_address: string,
+event Broker::outgoing_connection_broken(peer_address: string,
                                        peer_port: port)
 	{
 	terminate();
diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_broker_printing-listener_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_broker_printing-listener_bro.btest
index fb416612ab..37e4d0eae9 100644
--- a/testing/btest/doc/sphinx/include-doc_frameworks_broker_printing-listener_bro.btest
+++ b/testing/btest/doc/sphinx/include-doc_frameworks_broker_printing-listener_bro.btest
@@ -4,22 +4,22 @@ printing-listener.bro
 
 const broker_port: port = 9999/tcp &redef;
 redef exit_only_after_terminate = T;
-redef BrokerComm::endpoint_name = "listener";
+redef Broker::endpoint_name = "listener";
 global msg_count = 0;
 
 event bro_init()
 	{
-	BrokerComm::enable();
-	BrokerComm::subscribe_to_prints("bro/print/");
-	BrokerComm::listen(broker_port, "127.0.0.1");
+	Broker::enable();
+	Broker::subscribe_to_prints("bro/print/");
+	Broker::listen(broker_port, "127.0.0.1");
 	}
 
-event BrokerComm::incoming_connection_established(peer_name: string)
+event Broker::incoming_connection_established(peer_name: string)
 	{
-	print "BrokerComm::incoming_connection_established", peer_name;
+	print "Broker::incoming_connection_established", peer_name;
 	}
 
-event BrokerComm::print_handler(msg: string)
+event Broker::print_handler(msg: string)
 	{
 	++msg_count;
 	print "got print message", msg;
diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_broker_stores-connector_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_broker_stores-connector_bro.btest
index 6ca9e3b49b..74b59467e7 100644
--- a/testing/btest/doc/sphinx/include-doc_frameworks_broker_stores-connector_bro.btest
+++ b/testing/btest/doc/sphinx/include-doc_frameworks_broker_stores-connector_bro.btest
@@ -5,42 +5,42 @@ stores-connector.bro
 const broker_port: port = 9999/tcp &redef;
 redef exit_only_after_terminate = T;
 
-global h: opaque of BrokerStore::Handle;
+global h: opaque of Broker::Handle;
 
-function dv(d: BrokerComm::Data): BrokerComm::DataVector
+function dv(d: Broker::Data): Broker::DataVector
 	{
-	local rval: BrokerComm::DataVector;
+	local rval: Broker::DataVector;
 	rval[0] = d;
 	return rval;
 	}
 
 global ready: event();
 
-event BrokerComm::outgoing_connection_broken(peer_address: string,
+event Broker::outgoing_connection_broken(peer_address: string,
                                        peer_port: port)
 	{
 	terminate();
 	}
 
-event BrokerComm::outgoing_connection_established(peer_address: string,
+event Broker::outgoing_connection_established(peer_address: string,
                                             peer_port: port,
                                             peer_name: string)
 	{
 	local myset: set[string] = {"a", "b", "c"};
 	local myvec: vector of string = {"alpha", "beta", "gamma"};
-	h = BrokerStore::create_master("mystore");
-	BrokerStore::insert(h, BrokerComm::data("one"), BrokerComm::data(110));
-	BrokerStore::insert(h, BrokerComm::data("two"), BrokerComm::data(223));
-	BrokerStore::insert(h, BrokerComm::data("myset"), BrokerComm::data(myset));
-	BrokerStore::insert(h, BrokerComm::data("myvec"), BrokerComm::data(myvec));
-	BrokerStore::increment(h, BrokerComm::data("one"));
-	BrokerStore::decrement(h, BrokerComm::data("two"));
-	BrokerStore::add_to_set(h, BrokerComm::data("myset"), BrokerComm::data("d"));
-	BrokerStore::remove_from_set(h, BrokerComm::data("myset"), BrokerComm::data("b"));
-	BrokerStore::push_left(h, BrokerComm::data("myvec"), dv(BrokerComm::data("delta")));
-	BrokerStore::push_right(h, BrokerComm::data("myvec"), dv(BrokerComm::data("omega")));
+	h = Broker::create_master("mystore");
+	Broker::insert(h, Broker::data("one"), Broker::data(110));
+	Broker::insert(h, Broker::data("two"), Broker::data(223));
+	Broker::insert(h, Broker::data("myset"), Broker::data(myset));
+	Broker::insert(h, Broker::data("myvec"), Broker::data(myvec));
+	Broker::increment(h, Broker::data("one"));
+	Broker::decrement(h, Broker::data("two"));
+	Broker::add_to_set(h, Broker::data("myset"), Broker::data("d"));
+	Broker::remove_from_set(h, Broker::data("myset"), Broker::data("b"));
+	Broker::push_left(h, Broker::data("myvec"), dv(Broker::data("delta")));
+	Broker::push_right(h, Broker::data("myvec"), dv(Broker::data("omega")));
 
-	when ( local res = BrokerStore::size(h) )
+	when ( local res = Broker::size(h) )
 		{
 		print "master size", res;
 		event ready();
@@ -51,7 +51,7 @@ event BrokerComm::outgoing_connection_established(peer_address: string,
 
 event bro_init()
 	{
-	BrokerComm::enable();
-	BrokerComm::connect("127.0.0.1", broker_port, 1secs);
-	BrokerComm::auto_event("bro/event/ready", ready);
+	Broker::enable();
+	Broker::connect("127.0.0.1", broker_port, 1secs);
+	Broker::auto_event("bro/event/ready", ready);
 	}
diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_broker_stores-listener_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_broker_stores-listener_bro.btest
index 6942ec17d2..8dadbc803c 100644
--- a/testing/btest/doc/sphinx/include-doc_frameworks_broker_stores-listener_bro.btest
+++ b/testing/btest/doc/sphinx/include-doc_frameworks_broker_stores-listener_bro.btest
@@ -5,13 +5,13 @@ stores-listener.bro
 const broker_port: port = 9999/tcp &redef;
 redef exit_only_after_terminate = T;
 
-global h: opaque of BrokerStore::Handle;
+global h: opaque of Broker::Handle;
 global expected_key_count = 4;
 global key_count = 0;
 
 function do_lookup(key: string)
 	{
-	when ( local res = BrokerStore::lookup(h, BrokerComm::data(key)) )
+	when ( local res = Broker::lookup(h, Broker::data(key)) )
 		{
 		++key_count;
 		print "lookup", key, res;
@@ -25,15 +25,15 @@ function do_lookup(key: string)
 
 event ready()
 	{
-	h = BrokerStore::create_clone("mystore");
+	h = Broker::create_clone("mystore");
 
-	when ( local res = BrokerStore::keys(h) )
+	when ( local res = Broker::keys(h) )
 		{
 		print "clone keys", res;
-		do_lookup(BrokerComm::refine_to_string(BrokerComm::vector_lookup(res$result, 0)));
-		do_lookup(BrokerComm::refine_to_string(BrokerComm::vector_lookup(res$result, 1)));
-		do_lookup(BrokerComm::refine_to_string(BrokerComm::vector_lookup(res$result, 2)));
-		do_lookup(BrokerComm::refine_to_string(BrokerComm::vector_lookup(res$result, 3)));
+		do_lookup(Broker::refine_to_string(Broker::vector_lookup(res$result, 0)));
+		do_lookup(Broker::refine_to_string(Broker::vector_lookup(res$result, 1)));
+		do_lookup(Broker::refine_to_string(Broker::vector_lookup(res$result, 2)));
+		do_lookup(Broker::refine_to_string(Broker::vector_lookup(res$result, 3)));
 		}
 	timeout 10sec
 		{ print "timeout"; }
@@ -41,7 +41,7 @@ event ready()
 
 event bro_init()
 	{
-	BrokerComm::enable();
-	BrokerComm::subscribe_to_events("bro/event/ready");
-	BrokerComm::listen(broker_port, "127.0.0.1");
+	Broker::enable();
+	Broker::subscribe_to_events("bro/event/ready");
+	Broker::listen(broker_port, "127.0.0.1");
 	}
diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_broker_testlog_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_broker_testlog_bro.btest
index c87fc3cd6f..d5a92417dc 100644
--- a/testing/btest/doc/sphinx/include-doc_frameworks_broker_testlog_bro.btest
+++ b/testing/btest/doc/sphinx/include-doc_frameworks_broker_testlog_bro.btest
@@ -17,6 +17,6 @@ export {
 
 event bro_init() &priority=5
 	{
-	BrokerComm::enable();
+	Broker::enable();
 	Log::create_stream(Test::LOG, [$columns=Test::Info, $ev=log_test, $path="test"]);
 	}
diff --git a/testing/btest/doc/sphinx/include-scripts_base_protocols_conn_main_bro.btest b/testing/btest/doc/sphinx/include-doc_scripting_data_type_record_bro.btest
similarity index 97%
rename from testing/btest/doc/sphinx/include-scripts_base_protocols_conn_main_bro.btest
rename to testing/btest/doc/sphinx/include-doc_scripting_data_type_record_bro.btest
index 83e9d5bea1..6d8760700a 100644
--- a/testing/btest/doc/sphinx/include-scripts_base_protocols_conn_main_bro.btest
+++ b/testing/btest/doc/sphinx/include-doc_scripting_data_type_record_bro.btest
@@ -1,6 +1,6 @@
 # @TEST-EXEC: cat %INPUT >output && btest-diff output
 
-main.bro
+data_type_record.bro
 
 module Conn;
 
diff --git a/testing/btest/doc/sphinx/include-scripts_base_protocols_http_main_bro.btest b/testing/btest/doc/sphinx/include-doc_scripting_http_main_bro.btest
similarity index 93%
rename from testing/btest/doc/sphinx/include-scripts_base_protocols_http_main_bro.btest
rename to testing/btest/doc/sphinx/include-doc_scripting_http_main_bro.btest
index e3f7a39429..9f49450799 100644
--- a/testing/btest/doc/sphinx/include-scripts_base_protocols_http_main_bro.btest
+++ b/testing/btest/doc/sphinx/include-doc_scripting_http_main_bro.btest
@@ -1,6 +1,6 @@
 # @TEST-EXEC: cat %INPUT >output && btest-diff output
 
-main.bro
+http_main.bro
 
 module HTTP;
 
diff --git a/testing/btest/language/event-local-var.bro b/testing/btest/language/event-local-var.bro
new file mode 100644
index 0000000000..d4dd9d19a5
--- /dev/null
+++ b/testing/btest/language/event-local-var.bro
@@ -0,0 +1,16 @@
+# @TEST-EXEC-FAIL: bro -b %INPUT 2> out
+# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff out
+
+
+event e1(num: count)
+	{
+	print fmt("event 1: %s", num);
+	}
+
+event bro_init()
+{
+	# Test assigning a local event variable to an event
+	local v: event(num: count);
+	v = e1;
+	schedule 1sec { v(6) };  # This should fail
+}
diff --git a/testing/btest/language/event.bro b/testing/btest/language/event.bro
index 39a3e0da48..d4eef24731 100644
--- a/testing/btest/language/event.bro
+++ b/testing/btest/language/event.bro
@@ -21,7 +21,7 @@ event e3(test: string)
 
 event e4(num: count)
 	{
-	print "assign event variable";
+	print fmt("assign event variable (%s)", num);
 	}
 
