Merge remote-tracking branch 'origin/master' into topic/dnthayer/lang-docs

2025-10-02 14:48:21 +00:00 · 2012-12-20 14:06:36 -06:00 · 2012-12-20 14:06:36 -06:00 · 75f32093ab
commit 75f32093ab
parent 8c73e83c55 ea6b62f586
138 changed files with 1483 additions and 375 deletions
--- a/94
+++ b/94
@ -1,4 +1,98 @@

+2.1-231 | 2012-12-14 14:51:35 -0800
+
+  * Make const variables actually constant. Both local and global
+    variables declared with "const" could be modified, but now
+    expressions that would modify them generate an error message at
+    parse-time. Addresses #922. (Jon Siwek)
+
+2.1-229 | 2012-12-14 14:46:12 -0800
+
+  * Fix memory leak in ASCII reader when encoutering errors in input.
+    (Bernhard Amann)
+
+  * Improvements for the "bad checksums" detector to make it detect
+    bad TCP checksums. (Seth Hall)
+
+2.1-223 | 2012-12-12 14:25:15 -0800
+
+  * Trick for parallelizing input framework unit tests. Instead of
+    loading listen.bro to block until files are read, just read a pcap
+    file in pseudo-realtime. (Jon Siwek)
+
+  * Fix reliability of a unit test that relies on when statements.
+    (Jon Siwek)
+
+  * Remove unused attributes. (Daniel Thayer)
+        - Removed attributes &postprocessor and &match from documentation and source code.
+        - Removed undocumented attribute &attr from source code.
+        - Removed internal attribute "(&tracked)" from documentation.
+
+2.1-218 | 2012-12-10 14:45:04 -0800
+
+  * Add GPRS Tunnelling Protocol (GTPv1) decapsulation. This currently
+    supports automatic decapsulation of GTP-U packets on UDP port 2152.
+    The GTPv1 headers for such tunnels can be inspected by handling
+    the "gtpv1_g_pdu_packet" event, which has a parameter of type
+    "gtpv1_hdr". Addresses #690. (Jon Siwek; derived from patch by
+    Carsten Langer)
+
+  * Change BinPAC exceptions in AYIYA/GTP analyzers to do
+    "protocol_violation". (Jon Siwek)
+
+2.1-212 | 2012-12-07 19:42:03 -0800
+
+  * Changing the HTTP parser to accept request methods in alignment
+    with the RFC. (Robin Sommer)
+
+2.1-209 | 2012-12-05 16:44:04 -0800
+
+  * Adapting the HTTP request line parsing to only accept methods
+    consisting of letters [A-Za-z]. (Robin Sommer)
+
+2.1-207 | 2012-12-05 15:47:32 -0800
+
+  * Reporting warnings if kill/waitpid fail in communication system.
+    (Bill Parker)
+
+  * Replace() bzero with memset(). (Bill Parker)
+
+  * Merge remote-tracking branch 'vlad/topic/vladg/http-verbs'
+
+    * vlad/topic/vladg/http-verbs:
+      A test for HTTP methods, including some horribly illegal requests.
+      Remove hardcoded HTTP verbs from the analyzer (#741)
+
+    I added a "bad_HTTP_request" weird for HTTP request lines that don't
+    have more than a single word.
+
+    Closes #741. (Robin Sommer)
+
+  * A test for HTTP methods, including some horribly illegal requests. (Vlad Grigorescu)
+
+  * Remove hardcoded HTTP verbs from the analyzer (#741) (Vlad Grigorescu)
+
+
+2.1-203 | 2012-12-05 14:36:56 -0800
+
+  * Fix segfault: Synchronization of state between connecting peers
+    now skips over identifiers that aren't initialized with a value
+    yet. Addresses #66. (Jon Siwek)
+
+  * Fix segfault: Delete correct entry in error case in input
+    framework. (Bernhard Amann)
+
+  * Bad record constructor initializers now give an error. Addresses
+    #34. (Jon Siwek)
+
+  * Invalid vector indices now generate error message. Addresses #24.
+    (Jon Siwek)
+
+  * Bump CPack RPM package requirement to Python >= 2.6.0. (Jon Siwek)
+
+  * Interpreter exceptions occurring in "when" blocks are now handled.
+    Addresses #779 (Jon Siwek)
+
 2.1-195 | 2012-12-03 14:50:33 -0800

  * Catching out-of-memory in patricia tree code. (Bill Parker)
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@ -195,7 +195,7 @@ CheckOptionalBuildSources(aux/broccoli Broccoli INSTALL_BROCCOLI)

 if (INSTALL_BROCTL)
    # CPack RPM Generator may not automatically detect this
-    set(CPACK_RPM_PACKAGE_REQUIRES "python >= 2.4.0")
+    set(CPACK_RPM_PACKAGE_REQUIRES "python >= 2.6.0")
 endif ()

 # If this CMake project is a sub-project of another, we will not
--- a/2
+++ b/2
@ -13,6 +13,8 @@ Bro 2.2
 New Functionality
 ~~~~~~~~~~~~~~~~~

+- GPRS Tunnelling Protocol (GTPv1) decapsulation.
+
 - GridFTP support. TODO: Extend.

 - ssl.log now also records the subject client and issuer certificates.
--- a/2
+++ b/2
@ -1 +1 @@
-2.1-195
+2.1-231
--- a/aux/broccoli
+++ b/aux/broccoli
@ -1 +1 @@
-Subproject commit a8846fc5b004ffe4e3d00e826d0077ba19518192
+Subproject commit 06682dbb15d26d2688bdc9ad76efec17d38dc80f
--- a/aux/broctl
+++ b/aux/broctl
@ -1 +1 @@
-Subproject commit 834131cd0ec0f63cce9de818726fe6167dedbf34
+Subproject commit f4d6a2af15404dc1349d12d2ad21a3eebcb2ff1e
--- a/doc/scripts/builtins.rst
+++ b/doc/scripts/builtins.rst
@ -799,20 +799,12 @@ scripting language supports the following built-in attributes.
    ``&synchronized`` variable is automatically propagated to all peers
    when it changes.

-.. bro:attr:: &postprocessor
-
-.. TODO: needs to be documented.
-
 .. bro:attr:: &encrypt

    Encrypts files right before writing them to disk.

 .. TODO: needs to be documented in more detail.

-.. bro:attr:: &match
-
-.. TODO: needs to be documented.
-
 .. bro:attr:: &raw_output

    Opens a file in raw mode, i.e., non-ASCII characters are not
@ -846,6 +838,3 @@ scripting language supports the following built-in attributes.

 .. TODO: needs documented

-.. bro:attr:: (&tracked)
-
-.. TODO: needs documented or removed if it's not used anywhere.
--- a/scripts/base/frameworks/notice/cluster.bro
+++ b/scripts/base/frameworks/notice/cluster.bro
@ -21,12 +21,10 @@ redef Cluster::manager2worker_events += /Notice::begin_suppression/;
 redef Cluster::worker2manager_events += /Notice::cluster_notice/;

@if ( Cluster::local_node_type() != Cluster::MANAGER )
+
 # The notice policy is completely handled by the manager and shouldn't be 
 # done by workers or proxies to save time for packet processing.
-event bro_init() &priority=11
-	{
-	Notice::policy = table();
-	}
+redef Notice::policy = table();

 event Notice::begin_suppression(n: Notice::Info)
 	{
--- a/scripts/base/frameworks/tunnels/main.bro
+++ b/scripts/base/frameworks/tunnels/main.bro
@ -88,7 +88,10 @@ redef dpd_config += { [ANALYZER_AYIYA] = [$ports = ayiya_ports] };
 const teredo_ports = { 3544/udp };
 redef dpd_config += { [ANALYZER_TEREDO] = [$ports = teredo_ports] };

-redef likely_server_ports += { ayiya_ports, teredo_ports };
+const gtpv1u_ports = { 2152/udp };
+redef dpd_config += { [ANALYZER_GTPV1] = [$ports = gtpv1u_ports] };
+
+redef likely_server_ports += { ayiya_ports, teredo_ports, gtpv1u_ports };

 event bro_init() &priority=5
 	{
--- a/scripts/base/init-bare.bro
+++ b/scripts/base/init-bare.bro
@ -1450,6 +1450,44 @@ type teredo_hdr: record {
 	hdr:    pkt_hdr;                 ##< IPv6 and transport protocol headers.
 };

+## A GTPv1 (GPRS Tunneling Protocol) header.
+type gtpv1_hdr: record {
+	## The 3-bit version field, which for GTPv1 should be 1.
+	version:   count;
+	## Protocol Type value differentiates GTP (value 1) from GTP' (value 0).
+	pt_flag:   bool;
+	## Reserved field, should be 0.
+	rsv:       bool;
+	## Extension Header flag.  When 0, the *next_type* field may or may not
+	## be present, but shouldn't be meaningful.  When 1, *next_type* is
+	## present and meaningful.
+	e_flag:    bool;
+	## Sequence Number flag.  When 0, the *seq* field may or may not
+	## be present, but shouldn't be meaningful.  When 1, *seq* is
+	## present and meaningful.
+	s_flag:    bool;
+	## N-PDU flag.  When 0, the *n_pdu* field may or may not
+	## be present, but shouldn't be meaningful.  When 1, *n_pdu* is
+	## present and meaningful.
+	pn_flag:   bool;
+	## Message Type.  A value of 255 indicates user-plane data is encapsulated.
+	msg_type:  count;
+	## Length of the GTP packet payload (the rest of the packet following the
+	## mandatory 8-byte GTP header).
+	length:    count;
+	## Tunnel Endpoint Identifier.  Unambiguously identifies a tunnel endpoint
+	## in receiving GTP-U or GTP-C protocol entity.
+	teid:      count;
+	## Sequence Number.  Set if any *e_flag*, *s_flag*, or *pn_flag* field is
+	## set.
+	seq:       count &optional;
+	## N-PDU Number.  Set if any *e_flag*, *s_flag*, or *pn_flag* field is set.
+	n_pdu:     count &optional;
+	## Next Extension Header Type.  Set if any *e_flag*, *s_flag*, or *pn_flag*
+	## field is set.
+	next_type: count &optional;
+};
+
 ## Definition of "secondary filters". A secondary filter is a BPF filter given as
 ## index in this table. For each such filter, the corresponding event is raised for
 ## all matching packets.
@ -2786,6 +2824,9 @@ export {
 	## Toggle whether to do IPv6-in-Teredo decapsulation.
 	const enable_teredo = T &redef;

+	## Toggle whether to do GTPv1 decapsulation.
+	const enable_gtpv1 = T &redef;
+
 	## With this option set, the Teredo analysis will first check to see if
 	## other protocol analyzers have confirmed that they think they're
 	## parsing the right protocol and only continue with Teredo tunnel
@ -2802,6 +2843,15 @@ export {
 	## :bro:see:`Tunnel::yielding_teredo_decapsulation`.
 	const delay_teredo_confirmation = T &redef;

+	## With this set, the GTP analyzer waits until the most-recent upflow
+	## and downflow packets are a valid GTPv1 encapsulation before
+	## issuing :bro:see:`protocol_confirmation`.  If it's false, the
+	## first occurence of a packet with valid GTPv1 encapsulation causes
+	## confirmation.  Since the same inner connection can be carried
+	## differing outer upflow/downflow connections, setting to false
+	## may work better.
+	const delay_gtp_confirmation = F &redef;
+
 	## How often to cleanup internal state for inactive IP tunnels.
 	const ip_tunnel_timeout = 24hrs &redef;
 } # end export
--- a/scripts/base/misc/find-checksum-offloading.bro
+++ b/scripts/base/misc/find-checksum-offloading.bro
@ -14,7 +14,8 @@ export {
 }

 # Keep track of how many bad checksums have been seen.
-global bad_checksums = 0;
+global bad_ip_checksums  = 0;
+global bad_tcp_checksums = 0;

 # Track to see if this script is done so that messages aren't created multiple times.
 global done = F;
@ -25,10 +26,19 @@ event ChecksumOffloading::check()
 		return;

 	local pkts_recvd = net_stats()$pkts_recvd;
-	if ( (bad_checksums*1.0 / net_stats()$pkts_recvd*1.0) > 0.05 )
+	local bad_ip_checksum_pct = (pkts_recvd != 0) ? (bad_ip_checksums*1.0 / pkts_recvd*1.0) : 0;
+	local bad_tcp_checksum_pct = (pkts_recvd != 0) ? (bad_tcp_checksums*1.0 / pkts_recvd*1.0) : 0;
+	if ( bad_ip_checksum_pct > 0.05 || bad_tcp_checksum_pct > 0.05 )
 		{
 		local packet_src = reading_traces() ? "trace file likely has" : "interface is likely receiving";
-		local message = fmt("Your %s invalid IP checksums, most likely from NIC checksum offloading.", packet_src);
+		local bad_checksum_msg = (bad_ip_checksum_pct > 0.0) ? "IP" : "";
+		if ( bad_tcp_checksum_pct > 0.0 )
+			{
+			if ( |bad_checksum_msg| > 0 )
+				bad_checksum_msg += " and ";
+			bad_checksum_msg += "TCP";
+			}
+		local message = fmt("Your %s invalid %s checksums, most likely from NIC checksum offloading.", packet_src, bad_checksum_msg);
 		Reporter::warning(message);
 		done = T;
 		}
@ -48,7 +58,13 @@ event bro_init()
 event net_weird(name: string)
 	{
 	if ( name == "bad_IP_checksum" )
-		++bad_checksums;
+		++bad_ip_checksums;
+	}
+
+event conn_weird(name: string, c: connection, addl: string)
+	{
+	if ( name == "bad_TCP_checksum" )
+		++bad_tcp_checksums;
 	}

 event bro_done()
--- a/scripts/base/protocols/http/main.bro
+++ b/scripts/base/protocols/http/main.bro
@ -95,6 +95,19 @@ export {
 		"PROXY-CONNECTION",
 	} &redef;

+	## A list of HTTP methods. Other methods will generate a weird. Note
+        ## that the HTTP analyzer will only accept methods consisting solely
+        ## of letters ``[A-Za-z]``.
+	const http_methods: set[string] = {
+		"GET", "POST", "HEAD", "OPTIONS",
+		"PUT", "DELETE", "TRACE", "CONNECT",
+		# HTTP methods for distributed authoring:
+		"PROPFIND", "PROPPATCH", "MKCOL",
+		"COPY", "MOVE", "LOCK", "UNLOCK",
+		"POLL", "REPORT", "SUBSCRIBE", "BMOVE",
+		"SEARCH"
+	} &redef;
+	
 	## Event that can be handled to access the HTTP record as it is sent on 
 	## to the logging framework.
 	global log_http: event(rec: Info);
@ -180,6 +193,9 @@ event http_request(c: connection, method: string, original_URI: string,
 	
 	c$http$method = method;
 	c$http$uri = unescaped_URI;
+
+	if ( method !in http_methods )
+		event conn_weird("unknown_HTTP_method", c, method);
 	}
 	
 event http_reply(c: connection, version: string, code: count, reason: string) &priority=5
--- a/scripts/base/protocols/smtp/entities.bro
+++ b/scripts/base/protocols/smtp/entities.bro
@ -177,6 +177,10 @@ event mime_one_header(c: connection, h: mime_header_rec)
 	if ( h$name == "CONTENT-DISPOSITION" &&
 	     /[fF][iI][lL][eE][nN][aA][mM][eE]/ in h$value )
 		c$smtp$current_entity$filename = extract_filename_from_content_disposition(h$value);
+
+	if ( h$name == "CONTENT-TYPE" && 
+	     /[nN][aA][mM][eE][:blank:]*=/ in h$value )
+		c$smtp$current_entity$filename = extract_filename_from_content_disposition(h$value);
 	}

 event mime_end_entity(c: connection) &priority=-5
--- a/scripts/base/utils/files.bro
+++ b/scripts/base/utils/files.bro
@ -19,7 +19,7 @@ function generate_extraction_filename(prefix: string, c: connection, suffix: str
 ## the filename.
 function extract_filename_from_content_disposition(data: string): string
 	{
-	local filename = sub(data, /^.*[fF][iI][lL][eE][nN][aA][mM][eE][[:blank:]]*=[[:blank:]]*/, "");
+	local filename = sub(data, /^.*[nN][aA][mM][eE][[:blank:]]*=[[:blank:]]*/, "");
 	# Remove quotes around the filename if they are there.
 	if ( /^\"/ in filename )
 		filename =  split_n(filename, /\"/, F, 2)[2];
--- a/src/AYIYA.cc
+++ b/src/AYIYA.cc
@ -20,5 +20,13 @@ void AYIYA_Analyzer::Done()
 void AYIYA_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, int seq, const IP_Hdr* ip, int caplen)
 	{
 	Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
+
+	try
+		{
 		interp->NewData(orig, data, data + len);
 		}
+	catch ( const binpac::Exception& e )
+		{
+		ProtocolViolation(fmt("Binpac exception: %s", e.c_msg()));
+		}
+	}
--- a/src/Analyzer.cc
+++ b/src/Analyzer.cc
@ -41,6 +41,7 @@
 #include "Syslog-binpac.h"
 #include "Teredo.h"
 #include "ConnSizeAnalyzer.h"
+#include "GTPv1.h"

 // Keep same order here as in AnalyzerTag definition!
