From 7ede4f48bd009a3b8414eef67928019be1e5269c Mon Sep 17 00:00:00 2001 From: Jan Grashoefer Date: Mon, 7 Sep 2020 20:46:14 +0200 Subject: [PATCH] Simplify packet analyzer config. --- scripts/base/init-bare.zeek | 28 +++-------- .../base/packet-protocols/ethernet/main.zeek | 26 +++++----- scripts/base/packet-protocols/fddi/main.zeek | 6 --- .../packet-protocols/ieee802_11/main.zeek | 16 +++--- .../ieee802_11_radio/main.zeek | 11 +++-- scripts/base/packet-protocols/ip/main.zeek | 11 +++-- .../base/packet-protocols/linux_sll/main.zeek | 18 ++++--- scripts/base/packet-protocols/nflog/main.zeek | 13 +++-- scripts/base/packet-protocols/null/main.zeek | 24 +++++---- .../packet-protocols/ppp_serial/main.zeek | 18 +++++-- scripts/base/packet-protocols/pppoe/main.zeek | 11 +++-- scripts/base/packet-protocols/root/main.zeek | 20 ++++++++ scripts/base/packet-protocols/vlan/main.zeek | 21 +++++--- src/DebugLogger.h | 38 +++++++------- src/packet_analysis/Analyzer.cc | 41 ++++++++++------ src/packet_analysis/Analyzer.h | 24 ++++----- src/packet_analysis/Manager.cc | 49 ++----------------- .../protocol/ethernet/Ethernet.cc | 6 +-- .../canonified_loaded_scripts.log | 6 ++- .../canonified_loaded_scripts.log | 6 ++- testing/btest/Baseline/plugins.hooks/output | 17 ++++--- .../plugins.packet-protocol/output_build | 4 +- testing/btest/core/skip_analyzer.zeek | 4 +- .../scripts/PacketDemo/LLCDemo/base/main.zeek | 4 +- .../PacketDemo/RawLayer/base/main.zeek | 16 ++++-- .../packet-protocol-plugin/src/LLCDemo.cc | 2 +- .../packet-protocol-plugin/src/Plugin.cc | 4 +- .../packet-protocol-plugin/src/RawLayer.cc | 2 +- 28 files changed, 233 insertions(+), 213 deletions(-) diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek index b89aa00f4c..b7a2b1b80c 100644 --- a/scripts/base/init-bare.zeek +++ b/scripts/base/init-bare.zeek 
@@ -5340,28 +5340,16 @@ event net_done(t: time) module PacketAnalyzer; -## Defines a mapping for the PacketAnalyzer's configuration tree. This -## maps from a parent analyzer to a child analyzer through a numeric -## identifier. export { - type ConfigEntry : record { - ## The parent analyzer. This analyzer will check for the *identifier* in the - ## packet data to know whether to call the next analyzer. This field is optional. - ## If it is not included, the identifier will attach to the "root" analyzer. The - ## root analyzer uses the link layer identifier provided by the packet source to - ## determine the protocol for the initial packet header. - parent : PacketAnalyzer::Tag; + type DispatchEntry : record { + ## The analyzer to dispatch. + analyzer : PacketAnalyzer::Tag; + }; - ## A numeric identifier, which can be found in the packet data, that denotes the - ## encapsulated protocol. This field is optional. If it is not included, the - ## configured child analyzer will be used as default analyzer. - identifier : count; - - ## The analyzer that corresponds to the above identifier. - analyzer : PacketAnalyzer::Tag; - }; - - const config_map : vector of PacketAnalyzer::ConfigEntry &redef; + ## A packet analyzer may extract a numeric identifier, which can be found in the + ## packet data and denotes the encapsulated protocol. A DispatchMap allows to map + ## the identifier to a child analyzer, which is defined using a DispatchEntry. + type DispatchMap : table[count] of DispatchEntry; } @load base/packet-protocols diff --git a/scripts/base/packet-protocols/ethernet/main.zeek b/scripts/base/packet-protocols/ethernet/main.zeek index 6723556708..6f1c31df90 100644 --- a/scripts/base/packet-protocols/ethernet/main.zeek +++ b/scripts/base/packet-protocols/ethernet/main.zeek 
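Review bot: The doc comment on the new `DispatchMap` type reads awkwardly ("A DispatchMap allows to map the identifier to a child analyzer, which is defined using a DispatchEntry") and does not tell a script author where such a map is expected to live; suggest `## A DispatchMap maps such an identifier to the child analyzer that should handle the encapsulated protocol, given as a DispatchEntry. Each packet analyzer exposes its own dispatch_map in its module (e.g. PacketAnalyzer::ROOT::dispatch_map), which the analyzer reads when it is initialized.` The per-module lookup is what the rest of this patch implements (every packet-protocols main.zeek gains an exported `dispatch_map`), so documenting it once here is the natural place. The `export` block continues unchanged outside the hunk.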
@@ -10,19 +10,19 @@ export { const novell_raw_analyzer: PacketAnalyzer::Tag &redef; ## IEEE 802.2 LLC analyzer const llc_analyzer: PacketAnalyzer::Tag &redef; + + ## Identifier mappings based on EtherType + const dispatch_map: PacketAnalyzer::DispatchMap = {} &redef; } -const DLT_EN10MB : count = 1; - -redef PacketAnalyzer::config_map += { - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ROOT, $identifier=DLT_EN10MB, $analyzer=PacketAnalyzer::ANALYZER_ETHERNET), - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x8847, $analyzer=PacketAnalyzer::ANALYZER_MPLS), - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x0800, $analyzer=PacketAnalyzer::ANALYZER_IPV4), - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x86DD, $analyzer=PacketAnalyzer::ANALYZER_IPV6), - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x0806, $analyzer=PacketAnalyzer::ANALYZER_ARP), - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x8035, $analyzer=PacketAnalyzer::ANALYZER_ARP), - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x8100, $analyzer=PacketAnalyzer::ANALYZER_VLAN), - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x88A8, $analyzer=PacketAnalyzer::ANALYZER_VLAN), - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x9100, $analyzer=PacketAnalyzer::ANALYZER_VLAN), - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x8864, $analyzer=PacketAnalyzer::ANALYZER_PPPOE), +redef dispatch_map += { + [0x8847] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_MPLS), + [0x0800] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_IPV4), + [0x86DD] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_IPV6), + [0x0806] = 
PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_ARP), + [0x8035] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_ARP), + [0x8100] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_VLAN), + [0x88A8] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_VLAN), + [0x9100] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_VLAN), + [0x8864] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_PPPOE) }; diff --git a/scripts/base/packet-protocols/fddi/main.zeek b/scripts/base/packet-protocols/fddi/main.zeek index 30ab05331f..3104682102 100644 --- a/scripts/base/packet-protocols/fddi/main.zeek +++ b/scripts/base/packet-protocols/fddi/main.zeek @@ -4,9 +4,3 @@ export { ## Default analyzer const default_analyzer: PacketAnalyzer::Tag = PacketAnalyzer::ANALYZER_IP &redef; } - -const DLT_FDDI : count = 10; - -redef PacketAnalyzer::config_map += { - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ROOT, $identifier=DLT_FDDI, $analyzer=PacketAnalyzer::ANALYZER_FDDI), -}; diff --git a/scripts/base/packet-protocols/ieee802_11/main.zeek b/scripts/base/packet-protocols/ieee802_11/main.zeek index 292e26b34b..f46f89e377 100644 --- a/scripts/base/packet-protocols/ieee802_11/main.zeek +++ b/scripts/base/packet-protocols/ieee802_11/main.zeek 
@@ -1,11 +1,13 @@ module PacketAnalyzer::IEEE802_11; -const DLT_IEEE802_11 : count = 105; +export { + ## Identifier mappings based on EtherType + const dispatch_map: PacketAnalyzer::DispatchMap = {} &redef; +} -redef PacketAnalyzer::config_map += { - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ROOT, $identifier=DLT_IEEE802_11, $analyzer=PacketAnalyzer::ANALYZER_IEEE802_11), - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_IEEE802_11, $identifier=0x0800, $analyzer=PacketAnalyzer::ANALYZER_IPV4), - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_IEEE802_11, $identifier=0x86DD, $analyzer=PacketAnalyzer::ANALYZER_IPV6), - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_IEEE802_11, $identifier=0x0806, $analyzer=PacketAnalyzer::ANALYZER_ARP), - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_IEEE802_11, $identifier=0x8035, $analyzer=PacketAnalyzer::ANALYZER_ARP) +redef dispatch_map += { + [0x0800] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_IPV4), + [0x86DD] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_IPV6), + [0x0806] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_ARP), + [0x8035] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_ARP) }; diff --git a/scripts/base/packet-protocols/ieee802_11_radio/main.zeek b/scripts/base/packet-protocols/ieee802_11_radio/main.zeek index 13c0cbe618..483a80acf0 100644 --- a/scripts/base/packet-protocols/ieee802_11_radio/main.zeek +++ b/scripts/base/packet-protocols/ieee802_11_radio/main.zeek 
@@ -1,9 +1,12 @@ module PacketAnalyzer::IEEE802_11_RADIO; -const DLT_IEEE802_11_RADIO : count = 127; +export { + ## Identifier mappings + const dispatch_map: PacketAnalyzer::DispatchMap = {} &redef; +} + const DLT_IEEE802_11 : count = 105; -redef PacketAnalyzer::config_map += { - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ROOT, $identifier=DLT_IEEE802_11_RADIO, $analyzer=PacketAnalyzer::ANALYZER_IEEE802_11_RADIO), - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_IEEE802_11_RADIO, $identifier=DLT_IEEE802_11, $analyzer=PacketAnalyzer::ANALYZER_IEEE802_11) +redef dispatch_map += { + [DLT_IEEE802_11] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_IEEE802_11) }; diff --git a/scripts/base/packet-protocols/ip/main.zeek b/scripts/base/packet-protocols/ip/main.zeek index c7884db588..feb5fde73b 100644 --- a/scripts/base/packet-protocols/ip/main.zeek +++ b/scripts/base/packet-protocols/ip/main.zeek @@ -1,6 +1,11 @@ module PacketAnalyzer::IP; -redef PacketAnalyzer::config_map += { - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_IP, $identifier=4, $analyzer=PacketAnalyzer::ANALYZER_IPV4), - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_IP, $identifier=6, $analyzer=PacketAnalyzer::ANALYZER_IPV6) +export { + ## Identifier mappings based on IP version (4 or 6) + const dispatch_map: PacketAnalyzer::DispatchMap = {} &redef; +} + +redef dispatch_map += { + [4] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_IPV4), + [6] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_IPV6) }; diff --git a/scripts/base/packet-protocols/linux_sll/main.zeek b/scripts/base/packet-protocols/linux_sll/main.zeek index ce693f6625..995c972ae6 100644 --- a/scripts/base/packet-protocols/linux_sll/main.zeek +++ b/scripts/base/packet-protocols/linux_sll/main.zeek 
@@ -1,12 +1,14 @@ -module PacketAnalyzer::LINUX_SLL; +module PacketAnalyzer::LINUXSLL; -const DLT_LINUX_SLL : count = 113; +export { + ## Identifier mappings based on EtherType + const dispatch_map: PacketAnalyzer::DispatchMap = {} &redef; +} -redef PacketAnalyzer::config_map += { - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ROOT, $identifier=DLT_LINUX_SLL, $analyzer=PacketAnalyzer::ANALYZER_LINUXSLL), - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_LINUXSLL, $identifier=0x0800, $analyzer=PacketAnalyzer::ANALYZER_IPV4), - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_LINUXSLL, $identifier=0x86DD, $analyzer=PacketAnalyzer::ANALYZER_IPV6), - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_LINUXSLL, $identifier=0x0806, $analyzer=PacketAnalyzer::ANALYZER_ARP), +redef dispatch_map += { + [0x0800] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_IPV4), + [0x86DD] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_IPV6), + [0x0806] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_ARP), # RARP - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_LINUXSLL, $identifier=0x8035, $analyzer=PacketAnalyzer::ANALYZER_ARP) + [0x8035] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_ARP) }; diff --git a/scripts/base/packet-protocols/nflog/main.zeek b/scripts/base/packet-protocols/nflog/main.zeek index d5da9f47c8..cecc0d466b 100644 --- a/scripts/base/packet-protocols/nflog/main.zeek +++ b/scripts/base/packet-protocols/nflog/main.zeek 
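Review bot: The module rename `PacketAnalyzer::LINUX_SLL` → `PacketAnalyzer::LINUXSLL` is load-bearing rather than cosmetic, and nothing in the file says so: Analyzer::Initialize() in this patch resolves the table as `GetModuleName() + "dispatch_map"`, with GetModuleName() built from the analyzer's own name (presumably the `LINUXSLL` in `ANALYZER_LINUXSLL`), so a module spelled differently would silently get no dispatch entries and fall through to the default analyzer. A one-line comment above the module line, `# The module name must match the analyzer's component name: the core resolves dispatch_map and default_analyzer relative to it.`, would save the next maintainer the same debugging. The same coupling applies to every other packet-protocols main.zeek in this patch, so the comment could equally go on the `DispatchMap` type in init-bare.zeek instead.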
@@ -1,11 +1,14 @@ module PacketAnalyzer::NFLOG; -const DLT_NFLOG : count = 239; +export { + ## Identifier mappings + const dispatch_map: PacketAnalyzer::DispatchMap = {} &redef; +} + const AF_INET : count = 2; const AF_INET6 : count = 10; -redef PacketAnalyzer::config_map += { - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ROOT, $identifier=DLT_NFLOG, $analyzer=PacketAnalyzer::ANALYZER_NFLOG), - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_NFLOG, $identifier=AF_INET, $analyzer=PacketAnalyzer::ANALYZER_IPV4), - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_NFLOG, $identifier=AF_INET6, $analyzer=PacketAnalyzer::ANALYZER_IPV6) +redef dispatch_map += { + [AF_INET] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_IPV4), + [AF_INET6] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_IPV6) }; diff --git a/scripts/base/packet-protocols/null/main.zeek b/scripts/base/packet-protocols/null/main.zeek index 35a4258f04..e1aff33dcd 100644 --- a/scripts/base/packet-protocols/null/main.zeek +++ b/scripts/base/packet-protocols/null/main.zeek 
@@ -1,19 +1,25 @@ module PacketAnalyzer::NULL; -const DLT_NULL : count = 0; -const AF_INET : count = 2; -const AF_INET6 : count = 10; +export { + ## Identifier mappings + const dispatch_map: PacketAnalyzer::DispatchMap = {} &redef; +} -redef PacketAnalyzer::config_map += { - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ROOT, $identifier=DLT_NULL, $analyzer=PacketAnalyzer::ANALYZER_NULL), - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_NULL, $identifier=AF_INET, $analyzer=PacketAnalyzer::ANALYZER_IPV4), +const DLT_NULL : count = 0; + +redef PacketAnalyzer::ROOT::dispatch_map += { + [DLT_NULL] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_NULL) +}; + +redef dispatch_map += { + [2] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_IPV4), ## From the Wireshark Wiki: AF_INET6ANALYZER, unfortunately, has different values in ## {NetBSD,OpenBSD,BSD/OS}, {FreeBSD,DragonFlyBSD}, and {Darwin/Mac OS X}, so an IPv6 ## packet might have a link-layer header with 24, 28, or 30 as the AF_ value. As we ## may be reading traces captured on platforms other than what we're running on, we ## accept them all here. - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_NULL, $identifier=24, $analyzer=PacketAnalyzer::ANALYZER_IPV6), - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_NULL, $identifier=28, $analyzer=PacketAnalyzer::ANALYZER_IPV6), - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_NULL, $identifier=30, $analyzer=PacketAnalyzer::ANALYZER_IPV6) + [24] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_IPV6), + [28] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_IPV6), + [30] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_IPV6) }; diff --git a/scripts/base/packet-protocols/ppp_serial/main.zeek b/scripts/base/packet-protocols/ppp_serial/main.zeek index 75d97706fe..4c2ba042c0 100644 
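Review bot: The new `[2] = PacketAnalyzer::DispatchEntry(...)` entry replaces the removed named constant with a bare literal, while nflog/main.zeek (the next hunk) keeps `AF_INET`/`AF_INET6` constants for the same values; keep `const AF_INET : count = 2;` and index with `[AF_INET]` so the two maps read alike. Separately, this file now registers its own link type into `PacketAnalyzer::ROOT::dispatch_map` (ppp_serial/main.zeek does the same), whereas the other link types are collected centrally in root/main.zeek — two conventions for one registration; either move `DLT_NULL` and `DLT_PPP_SERIAL` into root/main.zeek or add a comment there saying why these two are registered from their own modules. The retained comment text `AF_INET6ANALYZER` looks like a search-and-replace leftover (presumably `AF_INET6` was meant) and is worth fixing while the block is being touched.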
--- a/scripts/base/packet-protocols/ppp_serial/main.zeek +++ b/scripts/base/packet-protocols/ppp_serial/main.zeek @@ -1,10 +1,18 @@ module PacketAnalyzer::PPP_SERIAL; +export { + ## Identifier mappings + const dispatch_map: PacketAnalyzer::DispatchMap = {} &redef; +} + const DLT_PPP_SERIAL : count = 50; -redef PacketAnalyzer::config_map += { - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ROOT, $identifier=DLT_PPP_SERIAL, $analyzer=PacketAnalyzer::ANALYZER_PPPSERIAL), - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_PPPSERIAL, $identifier=0x0281, $analyzer=PacketAnalyzer::ANALYZER_MPLS), - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_PPPSERIAL, $identifier=0x0021, $analyzer=PacketAnalyzer::ANALYZER_IPV4), - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_PPPSERIAL, $identifier=0x0057, $analyzer=PacketAnalyzer::ANALYZER_IPV6) +redef PacketAnalyzer::ROOT::dispatch_map += { + [DLT_PPP_SERIAL] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_PPPSERIAL) +}; + +redef dispatch_map += { + [0x0281] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_MPLS), + [0x0021] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_IPV4), + [0x0057] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_IPV6) }; diff --git a/scripts/base/packet-protocols/pppoe/main.zeek b/scripts/base/packet-protocols/pppoe/main.zeek index 425b857f2c..f8e8f76d44 100644 --- a/scripts/base/packet-protocols/pppoe/main.zeek +++ b/scripts/base/packet-protocols/pppoe/main.zeek 
@@ -1,6 +1,11 @@ module PacketAnalyzer::PPPOE; -redef PacketAnalyzer::config_map += { - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_PPPOE, $identifier=0x0021, $analyzer=PacketAnalyzer::ANALYZER_IPV4), - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_PPPOE, $identifier=0x0057, $analyzer=PacketAnalyzer::ANALYZER_IPV6) +export { + ## Identifier mappings + const dispatch_map: PacketAnalyzer::DispatchMap = {} &redef; +} + +redef dispatch_map += { + [0x0021] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_IPV4), + [0x0057] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_IPV6) }; diff --git a/scripts/base/packet-protocols/root/main.zeek b/scripts/base/packet-protocols/root/main.zeek index 09edcc97b4..a53788804f 100644 --- a/scripts/base/packet-protocols/root/main.zeek +++ b/scripts/base/packet-protocols/root/main.zeek 
@@ -3,4 +3,24 @@ module PacketAnalyzer::ROOT; export { ## Default analyzer (if we don't know the link type, we assume raw IP) const default_analyzer: PacketAnalyzer::Tag = PacketAnalyzer::ANALYZER_IP &redef; + + ## Identifier mappings based on link type + const dispatch_map: PacketAnalyzer::DispatchMap = {} &redef; } + +const DLT_EN10MB : count = 1; +const DLT_FDDI : count = 10; +const DLT_IEEE802_11 : count = 105; +const DLT_IEEE802_11_RADIO : count = 127; +const DLT_LINUX_SLL : count = 113; +const DLT_NFLOG : count = 239; + +redef dispatch_map += { + [DLT_EN10MB] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_ETHERNET), + [DLT_FDDI] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_FDDI), + [DLT_IEEE802_11] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_IEEE802_11), + [DLT_IEEE802_11_RADIO] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_IEEE802_11_RADIO), + [DLT_LINUX_SLL] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_LINUXSLL), + [DLT_NFLOG] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_NFLOG) + +}; diff --git a/scripts/base/packet-protocols/vlan/main.zeek b/scripts/base/packet-protocols/vlan/main.zeek index 927f381acf..7f564cfa0d 100644 --- a/scripts/base/packet-protocols/vlan/main.zeek +++ b/scripts/base/packet-protocols/vlan/main.zeek 
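Review bot: `const DLT_IEEE802_11 : count = 105;` is now defined both here and in ieee802_11_radio/main.zeek, which keeps its own copy for the radio→802.11 mapping; two private copies of the same libpcap link-type value can drift. Consider moving the `DLT_*` constants into the export block of this module and referencing `PacketAnalyzer::ROOT::DLT_IEEE802_11` from the radio module instead. Minor: the blank line before the closing `};` of the `redef dispatch_map` block is inconsistent with the other maps in this patch.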
@@ -1,11 +1,16 @@ module PacketAnalyzer::VLAN; -redef PacketAnalyzer::config_map += { - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_VLAN, $identifier=0x8847, $analyzer=PacketAnalyzer::ANALYZER_MPLS), - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_VLAN, $identifier=0x0800, $analyzer=PacketAnalyzer::ANALYZER_IPV4), - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_VLAN, $identifier=0x86DD, $analyzer=PacketAnalyzer::ANALYZER_IPV6), - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_VLAN, $identifier=0x0806, $analyzer=PacketAnalyzer::ANALYZER_ARP), - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_VLAN, $identifier=0x8035, $analyzer=PacketAnalyzer::ANALYZER_ARP), - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_VLAN, $identifier=0x8100, $analyzer=PacketAnalyzer::ANALYZER_VLAN), - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_VLAN, $identifier=0x8864, $analyzer=PacketAnalyzer::ANALYZER_PPPOE) +export { + ## Identifier mappings based on EtherType + const dispatch_map: PacketAnalyzer::DispatchMap = {} &redef; +} + +redef dispatch_map += { + [0x8847] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_MPLS), + [0x0800] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_IPV4), + [0x86DD] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_IPV6), + [0x0806] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_ARP), + [0x8035] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_ARP), + [0x8100] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_VLAN), + [0x8864] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_PPPOE) }; diff --git a/src/DebugLogger.h b/src/DebugLogger.h index 1005c367a6..f7c3a04e55 100644 --- a/src/DebugLogger.h +++ b/src/DebugLogger.h 
@@ -30,26 +30,26 @@ namespace zeek { // an entry to DebugLogger::streams in DebugLogger.cc. enum DebugStream { - DBG_SERIAL, // Serialization - DBG_RULES, // Signature matching - DBG_STRING, // String code - DBG_NOTIFIERS, // Notifiers - DBG_MAINLOOP, // Main IOSource loop - DBG_ANALYZER, // Analyzer framework - DBG_PACKET_ANALYSIS, // Packet analysis - DBG_FILE_ANALYSIS, // File analysis - DBG_TM, // Time-machine packet input via Brocolli - DBG_LOGGING, // Logging streams - DBG_INPUT, // Input streams - DBG_THREADING, // Threading system - DBG_PLUGINS, // Plugin system - DBG_ZEEKYGEN, // Zeekygen - DBG_PKTIO, // Packet sources and dumpers. - DBG_BROKER, // Broker communication - DBG_SCRIPTS, // Script initialization - DBG_SUPERVISOR, // Process supervisor + DBG_SERIAL, // Serialization + DBG_RULES, // Signature matching + DBG_STRING, // String code + DBG_NOTIFIERS, // Notifiers + DBG_MAINLOOP, // Main IOSource loop + DBG_ANALYZER, // Analyzer framework + DBG_PACKET_ANALYSIS, // Packet analysis + DBG_FILE_ANALYSIS, // File analysis + DBG_TM, // Time-machine packet input via Brocolli + DBG_LOGGING, // Logging streams + DBG_INPUT, // Input streams + DBG_THREADING, // Threading system + DBG_PLUGINS, // Plugin system + DBG_ZEEKYGEN, // Zeekygen + DBG_PKTIO, // Packet sources and dumpers. + DBG_BROKER, // Broker communication + DBG_SCRIPTS, // Script initialization + DBG_SUPERVISOR, // Process supervisor - NUM_DBGS // Has to be last + NUM_DBGS // Has to be last }; namespace detail { diff --git a/src/packet_analysis/Analyzer.cc b/src/packet_analysis/Analyzer.cc index 12b446738f..9587423ea2 100644 --- a/src/packet_analysis/Analyzer.cc +++ b/src/packet_analysis/Analyzer.cc 
@@ -29,14 +29,37 @@ void Analyzer::Init(const Tag& _tag) void Analyzer::Initialize() { - std::string ns = util::fmt("PacketAnalyzer::%s::", GetAnalyzerName()); + default_analyzer = LoadAnalyzer("default_analyzer"); - default_analyzer = LoadAnalyzer(ns +"default_analyzer"); + // Create dispatcher based on configuration + auto& mapping_id = zeek::id::find(GetModuleName() + "dispatch_map"); + if ( ! mapping_id ) + return; + + auto mapping_val = mapping_id->GetVal()->AsTableVal(); + auto mapping_tbl = mapping_val->AsTable(); + auto c = mapping_tbl->InitForIteration(); + + zeek::detail::HashKey* k = nullptr; + TableEntryVal* v; + while ( (v = mapping_tbl->NextEntry(k, c)) ) + { + auto key = mapping_val->RecreateIndex(*k); + delete k; + + auto identifier = key->Idx(0)->AsCount(); + auto config_entry_val = v->GetVal()->AsRecordVal(); + + auto mapped_tag = config_entry_val->GetField("analyzer")->AsEnumVal(); + auto mapped_analyzer = packet_mgr->GetAnalyzer(mapped_tag); + + dispatcher.Register(identifier, std::move(mapped_analyzer)); + } } zeek::packet_analysis::AnalyzerPtr Analyzer::LoadAnalyzer(const std::string &name) { - auto& analyzer = zeek::id::find(name); + auto& analyzer = zeek::id::find(GetModuleName() + name); if ( ! analyzer ) return nullptr; @@ -65,16 +88,6 @@ bool Analyzer::IsAnalyzer(const char* name) return packet_mgr->GetComponentName(tag) == name; } -void Analyzer::RegisterAnalyzerMapping(uint32_t identifier, AnalyzerPtr analyzer) - { - dispatcher.Register(identifier, std::move(analyzer)); - } - -void Analyzer::RegisterDefaultAnalyzer(AnalyzerPtr default_analyzer) - { - this->default_analyzer = std::move(default_analyzer); - } - AnalyzerPtr Analyzer::Lookup(uint32_t identifier) const { return dispatcher.Lookup(identifier); 
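Review bot: The loop in Analyzer::Initialize() registers the result of `packet_mgr->GetAnalyzer(mapped_tag)` without checking it, whereas the Manager::InitPostScript() code this patch removes warned via `reporter->InternalWarning("Mapped analyzer %s not found.", ...)` and skipped the entry; if GetAnalyzer() can return a null AnalyzerPtr for a tag whose analyzer was not instantiated (a map entry naming an analyzer from a plugin that is not loaded, for instance), that null now goes into the dispatcher and is only noticed when a packet with that identifier arrives. Suggest `if ( ! mapped_analyzer ) { reporter->InternalWarning("Mapped analyzer not found."); continue; }` before `dispatcher.Register(...)`, ideally naming the identifier in the message. The `zeek::detail::HashKey* k` / `delete k` pattern also deserves a one-line comment such as `// NextEntry() hands the key to the caller, which must free it` since the ownership transfer is otherwise only implied by the delete. Initialize() is shown completely; LoadAnalyzer() continues past the end of the first hunk.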
@@ -114,7 +127,7 @@ bool Analyzer::ForwardPacket(size_t len, const uint8_t* data, Packet* packet) co void Analyzer::DumpDebug() const { #ifdef DEBUG - DBG_LOG(DBG_PACKET_ANALYSIS, "Debug info for %s", this->GetAnalyzerName()); + DBG_LOG(DBG_PACKET_ANALYSIS, "Dispatcher for %s", this->GetAnalyzerName()); dispatcher.DumpDebug(); #endif } diff --git a/src/packet_analysis/Analyzer.h b/src/packet_analysis/Analyzer.h index 8331784954..241787135e 100644 --- a/src/packet_analysis/Analyzer.h +++ b/src/packet_analysis/Analyzer.h @@ -63,21 +63,6 @@ public: */ bool IsAnalyzer(const char* name); - /** - * Registers an analyzer to be dispatched for the given identifier. - * - * @param identifier The identifier an analyzer should be called for. - * @param analyzer The analyzer that should be called. - */ - void RegisterAnalyzerMapping(uint32_t identifier, AnalyzerPtr analyzer); - - /** - * Registers a default analyzer. - * - * @param default_analyzer The analyzer to use as default. - */ - void RegisterDefaultAnalyzer(AnalyzerPtr default_analyzer); - /** * Analyzes the given packet. A common case is that the analyzed protocol * encapsulates another protocol, which can be determined by an identifier @@ -119,6 +104,15 @@ protected: */ AnalyzerPtr LoadAnalyzer(const std::string& name); + /** + * Returns the module name corresponding to the analyzer, i.e. its script-land + * namespace. Configuration values for the analyzer are expected in this module. + * @return Analyzer's module name. + */ + std::string GetModuleName() const { + return util::fmt("PacketAnalyzer::%s::", GetAnalyzerName()); + }; + /** * Triggers analysis of the encapsulated packet. The encapsulated protocol * is determined using the given identifier. diff --git a/src/packet_analysis/Manager.cc b/src/packet_analysis/Manager.cc index 5a7251d8ad..62574e7f8f 100644 --- a/src/packet_analysis/Manager.cc +++ b/src/packet_analysis/Manager.cc 
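Review bot: LoadAnalyzer()'s contract changes in this patch (Analyzer.cc now resolves `GetModuleName() + name`, i.e. the name is relative to the analyzer's script module), but its doc comment in Analyzer.h — whose closing `*/` is the first context line of the last hunk — is not updated and presumably still describes a fully qualified identifier, which is exactly what the Ethernet.cc and plugin callers had to stop passing. Add `@param name Name of the script-level variable relative to the analyzer's module (see GetModuleName()), e.g. "default_analyzer".` to that comment. Also, the inline definition of GetModuleName() ends in `};`; the semicolon after a member-function body is superfluous and should be dropped.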
@@ -21,48 +21,6 @@ void Manager::InitPostScript() analyzers.emplace(analyzerComponent->Name(), newAnalyzer); } - // Read in analyzer map and create dispatchers - auto& analyzer_mapping = zeek::id::find("PacketAnalyzer::config_map"); - if ( ! analyzer_mapping ) - return; - - auto mapping_val = analyzer_mapping->GetVal()->AsVectorVal(); - if ( mapping_val->Size() == 0 ) - return; - - for ( unsigned int i = 0; i < mapping_val->Size(); i++ ) - { - auto* rv = mapping_val->At(i)->AsRecordVal(); - //TODO: Make that field a string for usability reasons - //TODO: Check error handling when fields are omitted - auto& parent_val = rv->GetField("parent"); - std::string parent_name = Lookup(parent_val->AsEnumVal())->Name(); - auto& identifier_val = rv->GetField("identifier"); - auto analyzer_tag = rv->GetField("analyzer")->AsEnumVal(); - auto analyzer_name = Lookup(analyzer_tag)->Name(); - - auto analyzer_it = analyzers.find(analyzer_name); - if ( analyzer_it == analyzers.end() ) - { - reporter->InternalWarning("Mapped analyzer %s not found.", analyzer_name.c_str()); - continue; - } - auto& analyzer = analyzer_it->second; - - auto parent_analyzer_it = analyzers.find(parent_name); - if ( parent_analyzer_it == analyzers.end() ) - { - reporter->InternalWarning("Parent analyzer %s not found.", parent_name.c_str()); - continue; - } - auto& parent_analyzer = parent_analyzer_it->second; - - if ( identifier_val ) - parent_analyzer->RegisterAnalyzerMapping(identifier_val->AsCount(), analyzer); - else - parent_analyzer->RegisterDefaultAnalyzer(analyzer); - } - // Initialize all analyzers for ( auto& [name, analyzer] : analyzers ) analyzer->Initialize(); 
@@ -79,12 +37,11 @@ void Manager::DumpDebug() #ifdef DEBUG DBG_LOG(DBG_PACKET_ANALYSIS, "Available packet analyzers after zeek_init():"); for ( auto& current : GetComponents() ) - { DBG_LOG(DBG_PACKET_ANALYSIS, " %s", current->Name().c_str()); - } - DBG_LOG(DBG_PACKET_ANALYSIS, "Root dispatcher:"); - root_analyzer->DumpDebug(); + DBG_LOG(DBG_PACKET_ANALYSIS, "Packet analyzer debug information:"); + for ( auto& [name, analyzer] : analyzers ) + analyzer->DumpDebug(); #endif } diff --git a/src/packet_analysis/protocol/ethernet/Ethernet.cc b/src/packet_analysis/protocol/ethernet/Ethernet.cc index 998eb3498f..68dd5b935f 100644 --- a/src/packet_analysis/protocol/ethernet/Ethernet.cc +++ b/src/packet_analysis/protocol/ethernet/Ethernet.cc @@ -15,9 +15,9 @@ void EthernetAnalyzer::Initialize() { Analyzer::Initialize(); - SNAPAnalyzer = LoadAnalyzer("PacketAnalyzer::Ethernet::snap_analyzer"); - NovellRawAnalyzer = LoadAnalyzer("PacketAnalyzer::Ethernet::novell_raw_analyzer"); - LLCAnalyzer = LoadAnalyzer("PacketAnalyzer::Ethernet::llc_analyzer"); + SNAPAnalyzer = LoadAnalyzer("snap_analyzer"); + NovellRawAnalyzer = LoadAnalyzer("novell_raw_analyzer"); + LLCAnalyzer = LoadAnalyzer("llc_analyzer"); } bool EthernetAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log index 23a92ba95e..8af64df840 100644 --- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log @@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path loaded_scripts -#open 2020-09-01-11-19-11 +#open 2020-09-08-08-14-03 #fields name #types string scripts/base/init-bare.zeek 
@@ -20,6 +20,8 @@ scripts/base/init-bare.zeek build/scripts/base/bif/plugins/Zeek_KRB.types.bif.zeek build/scripts/base/bif/event.bif.zeek scripts/base/packet-protocols/__load__.zeek + scripts/base/packet-protocols/root/__load__.zeek + scripts/base/packet-protocols/root/main.zeek scripts/base/packet-protocols/ip/__load__.zeek scripts/base/packet-protocols/ip/main.zeek scripts/base/packet-protocols/skip/__load__.zeek @@ -214,4 +216,4 @@ scripts/base/init-frameworks-and-bifs.zeek build/scripts/base/bif/plugins/Zeek_SQLiteWriter.sqlite.bif.zeek scripts/policy/misc/loaded-scripts.zeek scripts/base/utils/paths.zeek -#close 2020-09-01-11-19-11 +#close 2020-09-08-08-14-03 diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log index f45aefe579..c38a701e86 100644 --- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log @@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path loaded_scripts -#open 2020-09-22-17-11-19 +#open 2020-09-22-17-14-48 #fields name #types string scripts/base/init-bare.zeek @@ -20,6 +20,8 @@ scripts/base/init-bare.zeek build/scripts/base/bif/plugins/Zeek_KRB.types.bif.zeek build/scripts/base/bif/event.bif.zeek scripts/base/packet-protocols/__load__.zeek + scripts/base/packet-protocols/root/__load__.zeek + scripts/base/packet-protocols/root/main.zeek scripts/base/packet-protocols/ip/__load__.zeek scripts/base/packet-protocols/ip/main.zeek scripts/base/packet-protocols/skip/__load__.zeek @@ -410,4 +412,4 @@ scripts/base/init-default.zeek scripts/base/misc/find-filtered-trace.zeek scripts/base/misc/version.zeek scripts/policy/misc/loaded-scripts.zeek -#close 2020-09-22-17-11-19 +#close 2020-09-22-17-14-48 
diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output index d6524ea28e..1dec4d4ae8 100644 --- a/testing/btest/Baseline/plugins.hooks/output +++ b/testing/btest/Baseline/plugins.hooks/output @@ -283,7 +283,7 @@ 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1600794672.656797, node=zeek, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1600794881.771065, node=zeek, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Broker::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Cluster::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Config::LOG)) -> 
@@ -464,7 +464,7 @@ 0.000000 MetaHookPost CallFunction(Log::create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1600794672.656797, node=zeek, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1600794881.771065, node=zeek, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(NetControl::check_plugins, , ()) -> 0.000000 MetaHookPost CallFunction(NetControl::init, , ()) -> 0.000000 MetaHookPost CallFunction(Notice::want_pp, , ()) -> @@ -894,6 +894,7 @@ 0.000000 MetaHookPost LoadFile(0, base<...>/reporter) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/reporter.bif.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/rfb) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/root) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/signatures) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/sip) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/site.zeek) -> -1 
@@ -1227,7 +1228,7 @@ 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1600794672.656797, node=zeek, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1600794881.771065, node=zeek, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Broker::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Cluster::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Config::LOG)) @@ -1408,7 +1409,7 @@ 0.000000 MetaHookPre CallFunction(Log::create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1600794672.656797, node=zeek, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1600794881.771065, node=zeek, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(NetControl::check_plugins, , ()) 0.000000 MetaHookPre CallFunction(NetControl::init, , ()) 0.000000 MetaHookPre CallFunction(Notice::want_pp, , ()) 
@@ -1838,6 +1839,7 @@ 0.000000 MetaHookPre LoadFile(0, base<...>/reporter) 0.000000 MetaHookPre LoadFile(0, base<...>/reporter.bif.zeek) 0.000000 MetaHookPre LoadFile(0, base<...>/rfb) +0.000000 MetaHookPre LoadFile(0, base<...>/root) 0.000000 MetaHookPre LoadFile(0, base<...>/signatures) 0.000000 MetaHookPre LoadFile(0, base<...>/sip) 0.000000 MetaHookPre LoadFile(0, base<...>/site.zeek) @@ -2170,7 +2172,7 @@ 0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird]) 0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509]) 0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1600794672.656797, node=zeek, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1600794881.771065, node=zeek, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction Log::add_default_filter(Broker::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Config::LOG) 
@@ -2351,7 +2353,7 @@ 0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird]) 0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509]) 0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1600794672.656797, node=zeek, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1600794881.771065, node=zeek, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction NetControl::check_plugins() 0.000000 | HookCallFunction NetControl::init() 0.000000 | HookCallFunction Notice::want_pp() @@ -2793,6 +2795,7 @@ 0.000000 | HookLoadFile base<...>/reporter 0.000000 | HookLoadFile base<...>/reporter.bif.zeek 0.000000 | HookLoadFile base<...>/rfb +0.000000 | HookLoadFile base<...>/root 0.000000 | HookLoadFile base<...>/signatures 0.000000 | HookLoadFile base<...>/sip 0.000000 | HookLoadFile base<...>/site.zeek @@ -2825,7 +2828,7 @@ 0.000000 | HookLoadFile base<...>/xmpp 0.000000 | HookLoadFile base<...>/zeek.bif.zeek 0.000000 | HookLogInit packet_filter 1/1 {ts (time), node (string), filter (string), init (bool), success (bool)} -0.000000 | HookLogWrite packet_filter [ts=1600794672.656797, node=zeek, filter=ip or not ip, init=T, success=T] +0.000000 | HookLogWrite packet_filter [ts=1600794881.771065, node=zeek, filter=ip or not ip, init=T, success=T] 0.000000 | HookQueueEvent NetControl::init() 0.000000 | HookQueueEvent filter_change_tracking() 0.000000 | HookQueueEvent zeek_init() diff --git a/testing/btest/Baseline/plugins.packet-protocol/output_build b/testing/btest/Baseline/plugins.packet-protocol/output_build index 9762ab88f0..a5aa53185b 100644 --- a/testing/btest/Baseline/plugins.packet-protocol/output_build +++ b/testing/btest/Baseline/plugins.packet-protocol/output_build 
@@ -1,6 +1,6 @@
 PacketDemo::Bar - Demo packet analyzers (RawLayer, LLC). (dynamic, version 1.0.0)
- [Packet Analyzer] LLCDemo (ANALYZER_LLCDEMO)
- [Packet Analyzer] RawLayer (ANALYZER_RAWLAYER)
+ [Packet Analyzer] LLC_Demo (ANALYZER_LLC_DEMO)
+ [Packet Analyzer] Raw_Layer (ANALYZER_RAW_LAYER)
 [Event] raw_layer_message
 [Event] llc_demo_message
diff --git a/testing/btest/core/skip_analyzer.zeek b/testing/btest/core/skip_analyzer.zeek
index 9a152a9d4c..62652d0373 100644
--- a/testing/btest/core/skip_analyzer.zeek
+++ b/testing/btest/core/skip_analyzer.zeek
@@ -7,8 +7,8 @@
 @load base/protocols/conn
 @load base/frameworks/tunnels
-redef PacketAnalyzer::config_map += {
- PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ROOT, $identifier=1, $analyzer=PacketAnalyzer::ANALYZER_SKIP)
+redef PacketAnalyzer::ROOT::dispatch_map += {
+ [1] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_SKIP)
 };
 redef PacketAnalyzer::SKIP::skip_bytes: count = 38;
diff --git a/testing/btest/plugins/packet-protocol-plugin/scripts/PacketDemo/LLCDemo/base/main.zeek b/testing/btest/plugins/packet-protocol-plugin/scripts/PacketDemo/LLCDemo/base/main.zeek
index 46f5dba9f7..6269c4ff99 100644
--- a/testing/btest/plugins/packet-protocol-plugin/scripts/PacketDemo/LLCDemo/base/main.zeek
+++ b/testing/btest/plugins/packet-protocol-plugin/scripts/PacketDemo/LLCDemo/base/main.zeek
@@ -1,3 +1,3 @@
-module Packet_LLC_Demo;
+module PacketAnalyzer::LLC_DEMO;
-redef PacketAnalyzer::Ethernet::llc_analyzer = PacketAnalyzer::ANALYZER_LLCDEMO;
\ No newline at end of file
+redef PacketAnalyzer::ETHERNET::llc_analyzer = PacketAnalyzer::ANALYZER_LLC_DEMO;
\ No newline at end of file
diff --git a/testing/btest/plugins/packet-protocol-plugin/scripts/PacketDemo/RawLayer/base/main.zeek b/testing/btest/plugins/packet-protocol-plugin/scripts/PacketDemo/RawLayer/base/main.zeek
index b8c567836a..be32149e59 100644
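Review bot: The root-map key `1` in the skip_analyzer.zeek hunk is a bare magic number: at the root level the identifier is the link-layer type reported by the packet source, and the reader has to already know that 1 is presumably libpcap's DLT_EN10MB (Ethernet) to see that this redef routes every Ethernet frame of the trace into the SKIP analyzer instead of the normal Ethernet path. A one-line comment above the redef would make the test's intent explicit, e.g. `# Link type 1 (DLT_EN10MB): hand Ethernet frames to SKIP, which drops skip_bytes before dispatching further.` The `skip_bytes: count = 38` on the following line is equally opaque; stating what those 38 bytes correspond to in the trace used by this test would tie the two settings together.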
--- a/testing/btest/plugins/packet-protocol-plugin/scripts/PacketDemo/RawLayer/base/main.zeek
+++ b/testing/btest/plugins/packet-protocol-plugin/scripts/PacketDemo/RawLayer/base/main.zeek
@@ -1,6 +1,14 @@
-module Packet_Raw_Layer;
+module PacketAnalyzer::RAW_LAYER;
-redef PacketAnalyzer::config_map += {
- PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x88B5, $analyzer=PacketAnalyzer::ANALYZER_RAWLAYER),
- PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_RAWLAYER, $identifier=0x4950, $analyzer=PacketAnalyzer::ANALYZER_IP)
+export {
+ ## Identifier mapping
+ const dispatch_map: PacketAnalyzer::DispatchMap = {} &redef;
+}
+
+redef PacketAnalyzer::ETHERNET::dispatch_map += {
+ [0x88B5] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_RAW_LAYER)
+};
+
+redef dispatch_map += {
+ [0x4950] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_IP)
 };
diff --git a/testing/btest/plugins/packet-protocol-plugin/src/LLCDemo.cc b/testing/btest/plugins/packet-protocol-plugin/src/LLCDemo.cc
index 391a2811f9..f8bc8be53f 100644
--- a/testing/btest/plugins/packet-protocol-plugin/src/LLCDemo.cc
+++ b/testing/btest/plugins/packet-protocol-plugin/src/LLCDemo.cc
@@ -6,7 +6,7 @@ using namespace zeek::packet_analysis::PacketDemo;
 LLCDemo::LLCDemo()
- : zeek::packet_analysis::Analyzer("LLCDemo")
+ : zeek::packet_analysis::Analyzer("LLC_Demo")
 { }
diff --git a/testing/btest/plugins/packet-protocol-plugin/src/Plugin.cc b/testing/btest/plugins/packet-protocol-plugin/src/Plugin.cc
index 55a814a150..af88a438fa 100644
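Review bot: The new `dispatch_map` export in RawLayer/base/main.zeek is documented only as `## Identifier mapping`, which says neither what the key is nor why the module had to be renamed to `PacketAnalyzer::RAW_LAYER`; a reader has to correlate it with the `Raw_Layer` string handed to `Component` and `Analyzer` in the C++ side. The core presumably resolves this table from the analyzer's canonical name, so the module name, the `Raw_Layer` string and the `ANALYZER_RAW_LAYER` tag must all agree, and nothing in this test would flag a drift other than a silently empty map. I would say so in the doc comment: `## Maps the identifier the Raw_Layer analyzer reads from the packet to the analyzer for the encapsulated protocol (0x4950 -> IP below). The module name must match the analyzer's canonical name, Raw_Layer, for the core to find this table.` A baseline assertion that the 0x4950 path actually reaches the IP analyzer would turn a future name mismatch into a test failure instead of dropped packets.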
@@ -10,9 +10,9 @@ class Plugin : public zeek::plugin::Plugin {
 public:
 zeek::plugin::Configuration Configure()
 {
- AddComponent(new zeek::packet_analysis::Component("RawLayer",
+ AddComponent(new zeek::packet_analysis::Component("Raw_Layer",
 zeek::packet_analysis::PacketDemo::RawLayer::Instantiate));
- AddComponent(new zeek::packet_analysis::Component("LLCDemo",
+ AddComponent(new zeek::packet_analysis::Component("LLC_Demo",
 zeek::packet_analysis::PacketDemo::LLCDemo::Instantiate));
 zeek::plugin::Configuration config;
diff --git a/testing/btest/plugins/packet-protocol-plugin/src/RawLayer.cc b/testing/btest/plugins/packet-protocol-plugin/src/RawLayer.cc
index 800879b2bc..a1bb9af237 100644
--- a/testing/btest/plugins/packet-protocol-plugin/src/RawLayer.cc
+++ b/testing/btest/plugins/packet-protocol-plugin/src/RawLayer.cc
@@ -6,7 +6,7 @@ using namespace zeek::packet_analysis::PacketDemo;
 RawLayer::RawLayer()
- : zeek::packet_analysis::Analyzer("RawLayer")
+ : zeek::packet_analysis::Analyzer("Raw_Layer")
 { }