 # Note: the name of this event is intentionally the same as one above
@@ -30,6 +30,8 @@ event e3(test: string)
 	print "event part2";
 	}
 
+global e5: event(num: count);
+
 event bro_init()
 {
 	# Test calling an event with "event" statement
@@ -43,9 +45,8 @@ event bro_init()
 	event e3("foo");
 
 	# Test assigning an event variable to an event
-	local e5: event(num: count);
 	e5 = e4;
-	event e5(6);  # TODO: this does not do anything
+	event e5(6);
 }
 
 # scheduling in outside of an event handler shouldn't crash.
diff --git a/testing/btest/language/expire-expr-error.bro b/testing/btest/language/expire-expr-error.bro
new file mode 100644
index 0000000000..c355bd58ed
--- /dev/null
+++ b/testing/btest/language/expire-expr-error.bro
@@ -0,0 +1,29 @@
+# @TEST-EXEC: btest-bg-run broproc bro %INPUT
+# @TEST-EXEC: btest-bg-wait -k 5
+# @TEST-EXEC: cat broproc/.stderr > output
+# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff output
+
+global x: table[string] of interval;
+global data: table[int] of string &create_expire=x["kaputt"];
+
+@load frameworks/communication/listen
+
+global runs = 0;
+event do_it()
+	{
+	print fmt("Run %s", runs);
+
+	++runs;
+	if ( runs < 4 )
+		schedule 1sec { do_it() };
+	}
+
+
+event bro_init() &priority=-10
+	{
+	data[0] = "some data";
+	schedule 1sec { do_it() };
+	}
+
+
+
diff --git a/testing/btest/language/expire-func-undef.bro b/testing/btest/language/expire-func-undef.bro
new file mode 100644
index 0000000000..eb864d2390
--- /dev/null
+++ b/testing/btest/language/expire-func-undef.bro
@@ -0,0 +1,40 @@
+# @TEST-EXEC: bro -r $TRACES/rotation.trace -b %INPUT >output 2>&1
+# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff output
+
+module segfault; 
+
+export {
+
+        global scan_summary:
+                function(t: table[addr] of set[addr], orig: addr): interval;
+
+        global distinct_peers: table[addr] of set[addr]
+                &read_expire = 7 secs &expire_func=scan_summary &redef;
+
+} 
+
+
+event new_connection(c: connection)
+{ 
+
+	local orig = c$id$orig_h ;
+	local resp = c$id$resp_h ; 
+
+
+	if (orig !in distinct_peers)
+		distinct_peers[orig]=set(); 
+	
+	if (resp !in distinct_peers[orig]) 
+		add distinct_peers[orig][resp]; 
+
+} 
+
+event bro_done()
+{
+
+	for (o in distinct_peers)
+	{ 
+		print fmt("orig: %s: peers: %s", o, distinct_peers[o]); 
+	} 
+
+} 
diff --git a/testing/btest/language/expire-redef.bro b/testing/btest/language/expire-redef.bro
new file mode 100644
index 0000000000..044e6bb950
--- /dev/null
+++ b/testing/btest/language/expire-redef.bro
@@ -0,0 +1,38 @@
+# @TEST-EXEC: btest-bg-run broproc bro %INPUT
+# @TEST-EXEC: btest-bg-wait -k 5
+# @TEST-EXEC: cat broproc/.stdout > output
+# @TEST-EXEC: btest-diff output
+
+
+@load frameworks/communication/listen
+
+const exp_val = -1sec &redef;
+
+global expired: function(tbl: table[int] of string, idx: int): interval;
+global data: table[int] of string &write_expire=exp_val &expire_func=expired;
+
+redef table_expire_interval = 1sec;
+redef exp_val = 3sec;
+
+global runs = 0;
+event do_it()
+	{
+	print fmt("Run %s", runs);
+
+	++runs;
+	if ( runs < 4 )
+		schedule 1sec { do_it() };
+	}
+
+
+function expired(tbl: table[int] of string, idx: int): interval
+	{
+	print fmt("Expired: %s --> %s", idx, tbl[idx]);
+	return 0sec;
+	}
+
+event bro_init() &priority=-10
+	{
+	data[0] = "some data";
+	schedule 1sec { do_it() };
+	}
diff --git a/testing/btest/language/expire-type-error.bro b/testing/btest/language/expire-type-error.bro
new file mode 100644
index 0000000000..d6d807e22f
--- /dev/null
+++ b/testing/btest/language/expire-type-error.bro
@@ -0,0 +1,6 @@
+# @TEST-EXEC-FAIL: bro -b %INPUT >out 2>&1
+# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff out
+
+global data: table[int] of string &write_expire="kaputt";
+
+
diff --git a/testing/btest/language/expire_multiple.test b/testing/btest/language/expire_multiple.test
new file mode 100644
index 0000000000..1e4aaa0975
--- /dev/null
+++ b/testing/btest/language/expire_multiple.test
@@ -0,0 +1,12 @@
+# @TEST-EXEC-FAIL: bro -b %INPUT >output 2>&1
+# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff output
+
+global s: set[string] &create_expire=1secs &read_expire=1secs;
+
+# @TEST-START-NEXT:
+
+global s: set[string] &write_expire=1secs &create_expire=3secs;
+
+# @TEST-START-NEXT:
+
+global s: set[string] &write_expire=1secs &read_expire=3secs;
diff --git a/testing/btest/language/expire_subnet.test b/testing/btest/language/expire_subnet.test
new file mode 100644
index 0000000000..12d5e56b5a
--- /dev/null
+++ b/testing/btest/language/expire_subnet.test
@@ -0,0 +1,96 @@
+# @TEST-EXEC: bro -C -r $TRACES/var-services-std-ports.trace %INPUT >output
+# @TEST-EXEC: btest-diff output
+
+redef table_expire_interval = 1sec;
+
+global start_time: time;
+
+function time_past(): interval
+	{
+	return network_time() - start_time;
+	}
+
+function expire_nums(tbl: table[count] of string, idx: count): interval
+	{
+	print fmt("Expired Num: %s --> %s at %s", idx, tbl[idx], time_past());
+	return 0sec;
+	}
+
+function expire_nets(tbl: table[subnet] of string, idx: subnet): interval
+	{
+	print fmt("Expired Subnet: %s --> %s at %s", idx, tbl[idx], time_past());
+	return 0sec;
+	}
+
+global nums: table[count] of string &read_expire=8sec &expire_func=expire_nums;
+global nets: table[subnet] of string &read_expire=8sec &expire_func=expire_nets;
+global step: count;
+
+### Test ###
+
+function execute_test()
+	{
+	local num_a = nums[2];
+	local num_b = nums[3];
+
+	local net_a = nets[192.168.2.0/24];
+	#local net_b = nets[192.168.3.0/24];
+	local nets_b = "";
+	local nets_b_tbl: table[subnet] of string;
+
+	nets_b_tbl = filter_subnet_table(192.168.3.0/24, nets);
+	for ( idx in nets_b_tbl )
+		nets_b += cat(", ", nets_b_tbl[idx]);
+	nets_b = nets_b[2:];
+	
+	# writing resets expire as expected
+	#nets[192.168.2.0/24] = "accessed";
+	#nets[192.168.3.0/24] = "accessed";
+
+	print fmt("Accessed table nums: %s; %s", num_a, num_b);
+	print fmt("Accessed table nets: %s; %s", net_a, nets_b);
+	print fmt("Time: %s", time_past());
+	print "";
+	}
+
+### Events ###
+
+event bro_init()
+	{
+	step = 0;
+
+	nums[0] = "zero";
+	nums[1] = "one";
+	nums[2] = "two";
+	nums[3] = "three";
+	nums[4] = "four";
+
+	nets[192.168.0.0/16] = "zero";
+	nets[192.168.1.0/24] = "one";
+	nets[192.168.2.0/24] = "two";
+	nets[192.168.3.0/24] = "three";
+	nets[192.168.4.0/24] = "four";
+	}
+
+event new_packet(c: connection, p: pkt_hdr)
+	{
+	if ( step == 0 )
+		{
+		++step;
+		start_time = network_time();
+
+		print "All:";
+		for ( num in nums )
+			print fmt("%s --> %s", num, nums[num]);
+		for ( net in nets )
+			print fmt("%s --> %s", net, nets[net]);
+		print fmt("Time: %s", time_past());
+		print "";
+		}
+
+	if ( (time_past() > 7sec) && (step == 1) )
+		{
+		++step;
+		execute_test();
+		}
+	}
diff --git a/testing/btest/language/hook.bro b/testing/btest/language/hook.bro
index 9c9ab30c18..3edfd9556c 100644
--- a/testing/btest/language/hook.bro
+++ b/testing/btest/language/hook.bro
@@ -10,6 +10,8 @@ global myhook: hook(r: rec);
 global myhook2: hook(s: string);
 # a hook doesn't have to take any arguments
 global myhook4: hook();
+global myhook5: hook(s: string);
+global myhook6: hook(s: string);
 
 hook myhook(r: rec) &priority=5
 	{
@@ -72,6 +74,23 @@ hook myhook4() &priority=2
 	print "myhook4", 2;
 	}
 
+hook myhook5(s: string)
+	{
+	print "myhook5", s;
+	}
+
+hook myhook6(s: string)
+	{
+	print "myhook6", s;
+	break;
+	}
+
+function printMe(s: string): bool
+	{
+	print s;
+	return T;
+	}
+
 event bro_init()
 	{
 	print hook myhook([$a=1156, $b="hello world"]);
@@ -90,4 +109,10 @@ event bro_init()
 	# invoked directly by name.
 	local h = myhook;
 	print hook h([$a=2, $b="it works"]);
+
+	if ( hook myhook5("test") && printMe("second part ran") )
+		print "myhook5 ran";
+
+	if ( ( hook myhook6("test") ) && printMe("second part ran") )
+		print "myhook6 ran";
 	}
diff --git a/testing/btest/language/record-function-recursion.bro b/testing/btest/language/record-function-recursion.bro
new file mode 100644
index 0000000000..90832bfa69
--- /dev/null
+++ b/testing/btest/language/record-function-recursion.bro
@@ -0,0 +1,20 @@
+# @TEST-EXEC: bro -b %INPUT 2>&1 >out
+# @TEST-EXEC: btest-diff out
+
+type Outer: record {
+	id: count &optional;
+};
+
+type Inner: record {
+	create: function(input: Outer) : string;
+};
+
+redef record Outer += {
+	inner: Inner &optional;
+};
+
+event bro_init() {
+	local o = Outer();
+	print o;
+	print type_name(o);
+}
diff --git a/testing/btest/plugins/file-plugin/CMakeLists.txt b/testing/btest/plugins/file-plugin/CMakeLists.txt
index 4823ddb08f..1d0941d9da 100644
--- a/testing/btest/plugins/file-plugin/CMakeLists.txt
+++ b/testing/btest/plugins/file-plugin/CMakeLists.txt
@@ -9,6 +9,9 @@ endif ()
 
 set(CMAKE_MODULE_PATH ${BRO_DIST}/cmake)
 