 const Analyzer::Config Analyzer::analyzer_configs[] = {
@ -143,6 +144,9 @@ const Analyzer::Config Analyzer::analyzer_configs[] = {
 	{ AnalyzerTag::Teredo, "TEREDO",
 		Teredo_Analyzer::InstantiateAnalyzer,
 		Teredo_Analyzer::Available, 0, false },
+	{ AnalyzerTag::GTPv1, "GTPV1",
+		GTPv1_Analyzer::InstantiateAnalyzer,
+		GTPv1_Analyzer::Available, 0, false },

 	{ AnalyzerTag::File, "FILE", File_Analyzer::InstantiateAnalyzer,
 		File_Analyzer::Available, 0, false },
--- a/src/AnalyzerTags.h
+++ b/src/AnalyzerTags.h
@ -38,6 +38,7 @@ namespace AnalyzerTag {
 		AYIYA,
 		SOCKS,
 		Teredo,
+		GTPv1,

 		// Other
 		File, Backdoor, InterConn, SteppingStone, TCPStats,
--- a/src/Attr.cc
+++ b/src/Attr.cc
@ -14,8 +14,8 @@ const char* attr_name(attr_tag t)
 		"&rotate_interval", "&rotate_size",
 		"&add_func", "&delete_func", "&expire_func",
 		"&read_expire", "&write_expire", "&create_expire",
-		"&persistent", "&synchronized", "&postprocessor",
-		"&encrypt", "&match",
+		"&persistent", "&synchronized",
+		"&encrypt",
 		"&raw_output", "&mergeable", "&priority",
 		"&group", "&log", "&error_handler", "&type_column",
 		"(&tracked)",
@ -337,11 +337,6 @@ void Attributes::CheckAttr(Attr* a)
 			Error("&rotate_size only applicable to files");
 		break;

-	case ATTR_POSTPROCESSOR:
-		if ( type->Tag() != TYPE_FILE )
-			Error("&postprocessor only applicable to files");
-		break;
-
 	case ATTR_ENCRYPT:
 		if ( type->Tag() != TYPE_FILE )
 			Error("&encrypt only applicable to files");
--- a/src/Attr.h
+++ b/src/Attr.h
@ -25,9 +25,7 @@ typedef enum {
 	ATTR_EXPIRE_CREATE,
 	ATTR_PERSISTENT,
 	ATTR_SYNCHRONIZED,
-	ATTR_POSTPROCESSOR,
 	ATTR_ENCRYPT,
-	ATTR_MATCH,
 	ATTR_RAW_OUTPUT,
 	ATTR_MERGEABLE,
 	ATTR_PRIORITY,
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@ -203,6 +203,8 @@ binpac_target(dns.pac
    dns-protocol.pac dns-analyzer.pac)
 binpac_target(dns_tcp.pac
    dns.pac)
+binpac_target(gtpv1.pac
+    gtpv1-protocol.pac gtpv1-analyzer.pac)
 binpac_target(http.pac
    http-protocol.pac http-analyzer.pac)
 binpac_target(ncp.pac)
@ -332,6 +334,7 @@ set(bro_SRCS
    Frame.cc
    Func.cc
    Gnutella.cc
+    GTPv1.cc
    HTTP.cc
    HTTP-binpac.cc
    Hash.cc
--- a/src/Expr.cc
+++ b/src/Expr.cc
@ -229,9 +229,10 @@ bool Expr::DoUnserialize(UnserialInfo* info)
 	}


-NameExpr::NameExpr(ID* arg_id) : Expr(EXPR_NAME)
+NameExpr::NameExpr(ID* arg_id, bool const_init) : Expr(EXPR_NAME)
 	{
 	id = arg_id;
+	in_const_init = const_init;
 	SetType(id->Type()->Ref());

 	EventHandler* h = event_registry->Lookup(id->Name());
@ -287,6 +288,9 @@ Expr* NameExpr::MakeLvalue()
 	if ( id->AsType() )
 		ExprError("Type name is not an lvalue");

+	if ( id->IsConst() && ! in_const_init )
+		ExprError("const is not a modifiable lvalue");
+
 	return new RefExpr(this);
 	}

@ -337,9 +341,11 @@ bool NameExpr::DoSerialize(SerialInfo* info) const

 	// Write out just the name of the function if requested.
 	if ( info->globals_as_names && id->IsGlobal() )
-		return SERIALIZE('n') && SERIALIZE(id->Name());
+		return SERIALIZE('n') && SERIALIZE(id->Name()) &&
+		       SERIALIZE(in_const_init);
 	else
-		return SERIALIZE('f') && id->Serialize(info);
+		return SERIALIZE('f') && id->Serialize(info) &&
+		       SERIALIZE(in_const_init);
 	}

 bool NameExpr::DoUnserialize(UnserialInfo* info)
@ -370,6 +376,9 @@ bool NameExpr::DoUnserialize(UnserialInfo* info)
 	if ( ! id )
 		return false;

+	if ( ! UNSERIALIZE(&in_const_init) )
+		return false;
+
 	return true;
 	}

@ -2950,16 +2959,12 @@ Val* IndexExpr::Fold(Val* v1, Val* v2) const
 	if ( IsError() )
 		return 0;

-	if ( v1->Type()->Tag() == TYPE_VECTOR )
-		{
-		Val* v = v1->AsVectorVal()->Lookup(v2);
-		// ### dangerous - this can silently fail larger operations
-		// due to a missing element
-		return v ? v->Ref() : 0;
-		}
+	Val* v = 0;

-	TableVal* v_tbl = v1->AsTableVal();
-	Val* v = v_tbl->Lookup(v2);
+	if ( v1->Type()->Tag() == TYPE_VECTOR )
+		v = v1->AsVectorVal()->Lookup(v2);
+	else
+		v = v1->AsTableVal()->Lookup(v2);

 	if ( v )
 		return v->Ref();
@ -3290,7 +3295,11 @@ RecordConstructorExpr::RecordConstructorExpr(ListExpr* constructor_list)

 Val* RecordConstructorExpr::InitVal(const BroType* t, Val* aggr) const
 	{
-	RecordVal* rv = Eval(0)->AsRecordVal();
+	Val* v = Eval(0);
+
+	if ( v )
+		{
+		RecordVal* rv = v->AsRecordVal();
 		RecordVal* ar = rv->CoerceTo(t->AsRecordType(), aggr);

 		if ( ar )
@ -3298,13 +3307,11 @@ Val* RecordConstructorExpr::InitVal(const BroType* t, Val* aggr) const
 			Unref(rv);
 			return ar;
 			}
+		}

-	else
-		{
 	Error("bad record initializer");
 	return 0;
 	}
-	}

 Val* RecordConstructorExpr::Fold(Val* v) const
 	{
--- a/src/Expr.h
+++ b/src/Expr.h
@ -198,7 +198,7 @@ protected:

 class NameExpr : public Expr {
 public:
-	NameExpr(ID* id);
+	NameExpr(ID* id, bool const_init = false);
 	~NameExpr();

 	ID* Id() const		{ return id; }
@ -220,6 +220,7 @@ protected:
 	DECLARE_SERIAL(NameExpr);

 	ID* id;
+	bool in_const_init;
 };

 class ConstExpr : public Expr {
--- a/src/File.h
+++ b/src/File.h
@ -56,7 +56,7 @@ public:
 	// Rotates the logfile. Returns rotate_info.
 	RecordVal* Rotate();

-	// Set &rotate_interval, &rotate_size, &postprocessor,
+	// Set &rotate_interval, &rotate_size,
 	// and &raw_output attributes.
 	void SetAttrs(Attributes* attrs);

--- a/src/GTPv1.cc
+++ b/src/GTPv1.cc
@ -0,0 +1,31 @@
+#include "GTPv1.h"
+
+GTPv1_Analyzer::GTPv1_Analyzer(Connection* conn)
+: Analyzer(AnalyzerTag::GTPv1, conn)
+	{
+	interp = new binpac::GTPv1::GTPv1_Conn(this);
+	}
+
+GTPv1_Analyzer::~GTPv1_Analyzer()
+	{
+	delete interp;
+	}
+
+void GTPv1_Analyzer::Done()
+	{
+	Analyzer::Done();
+	Event(udp_session_done);
+	}
+
+void GTPv1_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, int seq, const IP_Hdr* ip, int caplen)
+	{
+	Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
+	try
+		{
+		interp->NewData(orig, data, data + len);
+		}
+	catch ( const binpac::Exception& e )
+		{
+		ProtocolViolation(fmt("Binpac exception: %s", e.c_msg()));
+		}
+	}
--- a/src/GTPv1.h
+++ b/src/GTPv1.h
@ -0,0 +1,29 @@
+#ifndef GTPv1_h
+#define GTPv1_h
+
+#include "gtpv1_pac.h"
+
+class GTPv1_Analyzer : public Analyzer {
+public:
+	GTPv1_Analyzer(Connection* conn);
+	virtual ~GTPv1_Analyzer();
+
+	virtual void Done();
+	virtual void DeliverPacket(int len, const u_char* data, bool orig,
+					int seq, const IP_Hdr* ip, int caplen);
+
+	static Analyzer* InstantiateAnalyzer(Connection* conn)
+		{ return new GTPv1_Analyzer(conn); }
+
+	static bool Available()
+		{ return BifConst::Tunnel::enable_gtpv1 &&
+		         BifConst::Tunnel::max_depth > 0; }
+
+protected:
+	friend class AnalyzerTimer;
+	void ExpireTimer(double t);
+
+	binpac::GTPv1::GTPv1_Conn* interp;
+};
+
+#endif
--- a/src/HTTP.cc
+++ b/src/HTTP.cc
@ -1116,38 +1116,39 @@ const char* HTTP_Analyzer::PrefixWordMatch(const char* line,
 	return line;
 	}

+static bool is_HTTP_token_char(char c)
+	{
+	return c > 31 && c != 127 &&      // CTL per RFC 2616.
+	        c != ' ' && c != '\t' &&  // Separators.
+		c != '(' && c != ')' && c != '<' && c != '>' && c != '@' &&
+		c != ',' && c != ';' && c != ':' && c != '\\' && c != '"' &&
+		c != '/' && c != '[' && c != ']' && c != '?' && c != '=' &&
+		c != '{' && c != '}';
+	}
+
+static const char* get_HTTP_token(const char* s, const char* e)
+	{
+	while ( s < e && is_HTTP_token_char(*s) )
+		++s;
+
+	return s;
+	}
+
+
 int HTTP_Analyzer::HTTP_RequestLine(const char* line, const char* end_of_line)
 	{
 	const char* rest = 0;
-	static const char* http_methods[] = {
-		"GET", "POST", "HEAD",
+	const char* end_of_method = get_HTTP_token(line, end_of_line);

-		"OPTIONS", "PUT", "DELETE", "TRACE", "CONNECT",
+	if ( end_of_method == line )
+		goto error;

-		// HTTP methods for distributed authoring.
-		"PROPFIND", "PROPPATCH", "MKCOL", "DELETE", "PUT",
-		"COPY", "MOVE", "LOCK", "UNLOCK",
-		"POLL", "REPORT", "SUBSCRIBE", "BMOVE",
+	rest = skip_whitespace(end_of_method, end_of_line);

-		"SEARCH",
+	if ( rest == end_of_method )
+		goto error;

-		0,
-	};
-
-	int i;
-	for ( i = 0; http_methods[i]; ++i )
-		if ( (rest = PrefixWordMatch(line, end_of_line, http_methods[i])) != 0 )
-			break;
-
-	if ( ! http_methods[i] )
-		{
-		// Weird("HTTP_unknown_method");
-		if ( RequestExpected() )
-			HTTP_Event("unknown_HTTP_method", new_string_val(line, end_of_line));
-		return 0;
-		}
-
-	request_method = new StringVal(http_methods[i]);
+	request_method = new StringVal(end_of_method - line, line);

 	if ( ! ParseRequest(rest, end_of_line) )
 		reporter->InternalError("HTTP ParseRequest failed");
@ -1157,6 +1158,10 @@ int HTTP_Analyzer::HTTP_RequestLine(const char* line, const char* end_of_line)
 			unescaped_URI->AsString()->Len(), true, true, true, true);

 	return 1;
+
+error:
+	reporter->Weird(Conn(), "bad_HTTP_request");
+	return 0;
 	}

 int HTTP_Analyzer::ParseRequest(const char* line, const char* end_of_line)
--- a/src/NetVar.cc
+++ b/src/NetVar.cc
@ -5,6 +5,7 @@
 #include "Var.h"
 #include "NetVar.h"

+RecordType* gtpv1_hdr_type;
 RecordType* conn_id;
 RecordType* endpoint;
 RecordType* endpoint_stats;
@ -308,6 +309,7 @@ void init_net_var()
 #include "input.bif.netvar_init"
 #include "reporter.bif.netvar_init"

+	gtpv1_hdr_type = internal_type("gtpv1_hdr")->AsRecordType();
 	conn_id = internal_type("conn_id")->AsRecordType();
 	endpoint = internal_type("endpoint")->AsRecordType();
 	endpoint_stats = internal_type("endpoint_stats")->AsRecordType();
--- a/src/NetVar.h
+++ b/src/NetVar.h
@ -8,6 +8,7 @@
 #include "EventRegistry.h"
 #include "Stats.h"

+extern RecordType* gtpv1_hdr_type;
 extern RecordType* conn_id;
 extern RecordType* endpoint;
 extern RecordType* endpoint_stats;
--- a/src/RemoteSerializer.cc
+++ b/src/RemoteSerializer.cc
@ -545,8 +545,11 @@ RemoteSerializer::~RemoteSerializer()
 	{
 	if ( child_pid )
 		{
-		kill(child_pid, SIGKILL);
-		waitpid(child_pid, 0, 0);
+		if ( kill(child_pid, SIGKILL) < 0 )
+			reporter->Warning("warning: cannot kill child (pid %d), %s", child_pid, strerror(errno));
+
+		else if ( waitpid(child_pid, 0, 0) < 0 )
+			reporter->Warning("warning: error encountered during waitpid(%d), %s", child_pid, strerror(errno));
 		}

 	delete io;
@ -1032,6 +1035,14 @@ bool RemoteSerializer::SendAllSynchronized(Peer* peer, SerialInfo* info)

 	for ( ; index < sync_ids.length(); ++index )
 		{
+		if ( ! sync_ids[index]->ID_Val() )
+			{
+#ifdef DEBUG
+			DBG_LOG(DBG_COMM, "Skip sync of ID with null value: %s\n",
+			        sync_ids[index]->Name());
+#endif
+			continue;
+			}
 		cont->SaveContext();

 		StateAccess sa(OP_ASSIGN, sync_ids[index],
@ -3153,7 +3164,10 @@ void RemoteSerializer::FatalError(const char* msg)
 	reporter->Error("%s", msg);

 	closed = true;
-	kill(child_pid, SIGQUIT);
+
+	if ( kill(child_pid, SIGQUIT) < 0 )
+		reporter->Warning("warning: cannot kill child pid %d, %s", child_pid, strerror(errno));
+
 	child_pid = 0;
 	using_communication = false;
 	io->Clear();
@ -3963,7 +3977,7 @@ bool SocketComm::Connect(Peer* peer)
 	{
 	int status;
 	addrinfo hints, *res, *res0;
-	bzero(&hints, sizeof(hints));
+        memset(&hints, 0, sizeof(hints));

 	hints.ai_family = PF_UNSPEC;
 	hints.ai_protocol = IPPROTO_TCP;
@ -4095,7 +4109,7 @@ bool SocketComm::Listen()
 	{
 	int status, on = 1;
 	addrinfo hints, *res, *res0;
-	bzero(&hints, sizeof(hints));
+        memset(&hints, 0, sizeof(hints));

 	IPAddr listen_ip(listen_if);

@ -4360,7 +4374,8 @@ void SocketComm::Kill()

 	CloseListenFDs();

-	kill(getpid(), SIGTERM);
+	if ( kill(getpid(), SIGTERM) < 0 )
+		Log(fmt("warning: cannot kill SocketComm pid %d, %s", getpid(), strerror(errno)));

 	while ( 1 )
 		; // loop until killed
--- a/src/Trigger.cc
+++ b/src/Trigger.cc
@ -217,8 +217,15 @@ bool Trigger::Eval()
 			Name());

 	Unref(v);
+	v = 0;
 	stmt_flow_type flow;
+
+	try
+		{
 		v = body->Exec(f, flow);
+		}
+	catch ( InterpreterException& e )
+		{ /* Already reported. */ }

 	if ( is_return )
 		{
@ -300,7 +307,14 @@ void Trigger::Timeout()
 		{
 		stmt_flow_type flow;
 		Frame* f = frame->Clone();
-		Val* v = timeout_stmts->Exec(f, flow);
+		Val* v = 0;
+
+		try
+			{
+			v = timeout_stmts->Exec(f, flow);
+			}
+		catch ( InterpreterException& e )
+			{ /* Already reported. */ }

 		if ( is_return )
 			{
@ -382,7 +396,7 @@ void Trigger::Attach(Trigger *trigger)

 void Trigger::Cache(const CallExpr* expr, Val* v)
 	{
-	if ( disabled )
+	if ( disabled || ! v )
 		return;

 	ValCache::iterator i = cache.find(expr);
--- a/src/Var.cc
+++ b/src/Var.cc
@ -210,7 +210,6 @@ static void make_var(ID* id, BroType* t, init_class c, Expr* init,
 		// defined.