+find_package(OpenSSL)
+include_directories(${OPENSSL_INCLUDE_DIR})
+
 include(BroPlugin)
 
 bro_plugin_begin(Demo Foo)
diff --git a/testing/btest/plugins/protocol-plugin/CMakeLists.txt b/testing/btest/plugins/protocol-plugin/CMakeLists.txt
index 4bc8460c06..a10fff1d67 100644
--- a/testing/btest/plugins/protocol-plugin/CMakeLists.txt
+++ b/testing/btest/plugins/protocol-plugin/CMakeLists.txt
@@ -9,6 +9,9 @@ endif ()
 
 set(CMAKE_MODULE_PATH ${BRO_DIST}/cmake)
 
+find_package(OpenSSL)
+include_directories(${OPENSSL_INCLUDE_DIR})
+
 include(BroPlugin)
 
 bro_plugin_begin(Demo Foo)
diff --git a/testing/btest/scripts/base/files/entropy/basic.test b/testing/btest/scripts/base/files/entropy/basic.test
new file mode 100644
index 0000000000..2b867eb8cb
--- /dev/null
+++ b/testing/btest/scripts/base/files/entropy/basic.test
@@ -0,0 +1,13 @@
+# @TEST-EXEC: bro -r $TRACES/http/get.trace %INPUT
+# @TEST-EXEC: btest-diff .stdout
+
+
+event file_new(f: fa_file)
+	{
+	Files::add_analyzer(f, Files::ANALYZER_ENTROPY);
+	}
+
+event file_entropy(f: fa_file, ent: entropy_test_result)
+	{
+	print ent;
+	}
\ No newline at end of file
diff --git a/testing/btest/scripts/base/files/x509/1999.test b/testing/btest/scripts/base/files/x509/1999.test
new file mode 100644
index 0000000000..7c1ab7971f
--- /dev/null
+++ b/testing/btest/scripts/base/files/x509/1999.test
@@ -0,0 +1,5 @@
+# Test that the timestamp of a pre-y-2000 certificate is correctly parsed
+
+# @TEST-EXEC: bro -r $TRACES/tls/telesec.pcap
+# @TEST-EXEC: btest-diff x509.log
+
diff --git a/testing/btest/scripts/base/frameworks/input/windows.bro b/testing/btest/scripts/base/frameworks/input/windows.bro
new file mode 100644
index 0000000000..275f5e0713
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/input/windows.bro
@@ -0,0 +1,64 @@
+# Test windows linebreaks
+
+# @TEST-EXEC: btest-bg-run bro bro -b %INPUT
+# @TEST-EXEC: btest-bg-wait 10
+# @TEST-EXEC: btest-diff out
+
+redef exit_only_after_terminate = T;
+
+@TEST-START-FILE input.log
+#separator \x09
+#path	ssh
+#fields	b	i	e	c	p	sn	a	d	t	iv	s	sc	ss	se	vc	ve	ns
+#types	bool	int	enum	count	port	subnet	addr	double	time	interval	string	table	table	table	vector	vector	string
+T	-42	SSH::LOG	21	123	10.0.0.0/24	1.2.3.4	3.14	1315801931.273616	100.000000	hurz	2,4,1,3	CC,AA,BB	EMPTY	10,20,30	EMPTY	4242
+@TEST-END-FILE
+
+@load base/protocols/ssh
+
+global outfile: file;
+
+redef InputAscii::empty_field = "EMPTY";
+
+module A;
+
+type Idx: record {
+	i: int;
+};
+
+type Val: record {
+	b: bool;
+	e: Log::ID;
+	c: count;
+	p: port;
+	sn: subnet;
+	a: addr;
+	d: double;
+	t: time;
+	iv: interval;
+	s: string;
+	ns: string;
+	sc: set[count];
+	ss: set[string];
+	se: set[string];
+	vc: vector of int;
+	ve: vector of int;
+};
+
+global servers: table[int] of Val = table();
+
+event bro_init()
+	{
+	outfile = open("../out");
+	# first read in the old stuff into the table...
+	Input::add_table([$source="../input.log", $name="ssh", $idx=Idx, $val=Val, $destination=servers]);
+	}
+
+event Input::end_of_data(name: string, source:string)
+	{
+	print outfile, servers;
+	print outfile, to_count(servers[-42]$ns); # try to actually use a string. If null-termination is wrong this will fail.
+	Input::remove("ssh");
+	close(outfile);
+	terminate();
+	}
diff --git a/testing/btest/scripts/base/frameworks/logging/ascii-double.bro b/testing/btest/scripts/base/frameworks/logging/ascii-double.bro
new file mode 100644
index 0000000000..e6d9a05e28
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/logging/ascii-double.bro
@@ -0,0 +1,29 @@
+#
+# @TEST-EXEC: bro -b %INPUT
+# @TEST-EXEC: btest-diff test.log
+# 
+# Make sure  we do not write out scientific notation for doubles.
+
+module Test;
+
+export {
+	redef enum Log::ID += { LOG };
+
+	type Info: record {
+		d: double &log;
+	};
+}
+
+event bro_init()
+{
+	Log::create_stream(Test::LOG, [$columns=Info]);
+	Log::write(Test::LOG, [$d=2153226000.0]);
+	Log::write(Test::LOG, [$d=2153226000.1]);
+	Log::write(Test::LOG, [$d=2153226000.123456789]);
+	Log::write(Test::LOG, [$d=1.0]);
+	Log::write(Test::LOG, [$d=1.1]);
+	Log::write(Test::LOG, [$d=1.123456789]);
+	Log::write(Test::LOG, [$d=1.1234]);
+	Log::write(Test::LOG, [$d=3.14e15]);
+}
+
diff --git a/testing/btest/scripts/base/frameworks/netcontrol/acld-hook.bro b/testing/btest/scripts/base/frameworks/netcontrol/acld-hook.bro
new file mode 100644
index 0000000000..e131ec1dc0
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/netcontrol/acld-hook.bro
@@ -0,0 +1,122 @@
+# @TEST-SERIALIZE: brokercomm
+# @TEST-REQUIRES: grep -q ENABLE_BROKER:BOOL=true $BUILD/CMakeCache.txt
+# @TEST-EXEC: btest-bg-run recv "bro -b ../recv.bro broker_port=$BROKER_PORT >recv.out"
+# @TEST-EXEC: btest-bg-run send "bro -b -r $TRACES/tls/ecdhe.pcap --pseudo-realtime ../send.bro broker_port=$BROKER_PORT >send.out"
+
+# @TEST-EXEC: btest-bg-wait 20
+# @TEST-EXEC: btest-diff recv/recv.out
+# @TEST-EXEC: btest-diff send/send.out
+
+@TEST-START-FILE send.bro
+
+@load base/frameworks/netcontrol
+
+const broker_port: port &redef;
+redef exit_only_after_terminate = T;
+
+event NetControl::init()
+	{
+	suspend_processing();
+	local netcontrol_acld = NetControl::create_acld(NetControl::AcldConfig($acld_host=127.0.0.1, $acld_port=broker_port, $acld_topic="bro/event/netcontroltest"));
+	NetControl::activate(netcontrol_acld, 0);
+	}
+
+event NetControl::init_done()
+	{
+	continue_processing();
+	}
+
+event Broker::outgoing_connection_established(peer_address: string,
+                                            peer_port: port,
+                                            peer_name: string)
+	{
+	print "Broker::outgoing_connection_established", peer_address, peer_port;
+	}
+
+event Broker::outgoing_connection_broken(peer_address: string,
+                                       peer_port: port)
+	{
+	terminate();
+	}
+
+hook NetControl::acld_rule_policy(p: NetControl::PluginState, r: NetControl::Rule, ar: NetControl::AclRule)
+	{
+	# use nullzero instead of drop for address drops
+	if ( r$ty == NetControl::DROP && r$entity$ty == NetControl::ADDRESS && ar$command == "drop" )
+		ar$command = "nullzero";
+	}
+
+event connection_established(c: connection)
+	{
+	local id = c$id;
+
+	local flow1 = NetControl::Flow(
+		$src_h=addr_to_subnet(c$id$orig_h),
+		$dst_h=addr_to_subnet(c$id$resp_h)
+	);
+	local e1: NetControl::Entity = [$ty=NetControl::FLOW, $flow=flow1];
+	local r1: NetControl::Rule = [$ty=NetControl::DROP, $target=NetControl::FORWARD, $entity=e1, $expire=10hrs, $location="here"];
+
+	local flow2 = NetControl::Flow(
+		$dst_p=c$id$resp_p
+	);
+	local e2: NetControl::Entity = [$ty=NetControl::FLOW, $flow=flow2];
+	local r2: NetControl::Rule = [$ty=NetControl::DROP, $target=NetControl::FORWARD, $entity=e2, $expire=10hrs, $location="there"];
+
+	NetControl::add_rule(r1);
+	NetControl::add_rule(r2);
+	NetControl::drop_address(id$orig_h, 10hrs);
+	}
+
+event NetControl::rule_added(r: NetControl::Rule, p: NetControl::PluginState, msg: string)
+	{
+	print "rule added", r$entity, r$ty;
+	NetControl::remove_rule(r$id);
+	}
+
+event NetControl::rule_removed(r: NetControl::Rule, p: NetControl::PluginState, msg: string)
+	{
+	print "rule removed", r$entity, r$ty;
+	}
+
+@TEST-END-FILE
+
+@TEST-START-FILE recv.bro
+
+@load base/frameworks/netcontrol
+@load base/frameworks/broker
+
+const broker_port: port &redef;
+redef exit_only_after_terminate = T;
+
+event bro_init()
+	{
+	Broker::enable();
+	Broker::subscribe_to_events("bro/event/netcontroltest");
+	Broker::listen(broker_port, "127.0.0.1");
+	}
+
+event Broker::incoming_connection_established(peer_name: string)
+	{
+	print "Broker::incoming_connection_established";
+	}
+
+event NetControl::acld_add_rule(id: count, r: NetControl::Rule, ar: NetControl::AclRule)
+	{
+	print "add_rule", id, r$entity, r$ty, ar;
+
+	Broker::send_event("bro/event/netcontroltest", Broker::event_args(NetControl::acld_rule_added, id, r, ar$command));
+	}
+
+event NetControl::acld_remove_rule(id: count, r: NetControl::Rule, ar: NetControl::AclRule)
+	{
+	print "remove_rule", id, r$entity, r$ty, ar;
+
+	Broker::send_event("bro/event/netcontroltest", Broker::event_args(NetControl::acld_rule_removed, id, r, ar$command));
+
+	if ( r$cid == 4 )
+		terminate();
+	}
+
+@TEST-END-FILE
+
diff --git a/testing/btest/scripts/base/frameworks/netcontrol/acld.bro b/testing/btest/scripts/base/frameworks/netcontrol/acld.bro
new file mode 100644
index 0000000000..a509b23c00
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/netcontrol/acld.bro
@@ -0,0 +1,115 @@
+# @TEST-SERIALIZE: brokercomm
+# @TEST-REQUIRES: grep -q ENABLE_BROKER:BOOL=true $BUILD/CMakeCache.txt
+# @TEST-EXEC: btest-bg-run recv "bro -b ../recv.bro broker_port=$BROKER_PORT >recv.out"
+# @TEST-EXEC: btest-bg-run send "bro -b -r $TRACES/tls/ecdhe.pcap --pseudo-realtime ../send.bro broker_port=$BROKER_PORT >send.out"
+
+# @TEST-EXEC: btest-bg-wait 20
+# @TEST-EXEC: btest-diff recv/recv.out
+# @TEST-EXEC: btest-diff send/send.out
+
+@TEST-START-FILE send.bro
+
+@load base/frameworks/netcontrol
+
+const broker_port: port &redef;
+redef exit_only_after_terminate = T;
+
+event NetControl::init()
+	{
+	suspend_processing();
+	local netcontrol_acld = NetControl::create_acld(NetControl::AcldConfig($acld_host=127.0.0.1, $acld_port=broker_port, $acld_topic="bro/event/netcontroltest"));
+	NetControl::activate(netcontrol_acld, 0);
+	}
+
+event Broker::outgoing_connection_established(peer_address: string,
+                                            peer_port: port,
+                                            peer_name: string)
+	{
+	print "Broker::outgoing_connection_established", peer_address, peer_port;
+	}
+
+event NetControl::init_done()
+	{
+	continue_processing();
+	}
+
+event Broker::outgoing_connection_broken(peer_address: string,
+                                       peer_port: port)
+	{
+	terminate();
+	}
+
+event connection_established(c: connection)
+	{
+	local id = c$id;
+
+	local flow1 = NetControl::Flow(
+		$src_h=addr_to_subnet(c$id$orig_h),
+		$dst_h=addr_to_subnet(c$id$resp_h)
+	);
+	local e1: NetControl::Entity = [$ty=NetControl::FLOW, $flow=flow1];
+	local r1: NetControl::Rule = [$ty=NetControl::DROP, $target=NetControl::FORWARD, $entity=e1, $expire=10hrs, $location="here"];
+
+	local flow2 = NetControl::Flow(
+		$dst_p=c$id$resp_p
+	);
+	local e2: NetControl::Entity = [$ty=NetControl::FLOW, $flow=flow2];
+	local r2: NetControl::Rule = [$ty=NetControl::DROP, $target=NetControl::FORWARD, $entity=e2, $expire=10hrs, $location="there"];
+
+	NetControl::add_rule(r1);
+	NetControl::add_rule(r2);
+	NetControl::drop_address(id$orig_h, 10hrs);
+	}
+
+event NetControl::rule_added(r: NetControl::Rule, p: NetControl::PluginState, msg: string)
+	{
+	print "rule added", r$entity, r$ty;
+	NetControl::remove_rule(r$id);
+	}
+
+event NetControl::rule_removed(r: NetControl::Rule, p: NetControl::PluginState, msg: string)
+	{
+	print "rule removed", r$entity, r$ty;
+	}
+
+@TEST-END-FILE
+
+@TEST-START-FILE recv.bro
+
+@load base/frameworks/netcontrol
+@load base/frameworks/broker
+
+const broker_port: port &redef;
+redef exit_only_after_terminate = T;
+
+event bro_init()
+	{
+	Broker::enable();
+	Broker::subscribe_to_events("bro/event/netcontroltest");
+	Broker::listen(broker_port, "127.0.0.1");
+	}
+
+event Broker::incoming_connection_established(peer_name: string)
+	{
+	print "Broker::incoming_connection_established";
+	}
+
+event NetControl::acld_add_rule(id: count, r: NetControl::Rule, ar: NetControl::AclRule)
+	{
+	print "add_rule", id, r$entity, r$ty, ar;
+
+	Broker::send_event("bro/event/netcontroltest", Broker::event_args(NetControl::acld_rule_added, id, r, ar$command));
+	}
+
+event NetControl::acld_remove_rule(id: count, r: NetControl::Rule, ar: NetControl::AclRule)
+	{
+	print "remove_rule", id, r$entity, r$ty, ar;
+
+	Broker::send_event("bro/event/netcontroltest", Broker::event_args(NetControl::acld_rule_removed, id, r, ar$command));
+
+	if ( r$cid == 4 )
+		terminate();
+	}
+
+@TEST-END-FILE
+
diff --git a/testing/btest/scripts/base/frameworks/netcontrol/basic-cluster.bro b/testing/btest/scripts/base/frameworks/netcontrol/basic-cluster.bro
new file mode 100644
index 0000000000..5c42f0d8eb
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/netcontrol/basic-cluster.bro
@@ -0,0 +1,62 @@
+# @TEST-SERIALIZE: comm
+#
+# @TEST-EXEC: btest-bg-run manager-1 "cp ../cluster-layout.bro . && CLUSTER_NODE=manager-1 bro %INPUT"
+# @TEST-EXEC: sleep 1
+# @TEST-EXEC: btest-bg-run worker-1  "cp ../cluster-layout.bro . && CLUSTER_NODE=worker-1 bro --pseudo-realtime -C -r $TRACES/tls/ecdhe.pcap %INPUT"
+# @TEST-EXEC: sleep 1
+# @TEST-EXEC: btest-bg-run worker-2  "cp ../cluster-layout.bro . && CLUSTER_NODE=worker-2 bro --pseudo-realtime -C -r $TRACES/tls/ecdhe.pcap %INPUT"
+# @TEST-EXEC: btest-bg-wait 20
+# @TEST-EXEC: btest-diff manager-1/netcontrol.log
+
+@TEST-START-FILE cluster-layout.bro
+redef Cluster::nodes = {
+	["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp, $workers=set("worker-1", "worker-2")],
+	["worker-1"]  = [$node_type=Cluster::WORKER,  $ip=127.0.0.1, $p=37760/tcp, $manager="manager-1", $interface="eth0"],
+	["worker-2"]  = [$node_type=Cluster::WORKER,  $ip=127.0.0.1, $p=37761/tcp, $manager="manager-1", $interface="eth0"],
+};
+@TEST-END-FILE
+
+redef Log::default_rotation_interval = 0secs;
+#redef exit_only_after_terminate = T;
+
+@load base/frameworks/netcontrol
+
+@if ( Cluster::local_node_type() == Cluster::WORKER )
+event bro_init()
+	{
+	suspend_processing();
+	}
+@endif
+
+event NetControl::init()
+	{
+	local netcontrol_debug = NetControl::create_debug(T);
+	NetControl::activate(netcontrol_debug, 0);
+	}
+
+@if ( Cluster::local_node_type() == Cluster::WORKER )
+event remote_connection_handshake_done(p: event_peer)
+	{
+	continue_processing();
+	}
+@endif
+
+event connection_established(c: connection)
+	{
+	local id = c$id;
+	NetControl::shunt_flow([$src_h=id$orig_h, $src_p=id$orig_p, $dst_h=id$resp_h, $dst_p=id$resp_p], 1sec);
+	NetControl::drop_address(id$orig_h, 1sec);
+	}
+
+event terminate_me() {
+	terminate();
+}
+
+event remote_connection_closed(p: event_peer) {
+	schedule 1sec { terminate_me() };
+}
+
+event NetControl::rule_added(r: NetControl::Rule, p: NetControl::PluginState, msg: string &default="")
+	{
+	print "Rule added", r$id, r$cid;
+	}
diff --git a/testing/btest/scripts/base/frameworks/netcontrol/basic.bro b/testing/btest/scripts/base/frameworks/netcontrol/basic.bro
new file mode 100644
index 0000000000..1efe420d73
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/netcontrol/basic.bro
@@ -0,0 +1,44 @@
+# @TEST-EXEC: bro %INPUT
+# @TEST-EXEC: btest-diff netcontrol.log
+# @TEST-EXEC: btest-diff netcontrol_shunt.log
+# @TEST-EXEC: btest-diff netcontrol_drop.log
+# @TEST-EXEC: btest-diff .stdout
+
+@load base/frameworks/netcontrol
+
+event NetControl::init()
+	{
+	local netcontrol_debug = NetControl::create_debug(T);
+	NetControl::activate(netcontrol_debug, 0);
+	}
+
+function test_mac_flow()
+	{
+	local flow = NetControl::Flow(
+		$src_m = "FF:FF:FF:FF:FF:FF"
+	);
+	local e: NetControl::Entity = [$ty=NetControl::FLOW, $flow=flow];
+	local r: NetControl::Rule = [$ty=NetControl::DROP, $target=NetControl::FORWARD, $entity=e, $expire=15sec];
+
+	NetControl::add_rule(r);
+	}
+
+function test_mac()
+	{
+	local e: NetControl::Entity = [$ty=NetControl::MAC, $mac="FF:FF:FF:FF:FF:FF"];
+	local r: NetControl::Rule = [$ty=NetControl::DROP, $target=NetControl::FORWARD, $entity=e, $expire=15sec];
+
+	NetControl::add_rule(r);
+	}
+
+event NetControl::init_done() &priority=-5
+	{
+	NetControl::shunt_flow([$src_h=192.168.17.1, $src_p=32/tcp, $dst_h=192.168.17.2, $dst_p=32/tcp], 30sec);
+	NetControl::drop_address(1.1.2.2, 15sec, "Hi there");
+	NetControl::whitelist_address(1.2.3.4, 15sec);
+	NetControl::redirect_flow([$src_h=192.168.17.1, $src_p=32/tcp, $dst_h=192.168.17.2, $dst_p=32/tcp], 5, 30sec);
+	NetControl::quarantine_host(127.0.0.2, 8.8.8.8, 127.0.0.3, 15sec);
+	test_mac();
+	test_mac_flow();
+	}
+
diff --git a/testing/btest/scripts/base/frameworks/netcontrol/broker.bro b/testing/btest/scripts/base/frameworks/netcontrol/broker.bro
new file mode 100644
index 0000000000..f9328a458d
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/netcontrol/broker.bro
@@ -0,0 +1,107 @@
+# @TEST-SERIALIZE: brokercomm
+# @TEST-REQUIRES: grep -q ENABLE_BROKER:BOOL=true $BUILD/CMakeCache.txt
+# @TEST-EXEC: btest-bg-run recv "bro -b ../recv.bro broker_port=$BROKER_PORT >recv.out"
+# @TEST-EXEC: btest-bg-run send "bro -b -r $TRACES/smtp.trace --pseudo-realtime ../send.bro broker_port=$BROKER_PORT >send.out"
+
+# @TEST-EXEC: btest-bg-wait 20
+# @TEST-EXEC: btest-diff send/netcontrol.log
+# @TEST-EXEC: btest-diff recv/recv.out
+# @TEST-EXEC: btest-diff send/send.out
+
+@TEST-START-FILE send.bro
+
+@load base/frameworks/netcontrol
+
+const broker_port: port &redef;
+redef exit_only_after_terminate = T;
+
+event NetControl::init()
+	{
+	suspend_processing();
+	local netcontrol_broker = NetControl::create_broker(127.0.0.1, broker_port, "bro/event/netcontroltest", T);
+	NetControl::activate(netcontrol_broker, 0);
+	}
+
+event NetControl::init_done()
+	{
+	continue_processing();
+	}
+
+event Broker::outgoing_connection_established(peer_address: string,
+                                            peer_port: port,
+                                            peer_name: string)
+	{
+	print "Broker::outgoing_connection_established", peer_address, peer_port;
+	}
+
+event Broker::outgoing_connection_broken(peer_address: string,
+                                       peer_port: port)
+	{
+	terminate();
+	}
+
+event connection_established(c: connection)
+	{
+	local id = c$id;
+	NetControl::shunt_flow([$src_h=id$orig_h, $src_p=id$orig_p, $dst_h=id$resp_h, $dst_p=id$resp_p], 10hrs);
+	NetControl::drop_address(id$orig_h, 10hrs);
+	}
+
+event NetControl::rule_added(r: NetControl::Rule, p: NetControl::PluginState, msg: string)
+	{
+	print "rule added", r$entity, r$ty;
+	NetControl::remove_rule(r$id);
+	}
+
+event NetControl::rule_removed(r: NetControl::Rule, p: NetControl::PluginState, msg: string)
+	{
+	print "rule removed", r$entity, r$ty;
+	}
+
+event NetControl::rule_timeout(r: NetControl::Rule, i: NetControl::FlowInfo, p: NetControl::PluginState)
+	{
+	print "rule timeout", r$entity, r$ty, i;
+	}
+
+@TEST-END-FILE
+
+@TEST-START-FILE recv.bro
+
+@load base/frameworks/netcontrol
+@load base/frameworks/broker
+
+const broker_port: port &redef;
+redef exit_only_after_terminate = T;
+
+event bro_init()
+	{
+	Broker::enable();
+	Broker::subscribe_to_events("bro/event/netcontroltest");
+	Broker::listen(broker_port, "127.0.0.1");
+	}
+
+event Broker::incoming_connection_established(peer_name: string)
+	{
+	print "Broker::incoming_connection_established";
+	}
+
+event NetControl::broker_add_rule(id: count, r: NetControl::Rule)
+	{
+	print "add_rule", id, r$entity, r$ty;
+
+	Broker::send_event("bro/event/netcontroltest", Broker::event_args(NetControl::broker_rule_added, id, r, ""));
+	}
+
+event NetControl::broker_remove_rule(id: count, r: NetControl::Rule)
+	{
+	print "remove_rule", id, r$entity, r$ty;
+
+	Broker::send_event("bro/event/netcontroltest", Broker::event_args(NetControl::broker_rule_timeout, id, r, NetControl::FlowInfo()));
+	Broker::send_event("bro/event/netcontroltest", Broker::event_args(NetControl::broker_rule_removed, id, r, ""));
+
+	if ( r$cid == 3 )
+		terminate();
+	}
+
+@TEST-END-FILE
+
diff --git a/testing/btest/scripts/base/frameworks/netcontrol/catch-and-release.bro b/testing/btest/scripts/base/frameworks/netcontrol/catch-and-release.bro
new file mode 100644
index 0000000000..a809833ecf
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/netcontrol/catch-and-release.bro
@@ -0,0 +1,31 @@
+# @TEST-EXEC: bro -r $TRACES/tls/ecdhe.pcap %INPUT
+# @TEST-EXEC: TEST_DIFF_CANONIFIER='grep -v ^# | $SCRIPTS/diff-sort' btest-diff netcontrol.log
+
+@load base/frameworks/netcontrol
+
+event NetControl::init()
+	{
+	local netcontrol_debug = NetControl::create_debug(T);
+	NetControl::activate(netcontrol_debug, 0);
+	}
+
+module NetControl;
+
+event connection_established(c: connection)
+	{
+	local id = c$id;
+	NetControl::drop_address_catch_release(id$orig_h);
+	# second one should be ignored because duplicate
+	NetControl::drop_address_catch_release(id$orig_h);
+
+	# mean call directly into framework - simulate new connection
+	delete current_blocks[id$orig_h];
+	check_conn(id$orig_h);
+	delete current_blocks[id$orig_h];
+	check_conn(id$orig_h);
+	delete current_blocks[id$orig_h];
+	check_conn(id$orig_h);
+	delete current_blocks[id$orig_h];
+	check_conn(id$orig_h);
+	}
+
diff --git a/testing/btest/scripts/base/frameworks/netcontrol/delete-internal-state.bro b/testing/btest/scripts/base/frameworks/netcontrol/delete-internal-state.bro
new file mode 100644
index 0000000000..9b8c995fac
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/netcontrol/delete-internal-state.bro
@@ -0,0 +1,54 @@
+# @TEST-EXEC: bro -r $TRACES/tls/ecdhe.pcap %INPUT
+# @TEST-EXEC: btest-diff .stdout
+
+# Verify the state of internal tables after rules have been deleted...
+
+@load base/frameworks/netcontrol
+
+module NetControl;
+
+export {
+	global dump_state: function();
+}
+
+function dump_state()
+	{
+	print "Dumping state";
+	print rules;
+	print rule_entities;
+	print rules_by_subnets;
+	}
+
+module GLOBAL;
+
+global rules: vector of string;
+
+event NetControl::init()
+	{
+	local netcontrol_debug = NetControl::create_debug(T);
+	NetControl::activate(netcontrol_debug, 10);
+	}
+
+event remove_all()
+	{
+	for ( i in rules )
+		NetControl::remove_rule(rules[i]);
+	}
+
+event dump_info()
+	{
+	NetControl::dump_state();
+	}
+
+event connection_established(c: connection)
+	{
+	local id = c$id;
+	rules[|rules|] = NetControl::shunt_flow([$src_h=id$orig_h, $src_p=id$orig_p, $dst_h=id$resp_h, $dst_p=id$resp_p], 0secs);
+	rules[|rules|] = NetControl::drop_address(id$orig_h, 0secs);
+	rules[|rules|] = NetControl::whitelist_address(id$orig_h, 0secs);
+	rules[|rules|] = NetControl::redirect_flow([$src_h=id$orig_h, $src_p=id$orig_p, $dst_h=id$resp_h, $dst_p=id$resp_p], 5, 0secs);
+
+	schedule 1sec { remove_all() };
+	schedule 2sec { dump_info() };
+	}
+
diff --git a/testing/btest/scripts/base/frameworks/netcontrol/duplicate.bro b/testing/btest/scripts/base/frameworks/netcontrol/duplicate.bro
new file mode 100644
index 0000000000..c64bd9e16b
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/netcontrol/duplicate.bro
@@ -0,0 +1,15 @@
+# @TEST-EXEC: bro -b -r $TRACES/tls/google-duplicate.trace %INPUT
+# @TEST-EXEC: btest-diff netcontrol.log
+
+@load base/frameworks/netcontrol
+
+event NetControl::init()
+	{
+	local netcontrol_debug = NetControl::create_debug(T);
+	NetControl::activate(netcontrol_debug, 0);
+	}
+