 		Func* f = new BroFunc(id, 0, 0, 0, 0);
 		id->SetVal(new Val(f));
-		id->SetConst();
 		}
 	}

@ -233,8 +232,9 @@ Stmt* add_local(ID* id, BroType* t, init_class c, Expr* init,

 		Ref(id);

+		Expr* name_expr = new NameExpr(id, dt == VAR_CONST);
 		Stmt* stmt =
-		    new ExprStmt(new AssignExpr(new NameExpr(id), init, 0, 0,
+		    new ExprStmt(new AssignExpr(name_expr, init, 0, 0,
 		        id->Attrs() ? id->Attrs()->Attrs() : 0 ));
 		stmt->SetLocationInfo(init->GetLocationInfo());

--- a/src/const.bif
+++ b/src/const.bif
@ -15,8 +15,10 @@ const Tunnel::max_depth: count;
 const Tunnel::enable_ip: bool;
 const Tunnel::enable_ayiya: bool;
 const Tunnel::enable_teredo: bool;
+const Tunnel::enable_gtpv1: bool;
 const Tunnel::yielding_teredo_decapsulation: bool;
 const Tunnel::delay_teredo_confirmation: bool;
+const Tunnel::delay_gtp_confirmation: bool;
 const Tunnel::ip_tunnel_timeout: interval;

 const Threading::heartbeat_interval: interval;
--- a/src/event.bif
+++ b/src/event.bif
@ -577,6 +577,19 @@ event teredo_origin_indication%(outer: connection, inner: teredo_hdr%);
 ##    it may become particularly expensive for real-time analysis.
 event teredo_bubble%(outer: connection, inner: teredo_hdr%);

+## Generated for GTPv1 G-PDU packets.  That is, packets with a UDP payload
+## that includes a GTP header followed by an IPv4 or IPv6 packet.
+##
+## outer: The GTP outer tunnel connection.
+##
+## inner_gtp: The GTP header.
+##
+## inner_ip: The inner IP and transport layer packet headers.
+##
+## .. note:: Since this event may be raised on a per-packet basis, handling
+##    it may become particularly expensive for real-time analysis.
+event gtpv1_g_pdu_packet%(outer: connection, inner_gtp: gtpv1_hdr, inner_ip: pkt_hdr%);
+
 ## Generated for every packet that has a non-empty transport-layer payload.
 ## This is a very low-level and expensive event that should be avoided when
 ## at all possible.  It's usually infeasible to handle when processing even
@ -858,7 +871,7 @@ event udp_contents%(u: connection, is_orig: bool, contents: string%);
 ## Generated when a UDP session for a supported protocol has finished. Some of
 ## Bro's application-layer UDP analyzers flag the end of a session by raising
 ## this event. Currently, the analyzers for DNS, NTP, Netbios, Syslog, AYIYA,
-## and Teredo support this.
+## Teredo, and GTPv1 support this.
 ##
 ## u: The connection record for the corresponding UDP flow.
 ##
--- a/src/gtpv1-analyzer.pac
+++ b/src/gtpv1-analyzer.pac
@ -0,0 +1,161 @@
+
+connection GTPv1_Conn(bro_analyzer: BroAnalyzer)
+	{
+	upflow = GTPv1_Flow(true);
+	downflow = GTPv1_Flow(false);
+
+	%member{
+		bool valid_orig;
+		bool valid_resp;
+	%}
+
+	%init{
+		valid_orig = valid_resp = false;
+	%}
+
+	function valid(orig: bool): bool
+		%{
+		return orig ? valid_orig : valid_resp;
+		%}
+
+	function set_valid(orig: bool, val: bool): void
+		%{
+		if ( orig )
+			valid_orig = val;
+		else
+			valid_resp = val;
+		%}
+	}
+
+%code{
+inline void violate(const char* r, const BroAnalyzer& a, const bytestring& p)
+	{
+	a->ProtocolViolation(r, (const char*) p.data(), p.length());
+	}
+%}
+
+flow GTPv1_Flow(is_orig: bool)
+	{
+	datagram = GTPv1_Header withcontext(connection, this);
+
+	function process_gtpv1(pdu: GTPv1_Header): bool
+		%{
+		BroAnalyzer a = connection()->bro_analyzer();
+		Connection *c = a->Conn();
+		const EncapsulationStack* e = c->GetEncapsulation();
+
+		connection()->set_valid(is_orig(), false);
+
+		if ( e && e->Depth() >= BifConst::Tunnel::max_depth )
+			{
+			reporter->Weird(c, "tunnel_depth");
+			return false;
+			}
+
+		if ( e && e->LastType() == BifEnum::Tunnel::GTPv1 )
+			{
+			// GTP is never tunneled in GTP so, this must be a regular packet
+			violate("GTP-in-GTP", a, ${pdu.packet});
+			return false;
+			}
+
+		if ( ${pdu.version} != 1 )
+			{
+			// Only know of GTPv1 with Version == 1
+			violate("GTPv1 bad Version", a, ${pdu.packet});
+			return false;
+			}
+
+		if ( ! ${pdu.pt_flag} )
+			{
+			// Not interested in GTP'
+			return false;
+			}
+
+		if ( ${pdu.e_flag} )
+			{
+			// TODO: can't currently parse past extension headers
+			return false;
+			}
+
+		if ( ${pdu.msg_type} != 0xff )
+			{
+			// Only interested in decapsulating user plane data beyond here.
+			return false;
+			}
+
+		if ( ${pdu.packet}.length() < (int)sizeof(struct ip) )
+			{
+			violate("Truncated GTPv1", a, ${pdu.packet});
+			return false;
+			}
+
+		const struct ip* ip = (const struct ip*) ${pdu.packet}.data();
+
+		if ( ip->ip_v != 4 && ip->ip_v != 6 )
+			{
+			violate("non-IP packet in GTPv1", a, ${pdu.packet});
+			return false;
+			}
+
+		IP_Hdr* inner = 0;
+		int result = sessions->ParseIPPacket(${pdu.packet}.length(),
+		     ${pdu.packet}.data(), ip->ip_v == 6 ? IPPROTO_IPV6 : IPPROTO_IPV4,
+		     inner);
+
+		if ( result == 0 )
+			{
+			connection()->set_valid(is_orig(), true);
+
+			if ( (! BifConst::Tunnel::delay_gtp_confirmation) ||
+			     (connection()->valid(true) && connection()->valid(false)) )
+				a->ProtocolConfirmation();
+			}
+
+		else if ( result < 0 )
+			violate("Truncated GTPv1", a, ${pdu.packet});
+
+		else
+			violate("GTPv1 payload length", a, ${pdu.packet});
+
+		if ( result != 0 )
+			{
+			delete inner;
+			return false;
+			}
+
+		if ( ::gtpv1_g_pdu_packet )
+			{
+			RecordVal* rv = new RecordVal(gtpv1_hdr_type);
+
+			rv->Assign(0, new Val(${pdu.version}, TYPE_COUNT));
+			rv->Assign(1, new Val(${pdu.pt_flag}, TYPE_BOOL));
+			rv->Assign(2, new Val(${pdu.rsv}, TYPE_BOOL));
+			rv->Assign(3, new Val(${pdu.e_flag}, TYPE_BOOL));
+			rv->Assign(4, new Val(${pdu.s_flag}, TYPE_BOOL));
+			rv->Assign(5, new Val(${pdu.pn_flag}, TYPE_BOOL));
+			rv->Assign(6, new Val(${pdu.msg_type}, TYPE_COUNT));
+			rv->Assign(7, new Val(ntohs(${pdu.length}), TYPE_COUNT));
+			rv->Assign(8, new Val(ntohl(${pdu.teid}), TYPE_COUNT));
+
+			if ( ${pdu.has_opt} )
+				{
+				rv->Assign(9, new Val(ntohs(${pdu.opt_hdr.seq}), TYPE_COUNT));
+				rv->Assign(10, new Val(${pdu.opt_hdr.n_pdu}, TYPE_COUNT));
+				rv->Assign(11, new Val(${pdu.opt_hdr.next_type}, TYPE_COUNT));
+				}
+
+			BifEvent::generate_gtpv1_g_pdu_packet(a, c, rv,
+			                                      inner->BuildPktHdrVal());
+			}
+
+		EncapsulatingConn ec(c, BifEnum::Tunnel::GTPv1);
+
+		sessions->DoNextInnerPacket(network_time(), 0, inner, e, ec);
+
+		return (result == 0) ? true : false;
+		%}
+
+	};
+
+refine typeattr GTPv1_Header += &let { proc_gtpv1 = $context.flow.process_gtpv1(this); };
--- a/src/gtpv1-protocol.pac
+++ b/src/gtpv1-protocol.pac
@ -0,0 +1,27 @@
+
+type GTPv1_Header = record {
+	flags:     uint8;
+	msg_type:  uint8;
+	length:    uint16;
+	teid:      uint32;
+	opt:       case has_opt of {
+		true  -> opt_hdr: GTPv1_Opt_Header;
+		false -> no_opt:  empty;
+	} &requires(has_opt);
+	packet:    bytestring &restofdata;
+
+} &let {
+	version:  uint8 = (flags & 0xE0) >> 5;
+	pt_flag:  bool  = flags & 0x10;
+	rsv:      bool  = flags & 0x08;
+	e_flag:   bool  = flags & 0x04;
+	s_flag:   bool  = flags & 0x02;
+	pn_flag:  bool  = flags & 0x01;
+	has_opt:  bool  = flags & 0x07;
+} &byteorder = littleendian;
+
+type GTPv1_Opt_Header = record {
+	seq:       uint16;
+	n_pdu:     uint8;
+	next_type: uint8;
+}
--- a/src/gtpv1.pac
+++ b/src/gtpv1.pac
@ -0,0 +1,10 @@
+%include binpac.pac
+%include bro.pac
+
+analyzer GTPv1 withcontext {
+	connection:	GTPv1_Conn;
+	flow:		GTPv1_Flow;
+};
+
+%include gtpv1-protocol.pac
+%include gtpv1-analyzer.pac
--- a/src/input/readers/Ascii.cc
+++ b/src/input/readers/Ascii.cc
@ -273,14 +273,14 @@ Value* Ascii::EntryToVal(string s, FieldMapping field)
 			{
 			Error(Fmt("Field: %s Invalid value for boolean: %s",
 				  field.name.c_str(), s.c_str()));
-			return 0;
+			goto parse_error;
 			}
 		break;

 	case TYPE_INT:
 		val->val.int_val = strtoll(s.c_str(), &end, 10);
 		if ( CheckNumberError(s, end) )
-			return 0;
+			goto parse_error;
 		break;

 	case TYPE_DOUBLE:
@ -288,20 +288,20 @@ Value* Ascii::EntryToVal(string s, FieldMapping field)
 	case TYPE_INTERVAL:
 		val->val.double_val = strtod(s.c_str(), &end);
 		if ( CheckNumberError(s, end) )
-			return 0;
+			goto parse_error;
 		break;

 	case TYPE_COUNT:
 	case TYPE_COUNTER:
 		val->val.uint_val = strtoull(s.c_str(), &end, 10);
 		if ( CheckNumberError(s, end) )
-			return 0;
+			goto parse_error;
 		break;

 	case TYPE_PORT:
 		val->val.port_val.port = strtoull(s.c_str(), &end, 10);
 		if ( CheckNumberError(s, end) )
-			return 0;
+			goto parse_error;

 		val->val.port_val.proto = TRANSPORT_UNKNOWN;
 		break;
@ -313,13 +313,13 @@ Value* Ascii::EntryToVal(string s, FieldMapping field)
 		if ( pos == s.npos )
 			{
 			Error(Fmt("Invalid value for subnet: %s", s.c_str()));
-			return 0;
+			goto parse_error;
 			}

 		uint8_t width = (uint8_t) strtol(s.substr(pos+1).c_str(), &end, 10);

 		if ( CheckNumberError(s, end) )
-			return 0;
+			goto parse_error;

 		string addr = s.substr(0, pos);

@ -349,6 +349,7 @@ Value* Ascii::EntryToVal(string s, FieldMapping field)
 			}

 		unsigned int pos = 0;
+		bool error = false;

 		if ( s.compare(empty_field) == 0 )
 			length = 0;
@ -385,14 +386,16 @@ Value* Ascii::EntryToVal(string s, FieldMapping field)
 				{
 				Error(Fmt("Internal error while parsing set. pos %d >= length %d."
 				          " Element: %s", pos, length, element.c_str()));
+				error = true;
 				break;
 				}

 			Value* newval = EntryToVal(element, field.subType());
 			if ( newval == 0 )
 				{
-				Error("Error while reading set");
-				return 0;
+				Error("Error while reading set or vector");
+				error = true;
+				break;
 				}

 			lvals[pos] = newval;
@ -403,22 +406,32 @@ Value* Ascii::EntryToVal(string s, FieldMapping field)
 		// Test if the string ends with a set_separator... or if the
 		// complete string is empty. In either of these cases we have
 		// to push an empty val on top of it.
-		if ( s.empty() || *s.rbegin() == set_separator[0] )
+		if ( ! error && (s.empty() || *s.rbegin() == set_separator[0]) )
 			{
 			lvals[pos] = EntryToVal("", field.subType());
 			if ( lvals[pos] == 0 )
 				{
 				Error("Error while trying to add empty set element");
-				return 0;
+				goto parse_error;
 				}

 			pos++;
 			}

+		if ( error ) {
+			// We had an error while reading a set or a vector.
+			// Hence we have to clean up the values that have
+			// been read so far
+			for ( unsigned int i = 0; i < pos; i++ )
+				delete lvals[i];
+
+			goto parse_error;
+		}
+
 		if ( pos != length )
 			{
 			Error(Fmt("Internal error while parsing set: did not find all elements: %s", s.c_str()));
-			return 0;
+			goto parse_error;
 			}

 		break;
@ -427,10 +440,14 @@ Value* Ascii::EntryToVal(string s, FieldMapping field)
 	default:
 		Error(Fmt("unsupported field format %d for %s", field.type,
 		field.name.c_str()));
-		return 0;
+		goto parse_error;
 	}

 	return val;
+
+parse_error:
+	delete val;
+	return 0;
 	}

 // read the entire file and send appropriate thingies back to InputMgr
@ -572,7 +589,7 @@ bool Ascii::DoUpdate()
 			// array structure.

 			for ( int i = 0; i < fpos; i++ )
-				delete fields[fpos];
+				delete fields[i];

 			delete [] fields;
 			continue;
--- a/src/parse.y
+++ b/src/parse.y
@ -17,7 +17,7 @@
 %token TOK_STRING TOK_SUBNET TOK_SWITCH TOK_TABLE
 %token TOK_TIME TOK_TIMEOUT TOK_TIMER TOK_TYPE TOK_UNION TOK_VECTOR TOK_WHEN

-%token TOK_ATTR_ADD_FUNC TOK_ATTR_ATTR TOK_ATTR_ENCRYPT TOK_ATTR_DEFAULT
+%token TOK_ATTR_ADD_FUNC TOK_ATTR_ENCRYPT TOK_ATTR_DEFAULT
 %token TOK_ATTR_OPTIONAL TOK_ATTR_REDEF TOK_ATTR_ROTATE_INTERVAL
 %token TOK_ATTR_ROTATE_SIZE TOK_ATTR_DEL_FUNC TOK_ATTR_EXPIRE_FUNC
 %token TOK_ATTR_EXPIRE_CREATE TOK_ATTR_EXPIRE_READ TOK_ATTR_EXPIRE_WRITE
--- a/src/scan.l
+++ b/src/scan.l
@ -319,7 +319,6 @@ vector	return TOK_VECTOR;
 when	return TOK_WHEN;

 &add_func	return TOK_ATTR_ADD_FUNC;
-&attr		return TOK_ATTR_ATTR;
 &create_expire	return TOK_ATTR_EXPIRE_CREATE;
 &default	return TOK_ATTR_DEFAULT;
 &delete_func	return TOK_ATTR_DEL_FUNC;
--- a/src/types.bif
+++ b/src/types.bif
@ -184,6 +184,7 @@ enum Type %{
 	AYIYA,
 	TEREDO,
 	SOCKS,
+	GTPv1,
 %}

 type EncapsulatingConn: record;
--- a/testing/btest/Baseline/core.tunnels.gtp.different_dl_and_ul/conn.log
+++ b/testing/btest/Baseline/core.tunnels.gtp.different_dl_and_ul/conn.log
@ -0,0 +1,12 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	conn
+#open	2012-10-19-17-03-55
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	count	string	count	count	count	count	table[string]
+1333458850.321642	arKYeMETxOg	10.131.17.170	51803	173.199.115.168	80	tcp	http	0.257902	1138	63424	S3	-	0	ShADadf	29	2310	49	65396	UWkUyAuUGXf,k6kgXLOoSKl
+1333458850.325787	k6kgXLOoSKl	207.233.125.40	2152	167.55.105.244	2152	udp	gtpv1	0.251127	65788	0	S0	-	0	D	49	67160	0	0	(empty)
+1333458850.321642	UWkUyAuUGXf	167.55.105.244	5906	207.233.125.40	2152	udp	gtpv1	0.257902	2542	0	S0	-	0	D	29	3354	0	0	(empty)
+#close	2012-10-19-17-03-55
--- a/testing/btest/Baseline/core.tunnels.gtp.different_dl_and_ul/http.log
+++ b/testing/btest/Baseline/core.tunnels.gtp.different_dl_and_ul/http.log
@ -0,0 +1,11 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	http
+#open	2012-10-19-17-03-55
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	filename	tags	username	password	proxied	mime_type	md5	extraction_file
+#types	time	string	addr	port	addr	port	count	string	string	string	string	string	count	count	count	string	count	string	string	table[enum]	string	string	table[string]	string	string	file
+1333458850.340368	arKYeMETxOg	10.131.17.170	51803	173.199.115.168	80	1	GET	cdn.epicgameads.com	/ads/flash/728x90_nx8com.swf?clickTAG=http://www.epicgameads.com/ads/bannerclickPage.php?id=e3ubwU6IF&pd=1&adid=0&icpc=1&axid=0&uctt=1&channel=4&cac=1&t=728x90&cb=1333458879	http://www.epicgameads.com/ads/banneriframe.php?id=e3ubwU6IF&t=728x90&channel=4&cb=1333458905296	Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)	0	31461	200	OK	-	-	-	(empty)	-	-	-	application/x-shockwave-flash	-	-
+1333458850.399501	arKYeMETxOg	10.131.17.170	51803	173.199.115.168	80	2	GET	cdn.epicgameads.com	/ads/flash/728x90_nx8com.swf?clickTAG=http://www.epicgameads.com/ads/bannerclickPage.php?id=e3ubwU6IF&pd=1&adid=0&icpc=1&axid=0&uctt=1&channel=0&cac=1&t=728x90&cb=1333458881	http://www.epicgameads.com/ads/banneriframe.php?id=e3ubwU6IF&t=728x90&cb=1333458920207	Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)	0	31461	200	OK	-	-	-	(empty)	-	-	-	application/x-shockwave-flash	-	-
+#close	2012-10-19-17-03-55
--- a/testing/btest/Baseline/core.tunnels.gtp.different_dl_and_ul/tunnel.log
+++ b/testing/btest/Baseline/core.tunnels.gtp.different_dl_and_ul/tunnel.log
@ -0,0 +1,13 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	tunnel
+#open	2012-10-19-17-03-55
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	tunnel_type	action
+#types	time	string	addr	port	addr	port	enum	enum
+1333458850.321642	UWkUyAuUGXf	167.55.105.244	5906	207.233.125.40	2152	Tunnel::GTPv1	Tunnel::DISCOVER
+1333458850.325787	k6kgXLOoSKl	207.233.125.40	2152	167.55.105.244	2152	Tunnel::GTPv1	Tunnel::DISCOVER
+1333458850.579544	k6kgXLOoSKl	207.233.125.40	2152	167.55.105.244	2152	Tunnel::GTPv1	Tunnel::CLOSE
+1333458850.579544	UWkUyAuUGXf	167.55.105.244	5906	207.233.125.40	2152	Tunnel::GTPv1	Tunnel::CLOSE
+#close	2012-10-19-17-03-55
--- a/testing/btest/Baseline/core.tunnels.gtp.false_gtp/conn.log
+++ b/testing/btest/Baseline/core.tunnels.gtp.false_gtp/conn.log
@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	conn
+#open	2012-10-19-17-07-44
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	count	string	count	count	count	count	table[string]
+1333458871.219794	UWkUyAuUGXf	10.131.24.6	2152	195.178.38.3	53	udp	dns	-	-	-	S0	-	0	D	1	64	0	0	(empty)
+#close	2012-10-19-17-07-44
--- a/testing/btest/Baseline/core.tunnels.gtp.false_gtp/dns.log
+++ b/testing/btest/Baseline/core.tunnels.gtp.false_gtp/dns.log
@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	dns
+#open	2012-10-19-17-07-44
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	trans_id	query	qclass	qclass_name	qtype	qtype_name	rcode	rcode_name	AA	TC	RD	RA	Z	answers	TTLs	rejected
+#types	time	string	addr	port	addr	port	enum	count	string	count	string	count	string	count	string	bool	bool	bool	bool	count	vector[string]	vector[interval]	bool
+1333458871.219794	UWkUyAuUGXf	10.131.24.6	2152	195.178.38.3	53	udp	27595	abcd.efg.hijklm.nm	1	C_INTERNET	1	A	-	-	F	F	T	F	0	-	-	F
+#close	2012-10-19-17-07-44
--- a/testing/btest/Baseline/core.tunnels.gtp.inner_ipv6/conn.log
+++ b/testing/btest/Baseline/core.tunnels.gtp.inner_ipv6/conn.log
@ -0,0 +1,12 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	conn
+#open	2012-10-19-17-21-27
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	count	string	count	count	count	count	table[string]
+1333458851.770000	arKYeMETxOg	fe80::224c:4fff:fe43:414c	1234	ff02::1:3	5355	udp	dns	-	-	-	S0	-	0	D	1	80	0	0	UWkUyAuUGXf
+1333458851.770000	UWkUyAuUGXf	118.92.124.41	2152	118.92.124.72	2152	udp	gtpv1	0.199236	152	0	S0	-	0	D	2	208	0	0	(empty)
+1333458851.969236	k6kgXLOoSKl	fe80::224c:4fff:fe43:414c	133	ff02::2	134	icmp	-	-	-	-	OTH	-	0	-	1	56	0	0	UWkUyAuUGXf
+#close	2012-10-19-17-21-27
--- a/testing/btest/Baseline/core.tunnels.gtp.inner_ipv6/tunnel.log
+++ b/testing/btest/Baseline/core.tunnels.gtp.inner_ipv6/tunnel.log
@ -0,0 +1,11 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	tunnel
+#open	2012-10-19-17-21-27
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	tunnel_type	action
+#types	time	string	addr	port	addr	port	enum	enum
+1333458851.770000	UWkUyAuUGXf	118.92.124.41	2152	118.92.124.72	2152	Tunnel::GTPv1	Tunnel::DISCOVER
+1333458851.969236	UWkUyAuUGXf	118.92.124.41	2152	118.92.124.72	2152	Tunnel::GTPv1	Tunnel::CLOSE
+#close	2012-10-19-17-21-27
--- a/testing/btest/Baseline/core.tunnels.gtp.inner_teredo/conn.log
+++ b/testing/btest/Baseline/core.tunnels.gtp.inner_teredo/conn.log
@ -0,0 +1,26 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	conn
+#open	2012-10-19-17-34-25
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	count	string	count	count	count	count	table[string]
+1333458850.037956	qCaWGmzFtM5	10.131.112.102	51403	94.245.121.253	3544	udp	teredo	-	-	-	SHR	-	0	d	0	0	1	84	GSxOnSLghOa
+1333458850.040098	70MGiRM1Qf4	174.94.190.229	2152	190.104.181.57	2152	udp	gtpv1	0.003698	192	0	S0	-	0	D	2	248	0	0	(empty)
+1333458850.016620	nQcgTWjvg4c	172.24.16.121	61901	94.245.121.251	3544	udp	teredo	-	-	-	S0	-	0	D	1	80	0	0	k6kgXLOoSKl
+1333458850.029781	FrJExwHcSal	172.24.16.67	52298	94.245.121.253	3544	udp	teredo	-	-	-	S0	-	0	D	1	88	0	0	TEfuqmmG4bh
+1333458850.035456	VW0XPVINV8a	190.104.181.210	2152	190.104.181.125	2152	udp	gtpv1	0.000004	194	0	S0	-	0	D	2	250	0	0	(empty)
+1333458850.016620	k6kgXLOoSKl	174.94.190.229	2152	190.104.181.62	2152	udp	gtpv1	0.016267	88	92	SF	-	0	Dd	1	116	1	120	(empty)
+1333458850.029781	TEfuqmmG4bh	190.104.181.254	2152	190.104.181.62	2152	udp	gtpv1	0.000002	192	0	S0	-	0	D	2	248	0	0	(empty)
+1333458850.035460	iE6yhOq3SF	172.27.159.9	63912	94.245.121.254	3544	udp	teredo	-	-	-	S0	-	0	D	1	89	0	0	VW0XPVINV8a
+1333458850.037956	GSxOnSLghOa	190.104.181.57	2152	190.104.181.222	2152	udp	gtpv1	-	-	-	S0	-	0	D	1	120	0	0	(empty)
+1333458850.014199	UWkUyAuUGXf	174.94.190.213	2152	190.104.181.57	2152	udp	gtpv1	-	-	-	S0	-	0	D	1	124	0	0	(empty)
+1333458850.040098	h5DsfNtYzi1	172.24.203.81	54447	65.55.158.118	3544	udp	teredo	0.003698	120	0	S0	-	0	D	2	176	0	0	70MGiRM1Qf4
+1333458850.029783	5OKnoww6xl4	172.24.16.67	52298	65.55.158.118	3544	udp	teredo	-	-	-	S0	-	0	D	1	88	0	0	TEfuqmmG4bh
+1333458850.032887	3PKsZ2Uye21	10.131.42.160	62069	94.245.121.253	3544	udp	teredo	-	-	-	SHR	-	0	d	0	0	1	84	k6kgXLOoSKl
+1333458850.014199	arKYeMETxOg	172.24.204.200	56528	65.55.158.118	3544	udp	teredo	-	-	-	S0	-	0	D	1	88	0	0	UWkUyAuUGXf
+1333458850.035456	fRFu0wcOle6	172.27.159.9	63912	94.245.121.253	3544	udp	teredo	-	-	-	S0	-	0	D	1	89	0	0	VW0XPVINV8a
+1333458850.016620	j4u32Pc5bif	2001:0:5ef5:79fb:38b8:1695:2b37:be8e	128	2002:2571:c817::2571:c817	129	icmp	-	-	-	-	OTH	-	0	-	1	52	0	0	nQcgTWjvg4c
+1333458850.035456	qSsw6ESzHV4	fe80::ffff:ffff:fffe	133	ff02::2	134	icmp	-	0.000004	0	0	OTH	-	0	-	2	96	0	0	fRFu0wcOle6,iE6yhOq3SF
+#close	2012-10-19-17-34-25
--- a/testing/btest/Baseline/core.tunnels.gtp.inner_teredo/tunnel.log
+++ b/testing/btest/Baseline/core.tunnels.gtp.inner_teredo/tunnel.log
@ -0,0 +1,27 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	tunnel
+#open	2012-10-19-17-34-25
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	tunnel_type	action
+#types	time	string	addr	port	addr	port	enum	enum
+1333458850.014199	UWkUyAuUGXf	174.94.190.213	2152	190.104.181.57	2152	Tunnel::GTPv1	Tunnel::DISCOVER
+1333458850.016620	k6kgXLOoSKl	174.94.190.229	2152	190.104.181.62	2152	Tunnel::GTPv1	Tunnel::DISCOVER
+1333458850.016620	nQcgTWjvg4c	172.24.16.121	61901	94.245.121.251	3544	Tunnel::TEREDO	Tunnel::DISCOVER
+1333458850.029781	TEfuqmmG4bh	190.104.181.254	2152	190.104.181.62	2152	Tunnel::GTPv1	Tunnel::DISCOVER
+1333458850.035456	VW0XPVINV8a	190.104.181.210	2152	190.104.181.125	2152	Tunnel::GTPv1	Tunnel::DISCOVER
+1333458850.035456	fRFu0wcOle6	172.27.159.9	63912	94.245.121.253	3544	Tunnel::TEREDO	Tunnel::DISCOVER
+1333458850.035460	iE6yhOq3SF	172.27.159.9	63912	94.245.121.254	3544	Tunnel::TEREDO	Tunnel::DISCOVER
+1333458850.037956	GSxOnSLghOa	190.104.181.57	2152	190.104.181.222	2152	Tunnel::GTPv1	Tunnel::DISCOVER
+1333458850.040098	70MGiRM1Qf4	174.94.190.229	2152	190.104.181.57	2152	Tunnel::GTPv1	Tunnel::DISCOVER
+1333458850.043796	70MGiRM1Qf4	174.94.190.229	2152	190.104.181.57	2152	Tunnel::GTPv1	Tunnel::CLOSE
+1333458850.043796	nQcgTWjvg4c	172.24.16.121	61901	94.245.121.251	3544	Tunnel::TEREDO	Tunnel::CLOSE
+1333458850.043796	VW0XPVINV8a	190.104.181.210	2152	190.104.181.125	2152	Tunnel::GTPv1	Tunnel::CLOSE
+1333458850.043796	k6kgXLOoSKl	174.94.190.229	2152	190.104.181.62	2152	Tunnel::GTPv1	Tunnel::CLOSE
+1333458850.043796	TEfuqmmG4bh	190.104.181.254	2152	190.104.181.62	2152	Tunnel::GTPv1	Tunnel::CLOSE
+1333458850.043796	iE6yhOq3SF	172.27.159.9	63912	94.245.121.254	3544	Tunnel::TEREDO	Tunnel::CLOSE
+1333458850.043796	GSxOnSLghOa	190.104.181.57	2152	190.104.181.222	2152	Tunnel::GTPv1	Tunnel::CLOSE
+1333458850.043796	UWkUyAuUGXf	174.94.190.213	2152	190.104.181.57	2152	Tunnel::GTPv1	Tunnel::CLOSE
+1333458850.043796	fRFu0wcOle6	172.27.159.9	63912	94.245.121.253	3544	Tunnel::TEREDO	Tunnel::CLOSE
+#close	2012-10-19-17-34-25
--- a/testing/btest/Baseline/core.tunnels.gtp.non_recursive/out
+++ b/testing/btest/Baseline/core.tunnels.gtp.non_recursive/out
@ -0,0 +1 @@
+protocol_violation, [orig_h=74.125.216.149, orig_p=2152/udp, resp_h=10.131.138.69, resp_p=2152/udp], GTP-in-GTP [n\xd9'|\x00\x00\x01\xb6[\xf6\xdc0\xb7d\xe5\xe6\xa76\x91\xfbk\x0e\x02\xc8A\x05\xa8\xe6\xf3Gi\x80(]\xcew\x84\xae}\xd2...]