+event connection_established(c: connection)
+	{
+	NetControl::drop_address(c$id$orig_h, 0secs);
+	}
diff --git a/testing/btest/scripts/base/frameworks/netcontrol/find-rules.bro b/testing/btest/scripts/base/frameworks/netcontrol/find-rules.bro
new file mode 100644
index 0000000000..e7bb61cc04
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/netcontrol/find-rules.bro
@@ -0,0 +1,34 @@
+# @TEST-EXEC: bro %INPUT
+# @TEST-EXEC: btest-diff out
+
+@load base/frameworks/netcontrol
+
+global outfile: file;
+
+event NetControl::init()
+	{
+	local netcontrol_debug = NetControl::create_debug(T);
+	NetControl::activate(netcontrol_debug, 0);
+	}
+
+event NetControl::init_done() &priority=-5
+	{
+	NetControl::shunt_flow([$src_h=192.168.17.1, $src_p=32/tcp, $dst_h=192.168.17.2, $dst_p=32/tcp], 30sec);
+	NetControl::drop_address(1.1.2.2, 15sec, "Hi there");
+	NetControl::whitelist_address(1.2.3.4, 15sec);
+	NetControl::redirect_flow([$src_h=192.168.17.1, $src_p=32/tcp, $dst_h=192.168.17.2, $dst_p=32/tcp], 5, 30sec);
+	NetControl::quarantine_host(127.0.0.2, 8.8.8.8, 127.0.0.3, 15sec);
+
+	outfile = open("out");
+	local rules = NetControl::find_rules_addr(1.2.3.4);
+	print outfile, |rules|;
+	print outfile, rules[0]$entity;
+	rules = NetControl::find_rules_addr(1.2.3.5);
+	print outfile, |rules|;
+	rules = NetControl::find_rules_addr(127.0.0.2);
+	print outfile, |rules|;
+	print outfile, rules[0]$entity, rules[0]$ty;
+	print outfile, rules[3]$entity, rules[3]$ty;
+	close(outfile);
+	}
+
diff --git a/testing/btest/scripts/base/frameworks/netcontrol/hook.bro b/testing/btest/scripts/base/frameworks/netcontrol/hook.bro
new file mode 100644
index 0000000000..02056a1e0a
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/netcontrol/hook.bro
@@ -0,0 +1,27 @@
+# @TEST-EXEC: bro -r $TRACES/tls/ecdhe.pcap %INPUT
+# @TEST-EXEC: btest-diff netcontrol.log
+
+@load base/frameworks/netcontrol
+
+event NetControl::init()
+	{
+	local netcontrol_debug = NetControl::create_debug(T);
+	NetControl::activate(netcontrol_debug, 0);
+	}
+
+event connection_established(c: connection)
+	{
+	local id = c$id;
+	NetControl::shunt_flow([$src_h=id$orig_h, $src_p=id$orig_p, $dst_h=id$resp_h, $dst_p=id$resp_p], 30sec);
+	NetControl::drop_address(id$orig_h, 15sec);
+	NetControl::whitelist_address(id$orig_h, 15sec);
+	NetControl::redirect_flow([$src_h=id$orig_h, $src_p=id$orig_p, $dst_h=id$resp_h, $dst_p=id$resp_p], 5, 30sec);
+	}
+
+hook NetControl::rule_policy(r: NetControl::Rule)
+	{
+	if ( r$expire == 15sec )
+		break;
+
+	r$entity$flow$src_h = 0.0.0.0/0;
+	}
diff --git a/testing/btest/scripts/base/frameworks/netcontrol/multiple.bro b/testing/btest/scripts/base/frameworks/netcontrol/multiple.bro
new file mode 100644
index 0000000000..56a764f2e9
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/netcontrol/multiple.bro
@@ -0,0 +1,37 @@
+# @TEST-EXEC: bro -r $TRACES/tls/ecdhe.pcap %INPUT
+# @TEST-EXEC: TEST_DIFF_CANONIFIER='grep -v ^# | $SCRIPTS/diff-sort' btest-diff netcontrol.log
+# @TEST-EXEC: btest-diff openflow.log
+
+@load base/frameworks/netcontrol
+
+global rules: vector of string;
+
+event NetControl::init()
+	{
+	local netcontrol_debug = NetControl::create_debug(T);
+	local netcontrol_debug_2 = NetControl::create_debug(T);
+	local of_controller = OpenFlow::log_new(42);
+	local netcontrol_of = NetControl::create_openflow(of_controller);
+	NetControl::activate(netcontrol_debug, 10);
+	NetControl::activate(netcontrol_of, 10);
+	NetControl::activate(netcontrol_debug_2, 0);
+	}
+
+event remove_all()
+	{
+	for ( i in rules )
+		NetControl::remove_rule(rules[i]);
+	}
+
+
+event connection_established(c: connection)
+	{
+	local id = c$id;
+	rules[|rules|] = NetControl::shunt_flow([$src_h=id$orig_h, $src_p=id$orig_p, $dst_h=id$resp_h, $dst_p=id$resp_p], 0secs);
+	rules[|rules|] = NetControl::drop_address(id$orig_h, 0secs);
+	rules[|rules|] = NetControl::whitelist_address(id$orig_h, 0secs);
+	rules[|rules|] = NetControl::redirect_flow([$src_h=id$orig_h, $src_p=id$orig_p, $dst_h=id$resp_h, $dst_p=id$resp_p], 5, 0secs);
+
+	schedule 1sec { remove_all() };
+	}
+
diff --git a/testing/btest/scripts/base/frameworks/netcontrol/openflow.bro b/testing/btest/scripts/base/frameworks/netcontrol/openflow.bro
new file mode 100644
index 0000000000..36c06fcc3d
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/netcontrol/openflow.bro
@@ -0,0 +1,21 @@
+# @TEST-EXEC: bro -r $TRACES/smtp.trace %INPUT
+# @TEST-EXEC: btest-diff netcontrol.log
+# @TEST-EXEC: btest-diff openflow.log
+
+@load base/frameworks/netcontrol
+
+global of_controller: OpenFlow::Controller;
+
+event NetControl::init()
+	{
+	of_controller = OpenFlow::log_new(42);
+	local netcontrol_of = NetControl::create_openflow(of_controller);
+	NetControl::activate(netcontrol_of, 0);
+	}
+
+event connection_established(c: connection)
+	{
+	local id = c$id;
+	NetControl::shunt_flow([$src_h=id$orig_h, $src_p=id$orig_p, $dst_h=id$resp_h, $dst_p=id$resp_p], 30sec);
+	NetControl::drop_address(id$resp_h, 15sec);
+	}
diff --git a/testing/btest/scripts/base/frameworks/netcontrol/packetfilter.bro b/testing/btest/scripts/base/frameworks/netcontrol/packetfilter.bro
new file mode 100644
index 0000000000..46a1193a21
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/netcontrol/packetfilter.bro
@@ -0,0 +1,18 @@
+# @TEST-EXEC: bro -r $TRACES/smtp.trace %INPUT
+# @TEST-EXEC: btest-diff conn.log
+
+@load base/frameworks/netcontrol
+
+event NetControl::init()
+	{
+	local netcontrol_packetfilter = NetControl::create_packetfilter();
+	NetControl::activate(netcontrol_packetfilter, 0);
+	}
+
+event connection_established(c: connection)
+	{
+	local e = NetControl::Entity($ty=NetControl::ADDRESS, $ip=addr_to_subnet(c$id$orig_h));
+	local r = NetControl::Rule($ty=NetControl::DROP, $target=NetControl::MONITOR, $entity=e, $expire=10min);
+
+	NetControl::add_rule(r);
+	}
diff --git a/testing/btest/scripts/base/frameworks/netcontrol/quarantine-openflow.bro b/testing/btest/scripts/base/frameworks/netcontrol/quarantine-openflow.bro
new file mode 100644
index 0000000000..9356253c98
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/netcontrol/quarantine-openflow.bro
@@ -0,0 +1,19 @@
+# @TEST-EXEC: bro -r $TRACES/tls/ecdhe.pcap %INPUT
+# @TEST-EXEC: btest-diff netcontrol.log
+# @TEST-EXEC: btest-diff openflow.log
+
+@load base/frameworks/netcontrol
+
+global of_controller: OpenFlow::Controller;
+
+event NetControl::init()
+	{
+	of_controller = OpenFlow::log_new(42);
+	local netcontrol_of = NetControl::create_openflow(of_controller);
+	NetControl::activate(netcontrol_of, 0);
+	}
+
+event connection_established(c: connection)
+	{
+	NetControl::quarantine_host(c$id$orig_h, 8.8.8.8, 192.169.18.1, 10hrs);
+	}
diff --git a/testing/btest/scripts/base/frameworks/netcontrol/timeout.bro b/testing/btest/scripts/base/frameworks/netcontrol/timeout.bro
new file mode 100644
index 0000000000..e308205ffc
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/netcontrol/timeout.bro
@@ -0,0 +1,15 @@
+# @TEST-EXEC: bro -b -r $TRACES/tls/ecdhe.pcap --pseudo-realtime %INPUT
+# @TEST-EXEC: btest-diff netcontrol.log
+
+@load base/frameworks/netcontrol
+
+event NetControl::init()
+	{
+	local netcontrol_debug = NetControl::create_debug(T);
+	NetControl::activate(netcontrol_debug, 0);
+	}
+
+event connection_established(c: connection)
+	{
+	NetControl::drop_address(c$id$orig_h, 1secs);
+	}
diff --git a/testing/btest/scripts/base/frameworks/openflow/broker-basic.bro b/testing/btest/scripts/base/frameworks/openflow/broker-basic.bro
new file mode 100644
index 0000000000..9250590013
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/openflow/broker-basic.bro
@@ -0,0 +1,120 @@
+# @TEST-SERIALIZE: brokercomm
+# @TEST-REQUIRES: grep -q ENABLE_BROKER:BOOL=true $BUILD/CMakeCache.txt
+# @TEST-EXEC: btest-bg-run recv "bro -b ../recv.bro broker_port=$BROKER_PORT >recv.out"
+# @TEST-EXEC: btest-bg-run send "bro -b -r $TRACES/smtp.trace --pseudo-realtime ../send.bro broker_port=$BROKER_PORT >send.out"
+
+# @TEST-EXEC: btest-bg-wait 20
+# @TEST-EXEC: btest-diff recv/recv.out
+# @TEST-EXEC: btest-diff send/send.out
+
+@TEST-START-FILE send.bro
+
+@load base/protocols/conn
+@load base/frameworks/openflow
+
+const broker_port: port &redef;
+redef exit_only_after_terminate = T;
+
+global of_controller: OpenFlow::Controller;
+
+event bro_init()
+	{
+	suspend_processing();
+	of_controller = OpenFlow::broker_new("broker1", 127.0.0.1, broker_port, "bro/event/openflow", 42);
+	}
+
+event Broker::outgoing_connection_established(peer_address: string,
+                                            peer_port: port,
+                                            peer_name: string)
+	{
+	print "Broker::outgoing_connection_established", peer_address, peer_port;
+	}
+
+event OpenFlow::controller_activated(name: string, controller: OpenFlow::Controller)
+	{
+	continue_processing();
+	OpenFlow::flow_clear(of_controller);
+	OpenFlow::flow_mod(of_controller, [], [$cookie=OpenFlow::generate_cookie(1), $command=OpenFlow::OFPFC_ADD, $actions=[$out_ports=vector(3, 7)]]);
+	}
+
+event Broker::outgoing_connection_broken(peer_address: string,
+                                       peer_port: port)
+	{
+	terminate();
+	}
+
+event connection_established(c: connection)
+	{
+	print "connection established";
+	local match = OpenFlow::match_conn(c$id);
+	local match_rev = OpenFlow::match_conn(c$id, T);
+
+	local flow_mod: OpenFlow::ofp_flow_mod = [
+		$cookie=OpenFlow::generate_cookie(42),
+		$command=OpenFlow::OFPFC_ADD,
+		$idle_timeout=30,
+		$priority=5
+	];
+
+	OpenFlow::flow_mod(of_controller, match, flow_mod);
+	OpenFlow::flow_mod(of_controller, match_rev, flow_mod);
+	}
+
+event OpenFlow::flow_mod_success(name: string, match: OpenFlow::ofp_match, flow_mod: OpenFlow::ofp_flow_mod, msg: string)
+	{
+	print "Flow_mod_success";
+	}
+
+event OpenFlow::flow_mod_failure(name: string, match: OpenFlow::ofp_match, flow_mod: OpenFlow::ofp_flow_mod, msg: string)
+	{
+	print "Flow_mod_failure";
+	}
+
+@TEST-END-FILE
+
+@TEST-START-FILE recv.bro
+
+@load base/frameworks/openflow
+
+const broker_port: port &redef;
+redef exit_only_after_terminate = T;
+
+global msg_count: count = 0;
+
+event bro_init()
+	{
+	Broker::enable();
+	Broker::subscribe_to_events("bro/event/openflow");
+	Broker::listen(broker_port, "127.0.0.1");
+	}
+
+event Broker::incoming_connection_established(peer_name: string)
+	{
+	print "Broker::incoming_connection_established";
+	}
+
+function got_message()
+	{
+	++msg_count;
+
+	if ( msg_count >= 4 )
+		terminate();
+	}
+
+event OpenFlow::broker_flow_mod(name: string, dpid: count, match: OpenFlow::ofp_match, flow_mod: OpenFlow::ofp_flow_mod)
+	{
+	print "got flow_mod", dpid, match, flow_mod;
+	Broker::send_event("bro/event/openflow", Broker::event_args(OpenFlow::flow_mod_success, name, match, flow_mod, ""));
+	Broker::send_event("bro/event/openflow", Broker::event_args(OpenFlow::flow_mod_failure, name, match, flow_mod, ""));
+	got_message();
+	}
+
+event OpenFlow::broker_flow_clear(name: string, dpid: count)
+	{
+	print "flow_clear", dpid;
+	got_message();
+	}
+
+
+@TEST-END-FILE
+
diff --git a/testing/btest/scripts/base/frameworks/openflow/log-basic.bro b/testing/btest/scripts/base/frameworks/openflow/log-basic.bro
new file mode 100644
index 0000000000..d4f08e7822
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/openflow/log-basic.bro
@@ -0,0 +1,32 @@
+# @TEST-EXEC: bro -r $TRACES/smtp.trace %INPUT