--- a/testing/btest/Baseline/core.tunnels.gtp.not_user_plane_data/conn.log
+++ b/testing/btest/Baseline/core.tunnels.gtp.not_user_plane_data/conn.log
@ -0,0 +1,11 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	conn
+#open	2012-10-19-17-46-48
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	count	string	count	count	count	count	table[string]
+1333458850.532814	UWkUyAuUGXf	247.56.43.90	2152	247.56.43.248	2152	udp	-	-	-	-	S0	-	0	D	1	52	0	0	(empty)
+1333458850.867091	arKYeMETxOg	247.56.43.214	2152	237.56.101.238	2152	udp	-	0.028676	12	14	SF	-	0	Dd	1	40	1	42	(empty)
+#close	2012-10-19-17-46-48
--- a/testing/btest/Baseline/core.tunnels.gtp.opt_header/conn.log
+++ b/testing/btest/Baseline/core.tunnels.gtp.opt_header/conn.log
@ -0,0 +1,11 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	conn
+#open	2012-10-19-17-19-16
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	count	string	count	count	count	count	table[string]
+1333458852.011535	arKYeMETxOg	10.222.10.10	44960	173.194.69.188	5228	tcp	ssl	0.573499	704	1026	S1	-	0	ShADad	17	1604	14	1762	UWkUyAuUGXf
+1333458852.011535	UWkUyAuUGXf	79.188.154.91	2152	243.149.173.198	2152	udp	gtpv1	0.573499	1740	1930	SF	-	0	Dd	17	2216	14	2322	(empty)
+#close	2012-10-19-17-19-16
--- a/testing/btest/Baseline/core.tunnels.gtp.opt_header/out
+++ b/testing/btest/Baseline/core.tunnels.gtp.opt_header/out
@ -0,0 +1,31 @@
+gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, msg_type=255, length=60, teid=1980578736, seq=<uninitialized>, n_pdu=<uninitialized>, next_type=<uninitialized>]
+gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, msg_type=255, length=60, teid=1980578736, seq=<uninitialized>, n_pdu=<uninitialized>, next_type=<uninitialized>]
+gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=255, length=64, teid=159098, seq=0, n_pdu=0, next_type=0]
+gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, msg_type=255, length=52, teid=1980578736, seq=<uninitialized>, n_pdu=<uninitialized>, next_type=<uninitialized>]
+gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, msg_type=255, length=170, teid=1980578736, seq=<uninitialized>, n_pdu=<uninitialized>, next_type=<uninitialized>]
+gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=255, length=56, teid=159098, seq=1, n_pdu=0, next_type=0]
+gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=255, length=194, teid=159098, seq=2, n_pdu=0, next_type=0]
+gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, msg_type=255, length=52, teid=1980578736, seq=<uninitialized>, n_pdu=<uninitialized>, next_type=<uninitialized>]
+gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, msg_type=255, length=111, teid=1980578736, seq=<uninitialized>, n_pdu=<uninitialized>, next_type=<uninitialized>]
+gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=255, length=56, teid=159098, seq=3, n_pdu=0, next_type=0]
+gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, msg_type=255, length=89, teid=1980578736, seq=<uninitialized>, n_pdu=<uninitialized>, next_type=<uninitialized>]
+gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=255, length=56, teid=159098, seq=4, n_pdu=0, next_type=0]
+gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=255, length=93, teid=159098, seq=5, n_pdu=0, next_type=0]
+gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, msg_type=255, length=52, teid=1980578736, seq=<uninitialized>, n_pdu=<uninitialized>, next_type=<uninitialized>]
+gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, msg_type=255, length=457, teid=1980578736, seq=<uninitialized>, n_pdu=<uninitialized>, next_type=<uninitialized>]
+gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=255, length=157, teid=159098, seq=6, n_pdu=0, next_type=0]
+gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=255, length=173, teid=159098, seq=7, n_pdu=0, next_type=0]
+gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, msg_type=255, length=52, teid=1980578736, seq=<uninitialized>, n_pdu=<uninitialized>, next_type=<uninitialized>]
+gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, msg_type=255, length=52, teid=1980578736, seq=<uninitialized>, n_pdu=<uninitialized>, next_type=<uninitialized>]
+gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, msg_type=255, length=137, teid=1980578736, seq=<uninitialized>, n_pdu=<uninitialized>, next_type=<uninitialized>]
+gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=255, length=56, teid=159098, seq=8, n_pdu=0, next_type=0]
+gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=255, length=157, teid=159098, seq=9, n_pdu=0, next_type=0]
+gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=255, length=189, teid=159098, seq=10, n_pdu=0, next_type=0]
+gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=255, length=173, teid=159098, seq=11, n_pdu=0, next_type=0]
+gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=255, length=205, teid=159098, seq=12, n_pdu=0, next_type=0]
+gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=255, length=189, teid=159098, seq=13, n_pdu=0, next_type=0]
+gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, msg_type=255, length=52, teid=1980578736, seq=<uninitialized>, n_pdu=<uninitialized>, next_type=<uninitialized>]
+gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, msg_type=255, length=52, teid=1980578736, seq=<uninitialized>, n_pdu=<uninitialized>, next_type=<uninitialized>]
+gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, msg_type=255, length=52, teid=1980578736, seq=<uninitialized>, n_pdu=<uninitialized>, next_type=<uninitialized>]
+gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, msg_type=255, length=52, teid=1980578736, seq=<uninitialized>, n_pdu=<uninitialized>, next_type=<uninitialized>]
+gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, msg_type=255, length=52, teid=1980578736, seq=<uninitialized>, n_pdu=<uninitialized>, next_type=<uninitialized>]
--- a/testing/btest/Baseline/core.tunnels.gtp.opt_header/tunnel.log
+++ b/testing/btest/Baseline/core.tunnels.gtp.opt_header/tunnel.log
@ -0,0 +1,11 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	tunnel
+#open	2012-10-19-17-19-16
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	tunnel_type	action
+#types	time	string	addr	port	addr	port	enum	enum
+1333458852.011535	UWkUyAuUGXf	79.188.154.91	2152	243.149.173.198	2152	Tunnel::GTPv1	Tunnel::DISCOVER
+1333458852.585034	UWkUyAuUGXf	79.188.154.91	2152	243.149.173.198	2152	Tunnel::GTPv1	Tunnel::CLOSE
+#close	2012-10-19-17-19-16
--- a/testing/btest/Baseline/core.tunnels.gtp.outer_ip_frag/conn.log
+++ b/testing/btest/Baseline/core.tunnels.gtp.outer_ip_frag/conn.log
@ -0,0 +1,11 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	conn
+#open	2012-10-19-16-44-02
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	count	string	count	count	count	count	table[string]
+1333458850.364667	arKYeMETxOg	10.131.47.185	1923	79.101.110.141	80	tcp	http	0.069783	2100	56702	SF	-	0	ShADadfF	27	3204	41	52594	UWkUyAuUGXf
+1333458850.364667	UWkUyAuUGXf	239.114.155.111	2152	63.94.149.181	2152	udp	gtpv1	0.069813	3420	52922	SF	-	0	Dd	27	4176	41	54070	(empty)
+#close	2012-10-19-16-44-02
--- a/testing/btest/Baseline/core.tunnels.gtp.outer_ip_frag/http.log
+++ b/testing/btest/Baseline/core.tunnels.gtp.outer_ip_frag/http.log
@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	http
+#open	2012-10-19-16-44-02
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	filename	tags	username	password	proxied	mime_type	md5	extraction_file
+#types	time	string	addr	port	addr	port	count	string	string	string	string	string	count	count	count	string	count	string	string	table[enum]	string	string	table[string]	string	string	file
+1333458850.375568	arKYeMETxOg	10.131.47.185	1923	79.101.110.141	80	1	GET	o-o.preferred.telekomrs-beg1.v2.lscache8.c.youtube.com	/videoplayback?upn=MTU2MDY5NzQ5OTM0NTI3NDY4NDc&sparams=algorithm,burst,cp,factor,id,ip,ipbits,itag,source,upn,expire&fexp=912300,907210&algorithm=throttle-factor&itag=34&ip=212.0.0.0&burst=40&sver=3&signature=832FB1042E20780CFCA77A4DB5EA64AC593E8627.D1166C7E8365732E52DAFD68076DAE0146E0AE01&source=youtube&expire=1333484980&key=yt1&ipbits=8&factor=1.25&cp=U0hSSFRTUl9NSkNOMl9MTVZKOjh5eEN2SG8tZF84&id=ebf1e932d4bd1286&cm2=1	http://s.ytimg.com/yt/swfbin/watch_as3-vflqrJwOA.swf	Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.11 (KHTML, like Gecko; X-SBLSP) Chrome/17.0.963.83 Safari/535.11	0	56320	206	Partial Content	-	-	-	(empty)	-	-	-	application/octet-stream	-	-
+#close	2012-10-19-16-44-02
--- a/testing/btest/Baseline/core.tunnels.gtp.outer_ip_frag/tunnel.log
+++ b/testing/btest/Baseline/core.tunnels.gtp.outer_ip_frag/tunnel.log
@ -0,0 +1,11 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	tunnel
+#open	2012-10-19-16-44-02
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	tunnel_type	action
+#types	time	string	addr	port	addr	port	enum	enum
+1333458850.364667	UWkUyAuUGXf	239.114.155.111	2152	63.94.149.181	2152	Tunnel::GTPv1	Tunnel::DISCOVER
+1333458850.434480	UWkUyAuUGXf	239.114.155.111	2152	63.94.149.181	2152	Tunnel::GTPv1	Tunnel::CLOSE
+#close	2012-10-19-16-44-02
--- a/testing/btest/Baseline/core.tunnels.gtp.unknown_or_too_short/dpd.log
+++ b/testing/btest/Baseline/core.tunnels.gtp.unknown_or_too_short/dpd.log
@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	dpd
+#open	2012-10-19-17-38-54
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	analyzer	failure_reason
+#types	time	string	addr	port	addr	port	enum	string	string
+1333458853.075889	UWkUyAuUGXf	173.86.159.28	2152	213.72.147.186	2152	udp	GTPV1	Truncated GTPv1 [E\x00\x05\xc8G\xea@\x00\x80\x06\xb6\x83\x0a\x83w&\xd9\x14\x9c\x04\xd9\xc2\x00P\xddh\xb4\x8f41eVP\x10\x10\xe0u\xcf\x00\x00...]
+#close	2012-10-19-17-38-54
--- a/testing/btest/Baseline/core.tunnels.gtp.unknown_or_too_short/tunnel.log
+++ b/testing/btest/Baseline/core.tunnels.gtp.unknown_or_too_short/tunnel.log
@ -0,0 +1,11 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	tunnel
+#open	2012-10-19-17-38-54
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	tunnel_type	action
+#types	time	string	addr	port	addr	port	enum	enum
+1333458853.034734	UWkUyAuUGXf	173.86.159.28	2152	213.72.147.186	2152	Tunnel::GTPv1	Tunnel::DISCOVER
+1333458853.108391	UWkUyAuUGXf	173.86.159.28	2152	213.72.147.186	2152	Tunnel::GTPv1	Tunnel::CLOSE
+#close	2012-10-19-17-38-54
--- a/testing/btest/Baseline/core.when-interpreter-exceptions/bro..stderr
+++ b/testing/btest/Baseline/core.when-interpreter-exceptions/bro..stderr
@ -0,0 +1,5 @@
+1355264617.053514 expression error in /home/jsiwek/bro/testing/btest/.tmp/core.when-interpreter-exceptions/when-interpreter-exceptions.bro, line 32: field value missing [p$ip]
+1355264617.053514 expression error in /home/jsiwek/bro/testing/btest/.tmp/core.when-interpreter-exceptions/when-interpreter-exceptions.bro, line 53: field value missing [p$ip]
+1355264617.053514 expression error in /home/jsiwek/bro/testing/btest/.tmp/core.when-interpreter-exceptions/when-interpreter-exceptions.bro, line 43: field value missing [p$ip]
+1355264617.053514 expression error in /home/jsiwek/bro/testing/btest/.tmp/core.when-interpreter-exceptions/when-interpreter-exceptions.bro, line 16: field value missing [p$ip]
+1355264617.053514 received termination signal
--- a/testing/btest/Baseline/core.when-interpreter-exceptions/bro..stdout
+++ b/testing/btest/Baseline/core.when-interpreter-exceptions/bro..stdout
@ -0,0 +1,8 @@
+timeout g(), F
+timeout g(), T
+timeout
+g() done, no exception, T
+localhost resolved
+localhost resolved from f(), T
+localhost resolved from f(), F
+f() done, no exception, T
--- a/testing/btest/Baseline/istate.sync/receiver.vars.log
+++ b/testing/btest/Baseline/istate.sync/receiver.vars.log
@ -31,3 +31,4 @@ file "test2" of string
 6667/tcp
 [2, 20, 3, 4]
 [a=zxzxzx, b=[a=pop, b=43, c=9.999], c=[a=IOIOI, b=201, c=612.2], d=6.6666, e=<uninitialized>]
+122112
--- a/testing/btest/Baseline/istate.sync/sender.vars.log
+++ b/testing/btest/Baseline/istate.sync/sender.vars.log
@ -31,3 +31,4 @@ file "test2" of string
 6667/tcp
 [2, 20, 3, 4]
 [a=zxzxzx, b=[a=pop, b=43, c=9.999], c=[a=IOIOI, b=201, c=612.2], d=6.6666, e=<uninitialized>]
+122112
--- a/testing/btest/Baseline/language.const/invalid.stderr
+++ b/testing/btest/Baseline/language.const/invalid.stderr
@ -0,0 +1,13 @@
+error in ./invalid.bro, line 15: const is not a modifiable lvalue (foo)
+error in ./invalid.bro, line 16: const is not a modifiable lvalue (foo)
+error in ./invalid.bro, line 17: const is not a modifiable lvalue (bar)
+error in ./invalid.bro, line 17: const is not a modifiable lvalue (foo)
+error in ./invalid.bro, line 18: const is not a modifiable lvalue (foo)
+error in ./invalid.bro, line 19: const is not a modifiable lvalue (foo)
+error in ./invalid.bro, line 20: const is not a modifiable lvalue (foo)
+error in ./invalid.bro, line 22: const is not a modifiable lvalue (foo)
+error in ./invalid.bro, line 25: const is not a modifiable lvalue (bar)
+error in ./invalid.bro, line 26: const is not a modifiable lvalue (baz)
+error in ./invalid.bro, line 27: const is not a modifiable lvalue (bar)
+error in ./invalid.bro, line 28: const is not a modifiable lvalue (baz)
+error in ./invalid.bro, line 33: const is not a modifiable lvalue (foo)
--- a/testing/btest/Baseline/language.const/invalid.stdout
+++ b/testing/btest/Baseline/language.const/invalid.stdout
--- a/testing/btest/Baseline/language.const/valid.stderr
+++ b/testing/btest/Baseline/language.const/valid.stderr
--- a/testing/btest/Baseline/language.const/valid.stdout
+++ b/testing/btest/Baseline/language.const/valid.stdout
@ -0,0 +1,10 @@
+40
+enter f, 10
+exit f, 110
+enter f, 9
+exit f, 109
+enter f, 7
+exit f, 107
+foo, 10
+bar, 9
+baz, 7
--- a/testing/btest/Baseline/language.invalid_index/out
+++ b/testing/btest/Baseline/language.invalid_index/out
@ -0,0 +1,7 @@
+error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.invalid_index/invalid_index.bro, line 8: no such index (foo[1])
+error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.invalid_index/invalid_index.bro, line 9: no such index (foo[2])
+error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.invalid_index/invalid_index.bro, line 12: no such index (foo2[1])
+error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.invalid_index/invalid_index.bro, line 13: no such index (foo2[2])
+foo[0], 42
+foo2[0], 13
+done
--- a/testing/btest/Baseline/language.record-bad-ctor/out
+++ b/testing/btest/Baseline/language.record-bad-ctor/out
@ -0,0 +1,3 @@
+error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.record-bad-ctor/record-bad-ctor.bro, line 6: no type given (asdfasdf)
+error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.record-bad-ctor/record-bad-ctor.bro, line 7: uninitialized list value ($ports=asdfasdf)
+error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.record-bad-ctor/record-bad-ctor.bro, line 7: bad record initializer ([$ports=asdfasdf])
--- a/testing/btest/Baseline/scripts.base.frameworks.input.invalidnumbers/.stderrwithoutfirstline
+++ b/testing/btest/Baseline/scripts.base.frameworks.input.invalidnumbers/.stderrwithoutfirstline
@ -1,8 +1,8 @@
-error: ../input.log/Input::READER_ASCII: Number '12129223372036854775800' out of supported range.
-error: ../input.log/Input::READER_ASCII: Could not convert line '12129223372036854775800	121218446744073709551612' to Val. Ignoring line.
-warning: ../input.log/Input::READER_ASCII: Number '9223372036854775801TEXTHERE' contained non-numeric trailing characters. Ignored trailing characters 'TEXTHERE'
-warning: ../input.log/Input::READER_ASCII: Number '1Justtext' contained non-numeric trailing characters. Ignored trailing characters 'Justtext'
-error: ../input.log/Input::READER_ASCII: String 'Justtext' contained no parseable number
-error: ../input.log/Input::READER_ASCII: Could not convert line 'Justtext	1' to Val. Ignoring line.
-received termination signal
+1355266097.683599 error: ../input.log/Input::READER_ASCII: Number '12129223372036854775800' out of supported range.
+1355266097.683599 error: ../input.log/Input::READER_ASCII: Could not convert line '12129223372036854775800	121218446744073709551612' to Val. Ignoring line.
+1355266097.683599 warning: ../input.log/Input::READER_ASCII: Number '9223372036854775801TEXTHERE' contained non-numeric trailing characters. Ignored trailing characters 'TEXTHERE'
+1355266097.683599 warning: ../input.log/Input::READER_ASCII: Number '1Justtext' contained non-numeric trailing characters. Ignored trailing characters 'Justtext'
+1355266097.683599 error: ../input.log/Input::READER_ASCII: String 'Justtext' contained no parseable number
+1355266097.683599 error: ../input.log/Input::READER_ASCII: Could not convert line 'Justtext	1' to Val. Ignoring line.
+1355266097.683599 received termination signal
 >>>
--- a/testing/btest/Baseline/scripts.base.frameworks.input.invalidtext/.stderrwithoutfirstline
+++ b/testing/btest/Baseline/scripts.base.frameworks.input.invalidtext/.stderrwithoutfirstline
@ -0,0 +1,4 @@
+1355265853.593476 error: ../input.log/Input::READER_ASCII: String 'l' contained no parseable number
+1355265853.593476 error: ../input.log/Input::READER_ASCII: Could not convert line '	l' to Val. Ignoring line.
+1355265853.593476 received termination signal
+>>>
--- a/testing/btest/Baseline/scripts.base.frameworks.input.invalidtext/out
+++ b/testing/btest/Baseline/scripts.base.frameworks.input.invalidtext/out
@ -0,0 +1,3 @@
+{
+[] = [c=5]
+}
--- a/testing/btest/Baseline/scripts.base.frameworks.input.missing-file/bro..stderr
+++ b/testing/btest/Baseline/scripts.base.frameworks.input.missing-file/bro..stderr
@ -1,5 +1,5 @@
-error: does-not-exist.dat/Input::READER_ASCII: Init: cannot open does-not-exist.dat
-error: does-not-exist.dat/Input::READER_ASCII: Init failed
-warning: Stream input is already queued for removal. Ignoring remove.
-error: does-not-exist.dat/Input::READER_ASCII: terminating thread
-received termination signal
+1355265996.626106 error: does-not-exist.dat/Input::READER_ASCII: Init: cannot open does-not-exist.dat
+1355265996.626106 error: does-not-exist.dat/Input::READER_ASCII: Init failed
+1355265996.626106 warning: Stream input is already queued for removal. Ignoring remove.