+# @TEST-EXEC: btest-diff openflow.log
+
+@load base/protocols/conn
+@load base/frameworks/openflow
+
+global of_controller: OpenFlow::Controller;
+
+global cookie_id: count = 42;
+
+event bro_init()
+	{
+	of_controller = OpenFlow::log_new(42);
+
+	OpenFlow::flow_mod(of_controller, [], [$cookie=OpenFlow::generate_cookie(1), $command=OpenFlow::OFPFC_ADD, $actions=[$out_ports=vector(3, 7)]]);
+	}
+
+event connection_established(c: connection)
+	{
+	local match = OpenFlow::match_conn(c$id);
+	local match_rev = OpenFlow::match_conn(c$id, T);
+
+	local flow_mod: OpenFlow::ofp_flow_mod = [
+		$cookie=OpenFlow::generate_cookie(++cookie_id),
+		$command=OpenFlow::OFPFC_ADD,
+		$idle_timeout=30,
+		$priority=5
+	];
+
+	OpenFlow::flow_mod(of_controller, match, flow_mod);
+	OpenFlow::flow_mod(of_controller, match_rev, flow_mod);
+	}
diff --git a/testing/btest/scripts/base/frameworks/openflow/log-cluster.bro b/testing/btest/scripts/base/frameworks/openflow/log-cluster.bro
new file mode 100644
index 0000000000..cccf60cf99
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/openflow/log-cluster.bro
@@ -0,0 +1,55 @@
+# @TEST-SERIALIZE: comm
+#
+# @TEST-EXEC: btest-bg-run manager-1 "cp ../cluster-layout.bro . && CLUSTER_NODE=manager-1 bro %INPUT"
+# @TEST-EXEC: sleep 1
+# @TEST-EXEC: btest-bg-run worker-1  "cp ../cluster-layout.bro . && CLUSTER_NODE=worker-1 bro --pseudo-realtime -C -r $TRACES/smtp.trace %INPUT"
+# @TEST-EXEC: btest-bg-wait 20
+# @TEST-EXEC: btest-diff manager-1/openflow.log
+
+@TEST-START-FILE cluster-layout.bro
+redef Cluster::nodes = {
+	["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp, $workers=set("worker-1", "worker-2")],
+	["worker-1"]  = [$node_type=Cluster::WORKER,  $ip=127.0.0.1, $p=37760/tcp, $manager="manager-1", $interface="eth0"],
+};
+@TEST-END-FILE
+
+redef Log::default_rotation_interval = 0secs;
+#redef exit_only_after_terminate = T;
+
+@load base/protocols/conn
+@load base/frameworks/openflow
+
+global of_controller: OpenFlow::Controller;
+
+event bro_init()
+	{
+	of_controller = OpenFlow::log_new(42);
+	}
+
+event connection_established(c: connection)
+	{
+	print "conn established";
+	local match = OpenFlow::match_conn(c$id);
+	local match_rev = OpenFlow::match_conn(c$id, T);
+
+	local flow_mod: OpenFlow::ofp_flow_mod = [
+		$cookie=OpenFlow::generate_cookie(42),
+		$command=OpenFlow::OFPFC_ADD,
+		$idle_timeout=30,
+		$priority=5
+	];
+
+	OpenFlow::flow_mod(of_controller, match, flow_mod);
+	OpenFlow::flow_mod(of_controller, match_rev, flow_mod);
+
+	terminate();
+	}
+
+event terminate_me() {
+	terminate();
+}
+
+event remote_connection_closed(p: event_peer) {
+	schedule 1sec { terminate_me() };
+}
+
diff --git a/testing/btest/scripts/base/frameworks/openflow/ryu-basic.bro b/testing/btest/scripts/base/frameworks/openflow/ryu-basic.bro
new file mode 100644
index 0000000000..3bfaa4c076
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/openflow/ryu-basic.bro
@@ -0,0 +1,37 @@
+# @TEST-EXEC: bro -r $TRACES/smtp.trace %INPUT
+# @TEST-EXEC: btest-diff .stdout
+
+@load base/protocols/conn
+@load base/frameworks/openflow
+
+global of_controller: OpenFlow::Controller;
+
+event bro_init()
+	{
+	of_controller = OpenFlow::ryu_new(127.0.0.1, 8080, 42);
+	of_controller$state$ryu_debug=T;
+
+	OpenFlow::flow_clear(of_controller);
+	OpenFlow::flow_mod(of_controller, [], [$cookie=OpenFlow::generate_cookie(1), $command=OpenFlow::OFPFC_ADD, $actions=[$out_ports=vector(3, 7)]]);
+	}
+
+event connection_established(c: connection)
+	{
+	local match = OpenFlow::match_conn(c$id);
+	local match_rev = OpenFlow::match_conn(c$id, T);
+
+	local flow_mod: OpenFlow::ofp_flow_mod = [
+		$cookie=OpenFlow::generate_cookie(42),
+		$command=OpenFlow::OFPFC_ADD,
+		$idle_timeout=30,
+		$priority=5
+	];
+
+	OpenFlow::flow_mod(of_controller, match, flow_mod);
+	OpenFlow::flow_mod(of_controller, match_rev, flow_mod);
+	}
+
+event OpenFlow::flow_mod_success(name: string, match: OpenFlow::ofp_match, flow_mod: OpenFlow::ofp_flow_mod, msg: string)
+	{
+	print "Flow_mod_success";
+	}
diff --git a/testing/btest/scripts/base/protocols/arp/basic.test b/testing/btest/scripts/base/protocols/arp/basic.test
new file mode 100644
index 0000000000..9ef1404567
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/arp/basic.test
@@ -0,0 +1,13 @@
+# @TEST-EXEC: bro -r $TRACES/arp-who-has.pcap %INPUT
+# @TEST-EXEC: btest-diff .stdout
+
+event arp_request(mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string)
+	{
+	print mac_src, mac_dst, SPA, SHA, TPA, THA;
+	}
+
+event arp_reply(mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string)
+	{
+	print mac_src, mac_dst, SPA, SHA, TPA, THA;
+	}
+
diff --git a/testing/btest/scripts/base/protocols/conn/new_connection_contents.bro b/testing/btest/scripts/base/protocols/conn/new_connection_contents.bro
new file mode 100644
index 0000000000..42919f6f13
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/conn/new_connection_contents.bro
@@ -0,0 +1,7 @@
+# @TEST-EXEC: bro -r $TRACES/irc-dcc-send.trace %INPUT
+# @TEST-EXEC: btest-diff .stdout
+
+event new_connection_contents(c: connection)
+	{
+	print fmt("new_connection_contents for %s", cat(c$id));
+	}
diff --git a/testing/btest/scripts/base/protocols/dns/caa.bro b/testing/btest/scripts/base/protocols/dns/caa.bro
new file mode 100644
index 0000000000..9a0f4701de
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/dns/caa.bro
@@ -0,0 +1,7 @@
+# @TEST-EXEC: bro -r $TRACES/dns-caa.pcap %INPUT
+# @TEST-EXEC: btest-diff .stdout
+
+event dns_CAA_reply(c: connection, msg: dns_msg, ans: dns_answer, flags: count, tag: string, value: string)
+	{
+	print flags,tag,value;
+	}
diff --git a/testing/btest/scripts/base/protocols/dns/huge-ttl.bro b/testing/btest/scripts/base/protocols/dns/huge-ttl.bro
new file mode 100644
index 0000000000..ee6a76e978
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/dns/huge-ttl.bro
@@ -0,0 +1,7 @@
+# @TEST-EXEC: bro -r $TRACES/dns-huge-ttl.pcap %INPUT
+# @TEST-EXEC: btest-diff .stdout
+
+event dns_A_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr)
+	{
+	print ans;
+	}
diff --git a/testing/btest/scripts/base/protocols/ftp/cwd-navigation.bro b/testing/btest/scripts/base/protocols/ftp/cwd-navigation.bro
new file mode 100644
index 0000000000..c3c5de778a
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/ftp/cwd-navigation.bro
@@ -0,0 +1,12 @@
+# @TEST-EXEC: bro -r $TRACES/ftp/cwd-navigation.pcap >output.log %INPUT
+# @TEST-EXEC: btest-diff conn.log
+# @TEST-EXEC: btest-diff ftp.log
+# @TEST-EXEC: btest-diff output.log
+
+# Make sure we're tracking the CWD correctly.
+event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool) &priority=10
+	{
+	print "CWD", c$ftp$cwd;
+	}
+
+
diff --git a/testing/btest/scripts/base/protocols/ftp/ftp-get-file-size.bro b/testing/btest/scripts/base/protocols/ftp/ftp-get-file-size.bro
new file mode 100644
index 0000000000..4791d31460
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/ftp/ftp-get-file-size.bro
@@ -0,0 +1,5 @@
+# This tests extracting the server reported file size 
+# from FTP sessions.
+#
+# @TEST-EXEC: bro -r $TRACES/ftp/ftp-with-numbers-in-filename.pcap
+# @TEST-EXEC: btest-diff ftp.log
diff --git a/testing/btest/scripts/base/protocols/http/http-bad-request-with-version.bro b/testing/btest/scripts/base/protocols/http/http-bad-request-with-version.bro
new file mode 100644
index 0000000000..f95196e8bd
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/http/http-bad-request-with-version.bro
@@ -0,0 +1,4 @@
+# @TEST-EXEC: bro -Cr $TRACES/http/http-bad-request-with-version.trace %INPUT
+# @TEST-EXEC: btest-diff http.log
+# @TEST-EXEC: btest-diff weird.log
+
diff --git a/testing/btest/scripts/base/protocols/http/http-filename.bro b/testing/btest/scripts/base/protocols/http/http-filename.bro
new file mode 100644
index 0000000000..b20bbddafe
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/http/http-filename.bro
@@ -0,0 +1,8 @@
+# This tests that the HTTP analyzer handles filenames over HTTP correctly.
+#
+# @TEST-EXEC: bro -r $TRACES/http/http-filename.pcap %INPUT
+# @TEST-EXEC: btest-diff http.log
+
+# The base analysis scripts are loaded by default.
+#@load base/protocols/http
+
diff --git a/testing/btest/scripts/base/protocols/imap/capabilities.test b/testing/btest/scripts/base/protocols/imap/capabilities.test
new file mode 100644
index 0000000000..06bdb56b7d
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/imap/capabilities.test
@@ -0,0 +1,12 @@
+# @TEST-EXEC: bro -b -C -r $TRACES/tls/imap-starttls.pcap %INPUT
+# @TEST-EXEC: btest-diff .stdout
+
+@load base/protocols/ssl
+@load base/protocols/conn
+@load base/frameworks/dpd
+@load base/protocols/imap
+
+event imap_capabilities(c: connection, capabilities: string_vec)
+	{
+	print capabilities;
+	}
diff --git a/testing/btest/scripts/base/protocols/imap/starttls.test b/testing/btest/scripts/base/protocols/imap/starttls.test
new file mode 100644
index 0000000000..444c27688a
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/imap/starttls.test
@@ -0,0 +1,15 @@
+# @TEST-EXEC: bro -b -C -r $TRACES/tls/imap-starttls.pcap %INPUT
+# @TEST-EXEC: btest-diff conn.log
+# @TEST-EXEC: btest-diff ssl.log
+# @TEST-EXEC: btest-diff x509.log
+# @TEST-EXEC: btest-diff .stdout
+
+@load base/protocols/ssl
+@load base/protocols/conn
+@load base/frameworks/dpd
+@load base/protocols/imap
+
+event imap_starttls(c: connection)
+	{
+	print "Tls started for connection";
+	}
diff --git a/testing/btest/scripts/base/protocols/irc/events.test b/testing/btest/scripts/base/protocols/irc/events.test
new file mode 100644
index 0000000000..c5220b247b
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/irc/events.test
@@ -0,0 +1,16 @@
+# Test IRC events
+
+# @TEST-EXEC: bro -r $TRACES/irc-dcc-send.trace %INPUT
+# @TEST-EXEC: bro -r $TRACES/irc-basic.trace %INPUT
+# @TEST-EXEC: bro -r $TRACES/irc-whitespace.trace %INPUT
+# @TEST-EXEC: btest-diff .stdout
+
+event irc_privmsg_message(c: connection, is_orig: bool, source: string, target: string, message: string)
+	{
+	print fmt("%s -> %s: %s", source, target, message);
+	}
+
+event irc_quit_message(c: connection, is_orig: bool, nick: string, message: string)
+	{
+	print fmt("quit: %s (%s)", nick, message);
+	}
diff --git a/testing/btest/scripts/base/protocols/rfb/rfb-apple-remote-desktop.test b/testing/btest/scripts/base/protocols/rfb/rfb-apple-remote-desktop.test
new file mode 100644
index 0000000000..e4510f35fb
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/rfb/rfb-apple-remote-desktop.test
@@ -0,0 +1,4 @@
+# @TEST-EXEC: bro -C -r $TRACES/rfb/vncmac.pcap
+# @TEST-EXEC: btest-diff rfb.log
+
+@load base/protocols/rfb
diff --git a/testing/btest/scripts/base/protocols/rfb/vnc-mac-to-linux.test b/testing/btest/scripts/base/protocols/rfb/vnc-mac-to-linux.test
new file mode 100644
index 0000000000..c9dd37f1c1
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/rfb/vnc-mac-to-linux.test
@@ -0,0 +1,4 @@
+# @TEST-EXEC: bro -C -r $TRACES/rfb/vnc-mac-to-linux.pcap
+# @TEST-EXEC: btest-diff rfb.log
+
+@load base/protocols/rfb
diff --git a/testing/btest/scripts/base/protocols/ssh/basic.test b/testing/btest/scripts/base/protocols/ssh/basic.test
index 30e726e1f5..dfa7eb0d49 100644
--- a/testing/btest/scripts/base/protocols/ssh/basic.test
+++ b/testing/btest/scripts/base/protocols/ssh/basic.test
@@ -1,4 +1,5 @@
 # This tests some SSH connections and the output log.
 