+1355265996.626106 error: does-not-exist.dat/Input::READER_ASCII: terminating thread
+1355265996.626106 received termination signal
--- a/testing/btest/Baseline/scripts.base.frameworks.logging.dataseries.time-as-int/conn.ds.txt
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.dataseries.time-as-int/conn.ds.txt
@ -56,20 +56,20 @@ ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes
 1300475167096535 UWkUyAuUGXf 141.142.220.202 5353 224.0.0.251 5353 udp dns 0 0 0 S0 F 0 D 1 73 0 0 
 1300475167097012 arKYeMETxOg fe80::217:f2ff:fed7:cf65 5353 ff02::fb 5353 udp  0 0 0 S0 F 0 D 1 199 0 0 
 1300475167099816 k6kgXLOoSKl 141.142.220.50 5353 224.0.0.251 5353 udp  0 0 0 S0 F 0 D 1 179 0 0 
-1300475168853899 TEfuqmmG4bh 141.142.220.118 43927 141.142.2.2 53 udp dns 435 0 89 SHR F 0 Cd 0 0 1 117 
-1300475168854378 FrJExwHcSal 141.142.220.118 37676 141.142.2.2 53 udp dns 420 0 99 SHR F 0 Cd 0 0 1 127 
-1300475168854837 5OKnoww6xl4 141.142.220.118 40526 141.142.2.2 53 udp dns 391 0 183 SHR F 0 Cd 0 0 1 211 
-1300475168857956 fRFu0wcOle6 141.142.220.118 32902 141.142.2.2 53 udp dns 317 0 89 SHR F 0 Cd 0 0 1 117 
-1300475168858306 qSsw6ESzHV4 141.142.220.118 59816 141.142.2.2 53 udp dns 343 0 99 SHR F 0 Cd 0 0 1 127 
-1300475168858713 iE6yhOq3SF 141.142.220.118 59714 141.142.2.2 53 udp dns 375 0 183 SHR F 0 Cd 0 0 1 211 
-1300475168891644 qCaWGmzFtM5 141.142.220.118 58206 141.142.2.2 53 udp dns 339 0 89 SHR F 0 Cd 0 0 1 117 
-1300475168892037 70MGiRM1Qf4 141.142.220.118 38911 141.142.2.2 53 udp dns 334 0 99 SHR F 0 Cd 0 0 1 127 
-1300475168892414 h5DsfNtYzi1 141.142.220.118 59746 141.142.2.2 53 udp dns 420 0 183 SHR F 0 Cd 0 0 1 211 
-1300475168893988 c4Zw9TmAE05 141.142.220.118 45000 141.142.2.2 53 udp dns 384 0 89 SHR F 0 Cd 0 0 1 117 
-1300475168894422 EAr0uf4mhq 141.142.220.118 48479 141.142.2.2 53 udp dns 316 0 99 SHR F 0 Cd 0 0 1 127 
-1300475168894787 GvmoxJFXdTa 141.142.220.118 48128 141.142.2.2 53 udp dns 422 0 183 SHR F 0 Cd 0 0 1 211 
-1300475168901749 slFea8xwSmb 141.142.220.118 56056 141.142.2.2 53 udp dns 402 0 131 SHR F 0 Cd 0 0 1 159 
-1300475168902195 UfGkYA2HI2g 141.142.220.118 55092 141.142.2.2 53 udp dns 374 0 198 SHR F 0 Cd 0 0 1 226 
+1300475168853899 TEfuqmmG4bh 141.142.220.118 43927 141.142.2.2 53 udp dns 435 38 89 SF F 0 Dd 1 66 1 117 
+1300475168854378 FrJExwHcSal 141.142.220.118 37676 141.142.2.2 53 udp dns 420 52 99 SF F 0 Dd 1 80 1 127 
+1300475168854837 5OKnoww6xl4 141.142.220.118 40526 141.142.2.2 53 udp dns 391 38 183 SF F 0 Dd 1 66 1 211 
+1300475168857956 fRFu0wcOle6 141.142.220.118 32902 141.142.2.2 53 udp dns 317 38 89 SF F 0 Dd 1 66 1 117 
+1300475168858306 qSsw6ESzHV4 141.142.220.118 59816 141.142.2.2 53 udp dns 343 52 99 SF F 0 Dd 1 80 1 127 
+1300475168858713 iE6yhOq3SF 141.142.220.118 59714 141.142.2.2 53 udp dns 375 38 183 SF F 0 Dd 1 66 1 211 
+1300475168891644 qCaWGmzFtM5 141.142.220.118 58206 141.142.2.2 53 udp dns 339 38 89 SF F 0 Dd 1 66 1 117 
+1300475168892037 70MGiRM1Qf4 141.142.220.118 38911 141.142.2.2 53 udp dns 334 52 99 SF F 0 Dd 1 80 1 127 
+1300475168892414 h5DsfNtYzi1 141.142.220.118 59746 141.142.2.2 53 udp dns 420 38 183 SF F 0 Dd 1 66 1 211 
+1300475168893988 c4Zw9TmAE05 141.142.220.118 45000 141.142.2.2 53 udp dns 384 38 89 SF F 0 Dd 1 66 1 117 
+1300475168894422 EAr0uf4mhq 141.142.220.118 48479 141.142.2.2 53 udp dns 316 52 99 SF F 0 Dd 1 80 1 127 
+1300475168894787 GvmoxJFXdTa 141.142.220.118 48128 141.142.2.2 53 udp dns 422 38 183 SF F 0 Dd 1 66 1 211 
+1300475168901749 slFea8xwSmb 141.142.220.118 56056 141.142.2.2 53 udp dns 402 36 131 SF F 0 Dd 1 64 1 159 
+1300475168902195 UfGkYA2HI2g 141.142.220.118 55092 141.142.2.2 53 udp dns 374 36 198 SF F 0 Dd 1 64 1 226 
 1300475169899438 BWaU4aSuwkc 141.142.220.44 5353 224.0.0.251 5353 udp dns 0 0 0 S0 F 0 D 1 85 0 0 
 1300475170862384 10XodEwRycf 141.142.220.226 137 141.142.220.255 137 udp dns 2613016 350 0 S0 F 0 D 7 546 0 0 
 1300475171675372 zno26fFZkrh fe80::3074:17d5:2052:c324 65373 ff02::1:3 5355 udp dns 100096 66 0 S0 F 0 D 2 162 0 0 
@ -77,13 +77,13 @@ ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes
 1300475173116749 eWZCH7OONC1 fe80::3074:17d5:2052:c324 54213 ff02::1:3 5355 udp dns 99801 66 0 S0 F 0 D 2 162 0 0 
 1300475173117362 0Pwk3ntf8O3 141.142.220.226 55671 224.0.0.252 5355 udp dns 99848 66 0 S0 F 0 D 2 122 0 0 
 1300475173153679 0HKorjr8Zp7 141.142.220.238 56641 141.142.220.255 137 udp dns 0 0 0 S0 F 0 D 1 78 0 0 
-1300475168859163 GSxOnSLghOa 141.142.220.118 49998 208.80.152.3 80 tcp  215893 1130 734 S1 F 1130 ShACad 4 216 4 950 
-1300475168652003 nQcgTWjvg4c 141.142.220.118 35634 208.80.152.2 80 tcp  61328 0 350 OTH F 0 CdA 1 52 1 402 
-1300475168895267 0Q4FH8sESw5 141.142.220.118 50001 208.80.152.3 80 tcp  227283 1178 734 S1 F 1178 ShACad 4 216 4 950 
-1300475168902635 i2rO3KD1Syg 141.142.220.118 35642 208.80.152.2 80 tcp  120040 534 412 S1 F 534 ShACad 3 164 3 576 
-1300475168892936 Tw8jXtpTGu6 141.142.220.118 50000 208.80.152.3 80 tcp  229603 1148 734 S1 F 1148 ShACad 4 216 4 950 
-1300475168855305 3PKsZ2Uye21 141.142.220.118 49996 208.80.152.3 80 tcp  218501 1171 733 S1 F 1171 ShACad 4 216 4 949 
-1300475168892913 P654jzLoe3a 141.142.220.118 49999 208.80.152.3 80 tcp  220960 1137 733 S1 F 1137 ShACad 4 216 4 949 
+1300475168859163 GSxOnSLghOa 141.142.220.118 49998 208.80.152.3 80 tcp http 215893 1130 734 S1 F 0 ShADad 6 1450 4 950 
+1300475168652003 nQcgTWjvg4c 141.142.220.118 35634 208.80.152.2 80 tcp  61328 463 350 OTH F 0 DdA 2 567 1 402 
+1300475168895267 0Q4FH8sESw5 141.142.220.118 50001 208.80.152.3 80 tcp http 227283 1178 734 S1 F 0 ShADad 6 1498 4 950 
+1300475168902635 i2rO3KD1Syg 141.142.220.118 35642 208.80.152.2 80 tcp http 120040 534 412 S1 F 0 ShADad 4 750 3 576 
+1300475168892936 Tw8jXtpTGu6 141.142.220.118 50000 208.80.152.3 80 tcp http 229603 1148 734 S1 F 0 ShADad 6 1468 4 950 
+1300475168855305 3PKsZ2Uye21 141.142.220.118 49996 208.80.152.3 80 tcp http 218501 1171 733 S1 F 0 ShADad 6 1491 4 949 
+1300475168892913 P654jzLoe3a 141.142.220.118 49999 208.80.152.3 80 tcp http 220960 1137 733 S1 F 0 ShADad 6 1457 4 949 
 1300475169780331 2cx26uAvUPl 141.142.220.235 6705 173.192.163.128 80 tcp  0 0 0 OTH F 0 h 0 0 1 48 
-1300475168724007 j4u32Pc5bif 141.142.220.118 48649 208.80.152.118 80 tcp  119904 525 232 S1 F 525 ShACad 3 164 3 396 
-1300475168855330 VW0XPVINV8a 141.142.220.118 49997 208.80.152.3 80 tcp  219720 1125 734 S1 F 1125 ShACad 4 216 4 950 
+1300475168724007 j4u32Pc5bif 141.142.220.118 48649 208.80.152.118 80 tcp http 119904 525 232 S1 F 0 ShADad 4 741 3 396 
+1300475168855330 VW0XPVINV8a 141.142.220.118 49997 208.80.152.3 80 tcp http 219720 1125 734 S1 F 0 ShADad 6 1445 4 950 
--- a/testing/btest/Baseline/scripts.base.frameworks.logging.dataseries.wikipedia/conn.ds.txt
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.dataseries.wikipedia/conn.ds.txt
@ -56,20 +56,20 @@ ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes
 1300475167.096535 UWkUyAuUGXf 141.142.220.202 5353 224.0.0.251 5353 udp dns 0.000000 0 0 S0 F 0 D 1 73 0 0 
 1300475167.097012 arKYeMETxOg fe80::217:f2ff:fed7:cf65 5353 ff02::fb 5353 udp  0.000000 0 0 S0 F 0 D 1 199 0 0 
 1300475167.099816 k6kgXLOoSKl 141.142.220.50 5353 224.0.0.251 5353 udp  0.000000 0 0 S0 F 0 D 1 179 0 0 
-1300475168.853899 TEfuqmmG4bh 141.142.220.118 43927 141.142.2.2 53 udp dns 0.000435 0 89 SHR F 0 Cd 0 0 1 117 
-1300475168.854378 FrJExwHcSal 141.142.220.118 37676 141.142.2.2 53 udp dns 0.000420 0 99 SHR F 0 Cd 0 0 1 127 
-1300475168.854837 5OKnoww6xl4 141.142.220.118 40526 141.142.2.2 53 udp dns 0.000392 0 183 SHR F 0 Cd 0 0 1 211 
-1300475168.857956 fRFu0wcOle6 141.142.220.118 32902 141.142.2.2 53 udp dns 0.000317 0 89 SHR F 0 Cd 0 0 1 117 
-1300475168.858306 qSsw6ESzHV4 141.142.220.118 59816 141.142.2.2 53 udp dns 0.000343 0 99 SHR F 0 Cd 0 0 1 127 
-1300475168.858713 iE6yhOq3SF 141.142.220.118 59714 141.142.2.2 53 udp dns 0.000375 0 183 SHR F 0 Cd 0 0 1 211 
-1300475168.891644 qCaWGmzFtM5 141.142.220.118 58206 141.142.2.2 53 udp dns 0.000339 0 89 SHR F 0 Cd 0 0 1 117 
-1300475168.892037 70MGiRM1Qf4 141.142.220.118 38911 141.142.2.2 53 udp dns 0.000335 0 99 SHR F 0 Cd 0 0 1 127 
-1300475168.892414 h5DsfNtYzi1 141.142.220.118 59746 141.142.2.2 53 udp dns 0.000421 0 183 SHR F 0 Cd 0 0 1 211 
-1300475168.893988 c4Zw9TmAE05 141.142.220.118 45000 141.142.2.2 53 udp dns 0.000384 0 89 SHR F 0 Cd 0 0 1 117 
-1300475168.894422 EAr0uf4mhq 141.142.220.118 48479 141.142.2.2 53 udp dns 0.000317 0 99 SHR F 0 Cd 0 0 1 127 
-1300475168.894787 GvmoxJFXdTa 141.142.220.118 48128 141.142.2.2 53 udp dns 0.000423 0 183 SHR F 0 Cd 0 0 1 211 
-1300475168.901749 slFea8xwSmb 141.142.220.118 56056 141.142.2.2 53 udp dns 0.000402 0 131 SHR F 0 Cd 0 0 1 159 
-1300475168.902195 UfGkYA2HI2g 141.142.220.118 55092 141.142.2.2 53 udp dns 0.000374 0 198 SHR F 0 Cd 0 0 1 226 
+1300475168.853899 TEfuqmmG4bh 141.142.220.118 43927 141.142.2.2 53 udp dns 0.000435 38 89 SF F 0 Dd 1 66 1 117 
+1300475168.854378 FrJExwHcSal 141.142.220.118 37676 141.142.2.2 53 udp dns 0.000420 52 99 SF F 0 Dd 1 80 1 127 
+1300475168.854837 5OKnoww6xl4 141.142.220.118 40526 141.142.2.2 53 udp dns 0.000392 38 183 SF F 0 Dd 1 66 1 211 
+1300475168.857956 fRFu0wcOle6 141.142.220.118 32902 141.142.2.2 53 udp dns 0.000317 38 89 SF F 0 Dd 1 66 1 117 
+1300475168.858306 qSsw6ESzHV4 141.142.220.118 59816 141.142.2.2 53 udp dns 0.000343 52 99 SF F 0 Dd 1 80 1 127 
+1300475168.858713 iE6yhOq3SF 141.142.220.118 59714 141.142.2.2 53 udp dns 0.000375 38 183 SF F 0 Dd 1 66 1 211 
+1300475168.891644 qCaWGmzFtM5 141.142.220.118 58206 141.142.2.2 53 udp dns 0.000339 38 89 SF F 0 Dd 1 66 1 117 
+1300475168.892037 70MGiRM1Qf4 141.142.220.118 38911 141.142.2.2 53 udp dns 0.000335 52 99 SF F 0 Dd 1 80 1 127 
+1300475168.892414 h5DsfNtYzi1 141.142.220.118 59746 141.142.2.2 53 udp dns 0.000421 38 183 SF F 0 Dd 1 66 1 211 
+1300475168.893988 c4Zw9TmAE05 141.142.220.118 45000 141.142.2.2 53 udp dns 0.000384 38 89 SF F 0 Dd 1 66 1 117 
+1300475168.894422 EAr0uf4mhq 141.142.220.118 48479 141.142.2.2 53 udp dns 0.000317 52 99 SF F 0 Dd 1 80 1 127 
+1300475168.894787 GvmoxJFXdTa 141.142.220.118 48128 141.142.2.2 53 udp dns 0.000423 38 183 SF F 0 Dd 1 66 1 211 
+1300475168.901749 slFea8xwSmb 141.142.220.118 56056 141.142.2.2 53 udp dns 0.000402 36 131 SF F 0 Dd 1 64 1 159 
+1300475168.902195 UfGkYA2HI2g 141.142.220.118 55092 141.142.2.2 53 udp dns 0.000374 36 198 SF F 0 Dd 1 64 1 226 
 1300475169.899438 BWaU4aSuwkc 141.142.220.44 5353 224.0.0.251 5353 udp dns 0.000000 0 0 S0 F 0 D 1 85 0 0 
 1300475170.862384 10XodEwRycf 141.142.220.226 137 141.142.220.255 137 udp dns 2.613017 350 0 S0 F 0 D 7 546 0 0 
 1300475171.675372 zno26fFZkrh fe80::3074:17d5:2052:c324 65373 ff02::1:3 5355 udp dns 0.100096 66 0 S0 F 0 D 2 162 0 0 
@ -77,13 +77,13 @@ ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes
 1300475173.116749 eWZCH7OONC1 fe80::3074:17d5:2052:c324 54213 ff02::1:3 5355 udp dns 0.099801 66 0 S0 F 0 D 2 162 0 0 
 1300475173.117362 0Pwk3ntf8O3 141.142.220.226 55671 224.0.0.252 5355 udp dns 0.099849 66 0 S0 F 0 D 2 122 0 0 
 1300475173.153679 0HKorjr8Zp7 141.142.220.238 56641 141.142.220.255 137 udp dns 0.000000 0 0 S0 F 0 D 1 78 0 0 
-1300475168.859163 GSxOnSLghOa 141.142.220.118 49998 208.80.152.3 80 tcp  0.215893 1130 734 S1 F 1130 ShACad 4 216 4 950 
-1300475168.652003 nQcgTWjvg4c 141.142.220.118 35634 208.80.152.2 80 tcp  0.061329 0 350 OTH F 0 CdA 1 52 1 402 
-1300475168.895267 0Q4FH8sESw5 141.142.220.118 50001 208.80.152.3 80 tcp  0.227284 1178 734 S1 F 1178 ShACad 4 216 4 950 
-1300475168.902635 i2rO3KD1Syg 141.142.220.118 35642 208.80.152.2 80 tcp  0.120041 534 412 S1 F 534 ShACad 3 164 3 576 
-1300475168.892936 Tw8jXtpTGu6 141.142.220.118 50000 208.80.152.3 80 tcp  0.229603 1148 734 S1 F 1148 ShACad 4 216 4 950 
-1300475168.855305 3PKsZ2Uye21 141.142.220.118 49996 208.80.152.3 80 tcp  0.218501 1171 733 S1 F 1171 ShACad 4 216 4 949 
-1300475168.892913 P654jzLoe3a 141.142.220.118 49999 208.80.152.3 80 tcp  0.220961 1137 733 S1 F 1137 ShACad 4 216 4 949 
+1300475168.859163 GSxOnSLghOa 141.142.220.118 49998 208.80.152.3 80 tcp http 0.215893 1130 734 S1 F 0 ShADad 6 1450 4 950 
+1300475168.652003 nQcgTWjvg4c 141.142.220.118 35634 208.80.152.2 80 tcp  0.061329 463 350 OTH F 0 DdA 2 567 1 402 
+1300475168.895267 0Q4FH8sESw5 141.142.220.118 50001 208.80.152.3 80 tcp http 0.227284 1178 734 S1 F 0 ShADad 6 1498 4 950 
+1300475168.902635 i2rO3KD1Syg 141.142.220.118 35642 208.80.152.2 80 tcp http 0.120041 534 412 S1 F 0 ShADad 4 750 3 576 
+1300475168.892936 Tw8jXtpTGu6 141.142.220.118 50000 208.80.152.3 80 tcp http 0.229603 1148 734 S1 F 0 ShADad 6 1468 4 950 
+1300475168.855305 3PKsZ2Uye21 141.142.220.118 49996 208.80.152.3 80 tcp http 0.218501 1171 733 S1 F 0 ShADad 6 1491 4 949 
+1300475168.892913 P654jzLoe3a 141.142.220.118 49999 208.80.152.3 80 tcp http 0.220961 1137 733 S1 F 0 ShADad 6 1457 4 949 
 1300475169.780331 2cx26uAvUPl 141.142.220.235 6705 173.192.163.128 80 tcp  0.000000 0 0 OTH F 0 h 0 0 1 48 
-1300475168.724007 j4u32Pc5bif 141.142.220.118 48649 208.80.152.118 80 tcp  0.119905 525 232 S1 F 525 ShACad 3 164 3 396 
-1300475168.855330 VW0XPVINV8a 141.142.220.118 49997 208.80.152.3 80 tcp  0.219720 1125 734 S1 F 1125 ShACad 4 216 4 950 
+1300475168.724007 j4u32Pc5bif 141.142.220.118 48649 208.80.152.118 80 tcp http 0.119905 525 232 S1 F 0 ShADad 4 741 3 396 
+1300475168.855330 VW0XPVINV8a 141.142.220.118 49997 208.80.152.3 80 tcp http 0.219720 1125 734 S1 F 0 ShADad 6 1445 4 950 