 # @TEST-EXEC: bro -r $TRACES/ssh/ssh.trace %INPUT
-# @TEST-EXEC: btest-diff ssh.log
\ No newline at end of file
+# @TEST-EXEC: btest-diff ssh.log
+# @TEST-EXEC: btest-diff conn.log
diff --git a/testing/btest/scripts/base/protocols/ssl/cve-2015-3194.test b/testing/btest/scripts/base/protocols/ssl/cve-2015-3194.test
new file mode 100644
index 0000000000..d2aa7b536f
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/ssl/cve-2015-3194.test
@@ -0,0 +1,6 @@
+# This tests if Bro does not crash when exposed to CVE-2015-3194
+
+# @TEST-EXEC: bro -r $TRACES/tls/CVE-2015-3194.pcap %INPUT
+# @TEST-EXEC: btest-diff ssl.log
+
+@load protocols/ssl/validate-certs.bro
diff --git a/testing/btest/scripts/base/protocols/ssl/dtls-stun-dpd.test b/testing/btest/scripts/base/protocols/ssl/dtls-stun-dpd.test
new file mode 100644
index 0000000000..e005e82e03
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/ssl/dtls-stun-dpd.test
@@ -0,0 +1,10 @@
+# @TEST-EXEC: bro -r $TRACES/tls/webrtc-stun.pcap %INPUT
+# @TEST-EXEC: btest-diff ssl.log
+# @TEST-EXEC: touch dpd.log
+# @TEST-EXEC: btest-diff dpd.log
+
+event ssl_client_hello(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec)
+	{
+	print version, client_random, session_id, ciphers;
+	}
+
diff --git a/testing/btest/scripts/base/protocols/xmpp/client-dpd.test b/testing/btest/scripts/base/protocols/xmpp/client-dpd.test
new file mode 100644
index 0000000000..9c9cc29c8a
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/xmpp/client-dpd.test
@@ -0,0 +1,8 @@
+# @TEST-EXEC: bro -C -b -r $TRACES/tls/xmpp-starttls.pcap %INPUT
+# @TEST-EXEC: btest-diff ssl.log
+
+@load base/frameworks/dpd
+@load base/frameworks/signatures
+@load base/protocols/ssl
+@load base/protocols/conn
+@load-sigs base/protocols/xmpp/dpd.sig
diff --git a/testing/btest/scripts/base/protocols/xmpp/server-dialback-dpd.test b/testing/btest/scripts/base/protocols/xmpp/server-dialback-dpd.test
new file mode 100644
index 0000000000..9483c0cca8
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/xmpp/server-dialback-dpd.test
@@ -0,0 +1,8 @@
+# @TEST-EXEC: bro -C -b -r $TRACES/tls/xmpp-dialback-starttls.pcap %INPUT
+# @TEST-EXEC: btest-diff ssl.log
+
+@load base/frameworks/dpd
+@load base/frameworks/signatures
+@load base/protocols/ssl
+@load base/protocols/conn
+@load-sigs base/protocols/xmpp/dpd.sig
diff --git a/testing/btest/scripts/base/protocols/xmpp/starttls.test b/testing/btest/scripts/base/protocols/xmpp/starttls.test
new file mode 100644
index 0000000000..f046d49283
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/xmpp/starttls.test
@@ -0,0 +1,9 @@
+# @TEST-EXEC: bro -C -b -r $TRACES/tls/xmpp-starttls.pcap %INPUT
+# @TEST-EXEC: btest-diff conn.log
+# @TEST-EXEC: btest-diff ssl.log
+# @TEST-EXEC: btest-diff x509.log
+
+@load base/protocols/conn
+@load base/frameworks/dpd
+@load base/protocols/ssl
+@load base/protocols/xmpp
diff --git a/testing/btest/scripts/policy/frameworks/intel/seen/certs.bro b/testing/btest/scripts/policy/frameworks/intel/seen/certs.bro
index 2ab4c6a50a..859e3a6b9f 100644
--- a/testing/btest/scripts/policy/frameworks/intel/seen/certs.bro
+++ b/testing/btest/scripts/policy/frameworks/intel/seen/certs.bro
@@ -8,6 +8,7 @@
 #fields	indicator	indicator_type	meta.source	meta.desc	meta.url
 www.pantz.org	Intel::DOMAIN	source1	test entry	http://some-data-distributor.com/100000
 www.dresdner-privat.de	Intel::DOMAIN	source1	test entry	http://some-data-distributor.com/100000
+2c322ae2b7fe91391345e070b63668978bb1c9da	Intel::CERT_HASH	source1	test entry	http://some-data-distributor.com/100000
 @TEST-END-FILE
 
 @load base/frameworks/intel
diff --git a/testing/btest/scripts/policy/misc/dump-events.bro b/testing/btest/scripts/policy/misc/dump-events.bro
index 49d3a47aee..33c9c97534 100644
--- a/testing/btest/scripts/policy/misc/dump-events.bro
+++ b/testing/btest/scripts/policy/misc/dump-events.bro
@@ -1,7 +1,18 @@
-# @TEST-EXEC: bro -r $TRACES/smtp.trace policy/misc/dump-events.bro >all-events.log
-# @TEST-EXEC: bro -r $TRACES/smtp.trace policy/misc/dump-events.bro DumpEvents::include_args=F >all-events-no-args.log
-# @TEST-EXEC: bro -r $TRACES/smtp.trace policy/misc/dump-events.bro DumpEvents::include=/smtp_/ >smtp-events.log
-# 
+# @TEST-EXEC: bro -r $TRACES/smtp.trace policy/misc/dump-events.bro %INPUT >all-events.log
+# @TEST-EXEC: bro -r $TRACES/smtp.trace policy/misc/dump-events.bro %INPUT DumpEvents::include_args=F >all-events-no-args.log
+# @TEST-EXEC: bro -r $TRACES/smtp.trace policy/misc/dump-events.bro %INPUT DumpEvents::include=/smtp_/ >smtp-events.log
+#
 # @TEST-EXEC: btest-diff all-events.log
 # @TEST-EXEC: btest-diff all-events-no-args.log
 # @TEST-EXEC: btest-diff smtp-events.log
+
+# There is some kind of race condition between the MD5 and SHA1 events, which are added
+# by the SSL parser. Just remove MD5, this is not important for this test.
+
+event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=-5
+	{
+	if ( ! c?$ssl )
+		return;
+
+	Files::remove_analyzer(f, Files::ANALYZER_MD5);
+	}
diff --git a/testing/btest/scripts/policy/protocols/conn/mac-logging.bro b/testing/btest/scripts/policy/protocols/conn/mac-logging.bro
new file mode 100644
index 0000000000..a3cfbf768f
--- /dev/null
+++ b/testing/btest/scripts/policy/protocols/conn/mac-logging.bro
@@ -0,0 +1,14 @@
+# A basic test of the mac logging script
+
+# @TEST-EXEC: bro -b -C -r $TRACES/wikipedia.trace %INPUT
+# @TEST-EXEC: mv conn.log conn1.log
+# @TEST-EXEC: bro -b -C -r $TRACES/radiotap.pcap %INPUT
+# @TEST-EXEC: mv conn.log conn2.log
+# @TEST-EXEC: bro -b -C -r $TRACES/llc.pcap %INPUT
+# @TEST-EXEC: mv conn.log conn3.log
+#
+# @TEST-EXEC: btest-diff conn1.log
+# @TEST-EXEC: btest-diff conn2.log
+# @TEST-EXEC: btest-diff conn3.log
+
+@load protocols/conn/mac-logging