--- a/testing/btest/Baseline/scripts.base.frameworks.logging.dataseries.wikipedia/http.ds.txt
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.dataseries.wikipedia/http.ds.txt
@ -65,17 +65,17 @@

 # Extent, type='http'
 ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file
-1300475168.843894 j4u32Pc5bif 141.142.220.118 48649 208.80.152.118 80 0      0 0 304 Not Modified 0         
-1300475168.975800 VW0XPVINV8a 141.142.220.118 49997 208.80.152.3 80 0      0 0 304 Not Modified 0         
-1300475168.976327 3PKsZ2Uye21 141.142.220.118 49996 208.80.152.3 80 0      0 0 304 Not Modified 0         
-1300475168.979160 GSxOnSLghOa 141.142.220.118 49998 208.80.152.3 80 0      0 0 304 Not Modified 0         
-1300475169.012666 Tw8jXtpTGu6 141.142.220.118 50000 208.80.152.3 80 0      0 0 304 Not Modified 0         
-1300475169.012730 P654jzLoe3a 141.142.220.118 49999 208.80.152.3 80 0      0 0 304 Not Modified 0         
-1300475169.014860 0Q4FH8sESw5 141.142.220.118 50001 208.80.152.3 80 0      0 0 304 Not Modified 0         
-1300475169.022665 i2rO3KD1Syg 141.142.220.118 35642 208.80.152.2 80 0      0 0 304 Not Modified 0         
-1300475169.036294 VW0XPVINV8a 141.142.220.118 49997 208.80.152.3 80 0      0 0 304 Not Modified 0         
-1300475169.036798 3PKsZ2Uye21 141.142.220.118 49996 208.80.152.3 80 0      0 0 304 Not Modified 0         
-1300475169.039923 GSxOnSLghOa 141.142.220.118 49998 208.80.152.3 80 0      0 0 304 Not Modified 0         
-1300475169.074793 Tw8jXtpTGu6 141.142.220.118 50000 208.80.152.3 80 0      0 0 304 Not Modified 0         
-1300475169.074938 P654jzLoe3a 141.142.220.118 49999 208.80.152.3 80 0      0 0 304 Not Modified 0         
-1300475169.075065 0Q4FH8sESw5 141.142.220.118 50001 208.80.152.3 80 0      0 0 304 Not Modified 0         
+1300475168.784020 j4u32Pc5bif 141.142.220.118 48649 208.80.152.118 80 1 GET bits.wikimedia.org /skins-1.5/monobook/main.css http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified 0         
+1300475168.916018 VW0XPVINV8a 141.142.220.118 49997 208.80.152.3 80 1 GET upload.wikimedia.org /wikipedia/commons/6/63/Wikipedia-logo.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified 0         
+1300475168.916183 3PKsZ2Uye21 141.142.220.118 49996 208.80.152.3 80 1 GET upload.wikimedia.org /wikipedia/commons/thumb/b/bb/Wikipedia_wordmark.svg/174px-Wikipedia_wordmark.svg.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified 0         
+1300475168.918358 GSxOnSLghOa 141.142.220.118 49998 208.80.152.3 80 1 GET upload.wikimedia.org /wikipedia/commons/b/bd/Bookshelf-40x201_6.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified 0         
+1300475168.952307 Tw8jXtpTGu6 141.142.220.118 50000 208.80.152.3 80 1 GET upload.wikimedia.org /wikipedia/commons/thumb/8/8a/Wikinews-logo.png/35px-Wikinews-logo.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified 0         
+1300475168.952296 P654jzLoe3a 141.142.220.118 49999 208.80.152.3 80 1 GET upload.wikimedia.org /wikipedia/commons/4/4a/Wiktionary-logo-en-35px.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified 0         
+1300475168.954820 0Q4FH8sESw5 141.142.220.118 50001 208.80.152.3 80 1 GET upload.wikimedia.org /wikipedia/commons/thumb/f/fa/Wikiquote-logo.svg/35px-Wikiquote-logo.svg.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified 0         
+1300475168.962687 i2rO3KD1Syg 141.142.220.118 35642 208.80.152.2 80 1 GET meta.wikimedia.org /images/wikimedia-button.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified 0         
+1300475168.975934 VW0XPVINV8a 141.142.220.118 49997 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/f/fa/Wikibooks-logo.svg/35px-Wikibooks-logo.svg.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified 0         
+1300475168.976436 3PKsZ2Uye21 141.142.220.118 49996 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/d/df/Wikispecies-logo.svg/35px-Wikispecies-logo.svg.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified 0         
+1300475168.979264 GSxOnSLghOa 141.142.220.118 49998 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/4/4c/Wikisource-logo.svg/35px-Wikisource-logo.svg.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified 0         
+1300475169.014619 Tw8jXtpTGu6 141.142.220.118 50000 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/4/4a/Commons-logo.svg/35px-Commons-logo.svg.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified 0         
+1300475169.014593 P654jzLoe3a 141.142.220.118 49999 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/9/91/Wikiversity-logo.svg/35px-Wikiversity-logo.svg.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified 0         
+1300475169.014927 0Q4FH8sESw5 141.142.220.118 50001 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/7/75/Wikimedia_Community_Logo.svg/35px-Wikimedia_Community_Logo.svg.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified 0         
--- a/testing/btest/Baseline/scripts.base.protocols.http.http-methods/http.log
+++ b/testing/btest/Baseline/scripts.base.protocols.http.http-methods/http.log
@ -0,0 +1,58 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	http
+#open	2012-12-07-04-43-19
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	filename	tags	username	password	proxied	mime_type	md5	extraction_file
+#types	time	string	addr	port	addr	port	count	string	string	string	string	string	count	count	count	string	count	string	string	table[enum]	string	string	table[string]	string	string	file
+1354328870.191989	UWkUyAuUGXf	128.2.6.136	46562	173.194.75.103	80	1	OPTIONS	www.google.com	*	-	-	0	962	405	Method Not Allowed	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328874.237327	arKYeMETxOg	128.2.6.136	46563	173.194.75.103	80	1	OPTIONS	www.google.com	HTTP/1.1	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328874.299063	k6kgXLOoSKl	128.2.6.136	46564	173.194.75.103	80	0	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328874.342591	nQcgTWjvg4c	128.2.6.136	46565	173.194.75.103	80	0	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328874.364020	j4u32Pc5bif	128.2.6.136	46566	173.194.75.103	80	1	GET	www.google.com	/	-	-	0	43911	200	OK	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328878.470424	TEfuqmmG4bh	128.2.6.136	46567	173.194.75.103	80	1	GET	www.google.com	/	-	-	0	43983	200	OK	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328882.575456	FrJExwHcSal	128.2.6.136	46568	173.194.75.103	80	1	GET	www.google.com	/HTTP/1.1	-	-	0	1207	403	Forbidden	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328882.928027	5OKnoww6xl4	128.2.6.136	46569	173.194.75.103	80	0	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328882.968948	3PKsZ2Uye21	128.2.6.136	46570	173.194.75.103	80	0	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328882.990373	VW0XPVINV8a	128.2.6.136	46571	173.194.75.103	80	1	GET	www.google.com	/	-	-	0	43913	200	OK	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328887.114613	fRFu0wcOle6	128.2.6.136	46572	173.194.75.103	80	0	-	-	-	-	-	0	961	405	Method Not Allowed	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328891.161077	qSsw6ESzHV4	128.2.6.136	46573	173.194.75.103	80	0	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328891.204740	iE6yhOq3SF	128.2.6.136	46574	173.194.75.103	80	0	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328891.245592	GSxOnSLghOa	128.2.6.136	46575	173.194.75.103	80	0	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328891.287655	qCaWGmzFtM5	128.2.6.136	46576	173.194.75.103	80	0	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328891.309065	70MGiRM1Qf4	128.2.6.136	46577	173.194.75.103	80	1	CCM_POST	www.google.com	/	-	-	0	963	405	Method Not Allowed	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328895.355012	h5DsfNtYzi1	128.2.6.136	46578	173.194.75.103	80	1	CCM_POST	www.google.com	/HTTP/1.1	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328895.416133	P654jzLoe3a	128.2.6.136	46579	173.194.75.103	80	0	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328895.459490	Tw8jXtpTGu6	128.2.6.136	46580	173.194.75.103	80	0	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328895.480865	c4Zw9TmAE05	128.2.6.136	46581	173.194.75.103	80	1	CCM_POST	www.google.com	/	-	-	0	963	405	Method Not Allowed	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328899.526682	EAr0uf4mhq	128.2.6.136	46582	173.194.75.103	80	1	CONNECT	www.google.com	/	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328903.572533	GvmoxJFXdTa	128.2.6.136	46583	173.194.75.103	80	1	CONNECT	www.google.com	/HTTP/1.1	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328903.634196	0Q4FH8sESw5	128.2.6.136	46584	173.194.75.103	80	0	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328903.676395	slFea8xwSmb	128.2.6.136	46585	173.194.75.103	80	0	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328903.697693	UfGkYA2HI2g	128.2.6.136	46586	173.194.75.103	80	1	CONNECT	www.google.com	/	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328907.743696	i2rO3KD1Syg	128.2.6.136	46587	173.194.75.103	80	1	TRACE	www.google.com	/	-	-	0	960	405	Method Not Allowed	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328911.790590	2cx26uAvUPl	128.2.6.136	46588	173.194.75.103	80	1	TRACE	www.google.com	/HTTP/1.1	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328911.853464	BWaU4aSuwkc	128.2.6.136	46589	173.194.75.103	80	0	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328911.897044	10XodEwRycf	128.2.6.136	46590	173.194.75.103	80	0	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328911.918511	zno26fFZkrh	128.2.6.136	46591	173.194.75.103	80	1	TRACE	www.google.com	/	-	-	0	960	405	Method Not Allowed	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328915.964678	v5rgkJBig5l	128.2.6.136	46592	173.194.75.103	80	1	DELETE	www.google.com	/	-	-	0	961	405	Method Not Allowed	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328920.010458	eWZCH7OONC1	128.2.6.136	46593	173.194.75.103	80	1	DELETE	www.google.com	/HTTP/1.1	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328920.072101	0Pwk3ntf8O3	128.2.6.136	46594	173.194.75.103	80	0	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328920.114526	0HKorjr8Zp7	128.2.6.136	46595	173.194.75.103	80	0	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328920.136714	yC2d6kVg709	128.2.6.136	46596	173.194.75.103	80	1	DELETE	www.google.com	/	-	-	0	961	405	Method Not Allowed	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328924.183211	VcgagLjnO92	128.2.6.136	46597	173.194.75.103	80	1	PUT	www.google.com	/	-	-	0	934	411	Length Required	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328924.224567	bdRoHfaPBo3	128.2.6.136	46598	173.194.75.103	80	1	PUT	www.google.com	/HTTP/1.1	-	-	0	934	411	Length Required	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328924.287402	zHqb7t7kv28	128.2.6.136	46599	173.194.75.103	80	0	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328924.328257	rrZWoMUQpv8	128.2.6.136	46600	173.194.75.103	80	0	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328924.350343	xNYSS2hJkle	128.2.6.136	46601	173.194.75.103	80	1	PUT	www.google.com	/	-	-	0	934	411	Length Required	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328924.391728	vMVjlplKKbd	128.2.6.136	46602	173.194.75.103	80	1	POST	www.google.com	/	-	-	0	934	411	Length Required	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328924.433150	3omNawSNrxj	128.2.6.136	46603	173.194.75.103	80	1	POST	www.google.com	/HTTP/1.1	-	-	0	934	411	Length Required	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328924.496732	Rv8AJVfi9Zi	128.2.6.136	46604	173.194.75.103	80	0	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328924.537671	wEyF3OvvcQe	128.2.6.136	46605	173.194.75.103	80	0	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328924.559704	E490YZTUozc	128.2.6.136	46606	173.194.75.103	80	1	HEAD	www.google.com	/	-	-	0	0	200	OK	-	-	-	(empty)	-	-	-	-	-	-
+1354328928.625437	YIeWJmXWNWj	128.2.6.136	46607	173.194.75.103	80	1	HEAD	www.google.com	/	-	-	0	0	200	OK	-	-	-	(empty)	-	-	-	-	-	-
+1354328932.692706	ydiZblvsYri	128.2.6.136	46608	173.194.75.103	80	1	HEAD	www.google.com	/HTTP/1.1	-	-	0	0	400	Bad Request	-	-	-	(empty)	-	-	-	-	-	-
+1354328932.754657	HFYOnBqSE5e	128.2.6.136	46609	173.194.75.103	80	0	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328932.796568	JcUvhfWUMgd	128.2.6.136	46610	173.194.75.103	80	0	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	text/html	-	-
+#close	2012-12-07-04-43-19
--- a/testing/btest/Baseline/scripts.base.protocols.http.http-methods/weird.log
+++ b/testing/btest/Baseline/scripts.base.protocols.http.http-methods/weird.log
@ -0,0 +1,58 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	weird
+#open	2012-12-07-04-43-19
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
+#types	time	string	addr	port	addr	port	string	string	bool	string
+1354328874.278822	k6kgXLOoSKl	128.2.6.136	46564	173.194.75.103	80	bad_HTTP_request	-	F	bro
+1354328874.299063	k6kgXLOoSKl	128.2.6.136	46564	173.194.75.103	80	unmatched_HTTP_reply	-	F	bro
+1354328874.321792	nQcgTWjvg4c	128.2.6.136	46565	173.194.75.103	80	bad_HTTP_request	-	F	bro
+1354328874.342591	nQcgTWjvg4c	128.2.6.136	46565	173.194.75.103	80	unmatched_HTTP_reply	-	F	bro
+1354328882.908690	5OKnoww6xl4	128.2.6.136	46569	173.194.75.103	80	bad_HTTP_request	-	F	bro
+1354328882.928027	5OKnoww6xl4	128.2.6.136	46569	173.194.75.103	80	unmatched_HTTP_reply	-	F	bro
+1354328882.949510	3PKsZ2Uye21	128.2.6.136	46570	173.194.75.103	80	bad_HTTP_request	-	F	bro
+1354328882.968948	3PKsZ2Uye21	128.2.6.136	46570	173.194.75.103	80	unmatched_HTTP_reply	-	F	bro
+1354328887.094494	fRFu0wcOle6	128.2.6.136	46572	173.194.75.103	80	bad_HTTP_request	-	F	bro
+1354328887.114613	fRFu0wcOle6	128.2.6.136	46572	173.194.75.103	80	unmatched_HTTP_reply	-	F	bro
+1354328891.141058	qSsw6ESzHV4	128.2.6.136	46573	173.194.75.103	80	bad_HTTP_request	-	F	bro
+1354328891.161077	qSsw6ESzHV4	128.2.6.136	46573	173.194.75.103	80	unmatched_HTTP_reply	-	F	bro
+1354328891.183942	iE6yhOq3SF	128.2.6.136	46574	173.194.75.103	80	bad_HTTP_request	-	F	bro
+1354328891.204740	iE6yhOq3SF	128.2.6.136	46574	173.194.75.103	80	unmatched_HTTP_reply	-	F	bro
+1354328891.226199	GSxOnSLghOa	128.2.6.136	46575	173.194.75.103	80	bad_HTTP_request	-	F	bro
+1354328891.245592	GSxOnSLghOa	128.2.6.136	46575	173.194.75.103	80	unmatched_HTTP_reply	-	F	bro
+1354328891.267625	qCaWGmzFtM5	128.2.6.136	46576	173.194.75.103	80	bad_HTTP_request	-	F	bro
+1354328891.287655	qCaWGmzFtM5	128.2.6.136	46576	173.194.75.103	80	unmatched_HTTP_reply	-	F	bro
+1354328891.309065	70MGiRM1Qf4	128.2.6.136	46577	173.194.75.103	80	unknown_HTTP_method	CCM_POST	F	bro
+1354328895.355012	h5DsfNtYzi1	128.2.6.136	46578	173.194.75.103	80	unknown_HTTP_method	CCM_POST	F	bro
+1354328895.396634	P654jzLoe3a	128.2.6.136	46579	173.194.75.103	80	bad_HTTP_request	-	F	bro
+1354328895.416133	P654jzLoe3a	128.2.6.136	46579	173.194.75.103	80	unmatched_HTTP_reply	-	F	bro
+1354328895.438812	Tw8jXtpTGu6	128.2.6.136	46580	173.194.75.103	80	bad_HTTP_request	-	F	bro
+1354328895.459490	Tw8jXtpTGu6	128.2.6.136	46580	173.194.75.103	80	unmatched_HTTP_reply	-	F	bro
+1354328895.480865	c4Zw9TmAE05	128.2.6.136	46581	173.194.75.103	80	unknown_HTTP_method	CCM_POST	F	bro
+1354328903.614145	0Q4FH8sESw5	128.2.6.136	46584	173.194.75.103	80	bad_HTTP_request	-	F	bro
+1354328903.634196	0Q4FH8sESw5	128.2.6.136	46584	173.194.75.103	80	unmatched_HTTP_reply	-	F	bro
+1354328903.656369	slFea8xwSmb	128.2.6.136	46585	173.194.75.103	80	bad_HTTP_request	-	F	bro
+1354328903.676395	slFea8xwSmb	128.2.6.136	46585	173.194.75.103	80	unmatched_HTTP_reply	-	F	bro
+1354328911.832856	BWaU4aSuwkc	128.2.6.136	46589	173.194.75.103	80	bad_HTTP_request	-	F	bro
+1354328911.853464	BWaU4aSuwkc	128.2.6.136	46589	173.194.75.103	80	unmatched_HTTP_reply	-	F	bro
+1354328911.876341	10XodEwRycf	128.2.6.136	46590	173.194.75.103	80	bad_HTTP_request	-	F	bro
+1354328911.897044	10XodEwRycf	128.2.6.136	46590	173.194.75.103	80	unmatched_HTTP_reply	-	F	bro
+1354328920.052085	0Pwk3ntf8O3	128.2.6.136	46594	173.194.75.103	80	bad_HTTP_request	-	F	bro
+1354328920.072101	0Pwk3ntf8O3	128.2.6.136	46594	173.194.75.103	80	unmatched_HTTP_reply	-	F	bro
+1354328920.094072	0HKorjr8Zp7	128.2.6.136	46595	173.194.75.103	80	bad_HTTP_request	-	F	bro
+1354328920.114526	0HKorjr8Zp7	128.2.6.136	46595	173.194.75.103	80	unmatched_HTTP_reply	-	F	bro
+1354328924.266693	zHqb7t7kv28	128.2.6.136	46599	173.194.75.103	80	bad_HTTP_request	-	F	bro
+1354328924.287402	zHqb7t7kv28	128.2.6.136	46599	173.194.75.103	80	unmatched_HTTP_reply	-	F	bro
+1354328924.308714	rrZWoMUQpv8	128.2.6.136	46600	173.194.75.103	80	bad_HTTP_request	-	F	bro
+1354328924.328257	rrZWoMUQpv8	128.2.6.136	46600	173.194.75.103	80	unmatched_HTTP_reply	-	F	bro
+1354328924.476011	Rv8AJVfi9Zi	128.2.6.136	46604	173.194.75.103	80	bad_HTTP_request	-	F	bro
+1354328924.496732	Rv8AJVfi9Zi	128.2.6.136	46604	173.194.75.103	80	unmatched_HTTP_reply	-	F	bro
+1354328924.518204	wEyF3OvvcQe	128.2.6.136	46605	173.194.75.103	80	bad_HTTP_request	-	F	bro
+1354328924.537671	wEyF3OvvcQe	128.2.6.136	46605	173.194.75.103	80	unmatched_HTTP_reply	-	F	bro
+1354328932.734579	HFYOnBqSE5e	128.2.6.136	46609	173.194.75.103	80	bad_HTTP_request	-	F	bro
+1354328932.754657	HFYOnBqSE5e	128.2.6.136	46609	173.194.75.103	80	unmatched_HTTP_reply	-	F	bro
+1354328932.776609	JcUvhfWUMgd	128.2.6.136	46610	173.194.75.103	80	bad_HTTP_request	-	F	bro
+1354328932.796568	JcUvhfWUMgd	128.2.6.136	46610	173.194.75.103	80	unmatched_HTTP_reply	-	F	bro
+#close	2012-12-07-04-43-19
--- a/testing/btest/Traces/http-methods.trace
+++ b/testing/btest/Traces/http-methods.trace
--- a/testing/btest/Traces/tunnels/gtp/gtp10_not_0xff.pcap
+++ b/testing/btest/Traces/tunnels/gtp/gtp10_not_0xff.pcap
--- a/testing/btest/Traces/tunnels/gtp/gtp1_gn_normal_incl_fragmentation.pcap
+++ b/testing/btest/Traces/tunnels/gtp/gtp1_gn_normal_incl_fragmentation.pcap
--- a/testing/btest/Traces/tunnels/gtp/gtp2_different_udp_port.pcap
+++ b/testing/btest/Traces/tunnels/gtp/gtp2_different_udp_port.pcap
--- a/testing/btest/Traces/tunnels/gtp/gtp3_false_gtp.pcap
+++ b/testing/btest/Traces/tunnels/gtp/gtp3_false_gtp.pcap
--- a/testing/btest/Traces/tunnels/gtp/gtp4_udp_2152_inside.pcap
+++ b/testing/btest/Traces/tunnels/gtp/gtp4_udp_2152_inside.pcap
--- a/testing/btest/Traces/tunnels/gtp/gtp6_gtp_0x32.pcap
+++ b/testing/btest/Traces/tunnels/gtp/gtp6_gtp_0x32.pcap
--- a/testing/btest/Traces/tunnels/gtp/gtp7_ipv6.pcap
+++ b/testing/btest/Traces/tunnels/gtp/gtp7_ipv6.pcap
--- a/testing/btest/Traces/tunnels/gtp/gtp8_teredo.pcap
+++ b/testing/btest/Traces/tunnels/gtp/gtp8_teredo.pcap
--- a/testing/btest/Traces/tunnels/gtp/gtp9_unknown_or_too_short_payload.pcap
+++ b/testing/btest/Traces/tunnels/gtp/gtp9_unknown_or_too_short_payload.pcap
--- a/testing/btest/Traces/wikipedia.trace
+++ b/testing/btest/Traces/wikipedia.trace
--- a/testing/btest/core/leaks/gtp_opt_header.test
+++ b/testing/btest/core/leaks/gtp_opt_header.test
@ -0,0 +1,15 @@
+# Needs perftools support.
+#
+# @TEST-REQUIRES: bro  --help 2>&1 | grep -q mem-leaks
+#
+# @TEST-GROUP: leaks
+#
+# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local bro -m -r $TRACES/tunnels/gtp/gtp6_gtp_0x32.pcap %INPUT >out
+
+# Some GTPv1 headers have some optional fields totaling to a 4-byte extension
+# of the mandatory header.
+
+event gtpv1_g_pdu_packet(outer: connection, inner_gtp: gtpv1_hdr, inner_ip: pkt_hdr)
+	{
+	print "gtpv1_packet", inner_gtp;
+	}
--- a/testing/btest/core/tunnels/gtp/different_dl_and_ul.test
+++ b/testing/btest/core/tunnels/gtp/different_dl_and_ul.test
@ -0,0 +1,10 @@
+# @TEST-EXEC: bro -C -r $TRACES/tunnels/gtp/gtp2_different_udp_port.pcap
+# @TEST-EXEC: btest-diff conn.log
+# @TEST-EXEC: btest-diff http.log
+# @TEST-EXEC: btest-diff tunnel.log
+
+# Uplink GTP tunnel uses src port 5906 and dst port 2152.
+# One side on port 2152 qualifies for GTP user plane.
+# The Downlink GTP tunnel uses port 2152 for both src and dst.
+# (checksums are incorrect because packets were anonymized and tcprewrite
+# seems to fail to correct the checksums when there's IP fragmentation).
--- a/testing/btest/core/tunnels/gtp/false_gtp.test
+++ b/testing/btest/core/tunnels/gtp/false_gtp.test
@ -0,0 +1,8 @@
+# @TEST-EXEC: bro -r $TRACES/tunnels/gtp/gtp3_false_gtp.pcap
+# @TEST-EXEC: btest-diff conn.log
+# @TEST-EXEC: btest-diff dns.log
+# @TEST-EXEC: test ! -e tunnel.log
+
+# The fact that udp port 2152 on only one side already qualifies for GTP
+# increases the risk for false positives, see this trace. This is not a
+# GTP packet, but a DNS packet which just happens to use port 2152
--- a/testing/btest/core/tunnels/gtp/inner_ipv6.test
+++ b/testing/btest/core/tunnels/gtp/inner_ipv6.test
@ -0,0 +1,6 @@
+# @TEST-EXEC: bro -r $TRACES/tunnels/gtp/gtp7_ipv6.pcap
+# @TEST-EXEC: btest-diff conn.log
+# @TEST-EXEC: btest-diff tunnel.log
+
+# While the majority of user plane traffic inside the GTP tunnel is still IPv4,
+# there is sometimes already native IPv6.
--- a/testing/btest/core/tunnels/gtp/inner_teredo.test
+++ b/testing/btest/core/tunnels/gtp/inner_teredo.test
@ -0,0 +1,7 @@
+# @TEST-EXEC: bro -r $TRACES/tunnels/gtp/gtp8_teredo.pcap "Tunnel::delay_teredo_confirmation=F"
+# @TEST-EXEC: btest-diff conn.log
+# @TEST-EXEC: btest-diff tunnel.log
+
+# GTP packets may carry Teredo packets.  Toggled the delay teredo confirmation
+# option so that it shows in the service field (in one case the inner
+# connection of the teredo packet is carried over differing outer connections).
--- a/testing/btest/core/tunnels/gtp/non_recursive.test
+++ b/testing/btest/core/tunnels/gtp/non_recursive.test
@ -0,0 +1,11 @@
+# @TEST-EXEC: bro -r $TRACES/tunnels/gtp/gtp4_udp_2152_inside.pcap %INPUT >out
+# @TEST-EXEC: btest-diff out
+
+# In telecoms there is never a GTP tunnel within another GTP tunnel.
+# So if we find inside a GTP tunnel anohter IP/UDP packet with port 2152,
+# it is just a UDP packet, but not another GTP tunnel.
+
+event protocol_violation(c: connection, atype: count, aid: count, reason: string)
+    {
+    print "protocol_violation", c$id, reason;
+    }
--- a/testing/btest/core/tunnels/gtp/not_user_plane_data.test
+++ b/testing/btest/core/tunnels/gtp/not_user_plane_data.test
@ -0,0 +1,9 @@
+# @TEST-EXEC: bro -r $TRACES/tunnels/gtp/gtp10_not_0xff.pcap
+# @TEST-EXEC: btest-diff conn.log
+# @TEST-EXEC: test ! -e tunnel.log
+
+# There are GTP tunnel packets, which do not contain user plane data. Only
+# those with gtp.message==0xff contain user plane data. Other GTP packets
+# without user plane data are echo request, echo reply, error indication
+# and stop marker (not included in trace). Those non-user plane GTP
+# packets are ignored for now.
--- a/testing/btest/core/tunnels/gtp/opt_header.test
+++ b/testing/btest/core/tunnels/gtp/opt_header.test
@ -0,0 +1,12 @@
+# @TEST-EXEC: bro -r $TRACES/tunnels/gtp/gtp6_gtp_0x32.pcap %INPUT >out
+# @TEST-EXEC: btest-diff out
+# @TEST-EXEC: btest-diff conn.log
+# @TEST-EXEC: btest-diff tunnel.log
+
+# Some GTPv1 headers have some optional fields totaling to a 4-byte extension
+# of the mandatory header.
+
+event gtpv1_g_pdu_packet(outer: connection, inner_gtp: gtpv1_hdr, inner_ip: pkt_hdr)
+    {
+    print "gtpv1_packet", inner_gtp;
+    }
--- a/testing/btest/core/tunnels/gtp/outer_ip_frag.test
+++ b/testing/btest/core/tunnels/gtp/outer_ip_frag.test
@ -0,0 +1,11 @@
+# @TEST-EXEC: bro -C -r $TRACES/tunnels/gtp/gtp1_gn_normal_incl_fragmentation.pcap
+# @TEST-EXEC: btest-diff conn.log
+# @TEST-EXEC: btest-diff http.log
+# @TEST-EXEC: btest-diff tunnel.log
+
+# Normal GTP file, incl. TCP handshake and HTTP message.
+# The inner IP packet is put into a GTP tunnel and as the original user payload
+# is already 1500 byte, the tunneled packet incl. GTP/UDP/IP payload is
+# bigger than 1500 byte and thus the outer IP must be fragmented, as seen here.
+# (checksums are incorrect because packets were anonymized and tcprewrite
+# seems to fail to correct the checksums when there's IP fragmentation).
--- a/testing/btest/core/tunnels/gtp/unknown_or_too_short.test
+++ b/testing/btest/core/tunnels/gtp/unknown_or_too_short.test
@ -0,0 +1,13 @@
+# @TEST-EXEC: bro -C -r $TRACES/tunnels/gtp/gtp9_unknown_or_too_short_payload.pcap
+# @TEST-EXEC: btest-diff dpd.log
+# @TEST-EXEC: btest-diff tunnel.log
+
+# Packet 11, epoch time 1333458853.075889 is malformed. Only 222 byte are
+# captured, although according to the IP header a full packet should be
+# available. In Sessions.cc this throws a weird message at line 710.
+# Packet 12, epoch time 1333458853.075904 is malformed. The user plane
+# packet is no IPv4 nor IPv6 packet. Very probably this is a follow up
+# issue on a problem of the user plane packet before it was put into the
+# tunnel. The user plane packet may got corrupt and then put into 2 tunnel
+# packets, here packet 11 and 12, and in packet 12 the user plane data is
+# part of the remainder of the broken user plane packet of packet 11.
--- a/testing/btest/core/when-interpreter-exceptions.bro
+++ b/testing/btest/core/when-interpreter-exceptions.bro
@ -0,0 +1,67 @@
+# @TEST-EXEC: btest-bg-run bro bro -b --pseudo-realtime -r $TRACES/rotation.trace %INPUT
+# @TEST-EXEC: btest-bg-wait -k 3
+# @TEST-EXEC: TEST_DIFF_CANONIFIER="$SCRIPTS/diff-remove-abspath | $SCRIPTS/diff-remove-timestamps" btest-diff bro/.stderr
+# @TEST-EXEC: btest-diff bro/.stdout
+
+# interpreter exceptions in "when" blocks shouldn't cause termination
+
+global p: pkt_hdr;
+
+function f(do_exception: bool): bool
+	{
+	return when ( local addrs = lookup_hostname("localhost") )
+		{
+		print "localhost resolved from f()", do_exception;
+		if ( do_exception )
+			print p$ip;
+		return T;
+		}
+	return F;
+	}
+
+function g(do_exception: bool): bool
+	{
+	return when ( local addrs = lookup_hostname("localhost") )
+		{
+		print "shouldn't get here, g()", do_exception;
+		}
+	timeout 0 sec
+		{
+		print "timeout g()", do_exception;
+		if ( do_exception )
+			print p$ip;
+		return T;
+		}
+	return F;
+	}
+
+event bro_init()
+	{
+	when ( local addrs = lookup_hostname("localhost") )
+		{
+		print "localhost resolved";
+		print p$ip;
+		}
+
+	when ( local addrs2 = lookup_hostname("localhost") )
+		{
+		print "shouldn't get here";
+		}
+	timeout 0 sec
+		{
+		print "timeout";
+		print p$ip;
+		}
+
+	when ( local b = f(T) )
+		print "f() exception done (shouldn't be printed)", b;
+
+	when ( local b2 = g(T) )
+		print "g() exception done (shouldn't be printed)", b2;
+
+	when ( local b3 = f(F) )
+		print "f() done, no exception", b3;
+
+	when ( local b4 = g(F) )
+		print "g() done, no exception", b4;
+	}
--- a/Show more
+++ b/Show more
 @ -1 +1 @@
 .1-195
 .1-231
				`@ -0,0 +1 @@`
				`protocol_violation, [orig_h=74.125.216.149, orig_p=2152/udp, resp_h=10.131.138.69, resp_p=2152/udp], GTP-in-GTP [n\xd9'\|\x00\x00\x01\xb6[\xf6\xdc0\xb7d\xe5\xe6\xa76\x91\xfbk\x0e\x02\xc8A\x05\xa8\xe6\xf3Gi\x80(]\xcew\x84\xae}\xd2...]`