From 83f385b2b02f8c00cbaee4e65a268154fa6a05c1 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Tue, 19 Jun 2012 12:59:38 -0500 Subject: [PATCH] Make Teredo bubble packet parsing more lenient. Teredo bubble packets (IPv6 w/ No Next Header and zero Payload Length) with data extending past the inner IPv6 header (the outer IPv4 header's Total Length and UDP header's Length indicate this) now only raises a "Teredo_payload_len_mismatch" weird instead of causing a ProtocolViolation(). This also fixes a crash in NetSessions::ParseIPPacket() that occurred when the packet length didn't match the payload length field. --- src/Sessions.cc | 5 +- src/Sessions.h | 9 +- src/Teredo.cc | 44 +++++++--- src/ayiya-analyzer.pac | 3 + .../core.tunnels.false-teredo/dpd.log | 13 +++ .../core.tunnels.false-teredo/weird.log | 6 -- .../conn.log | 14 +++ .../http.log | 9 ++ .../output | 83 ++++++++++++++++++ .../tunnel.log | 13 +++ .../weird.log | 9 ++ .../tunnels/teredo_bubble_with_payload.pcap | Bin 0 -> 15606 bytes testing/btest/core/tunnels/false-teredo.bro | 1 + .../tunnels/teredo_bubble_with_payload.test | 36 ++++++++ 14 files changed, 219 insertions(+), 26 deletions(-) create mode 100644 testing/btest/Baseline/core.tunnels.false-teredo/dpd.log create mode 100644 testing/btest/Baseline/core.tunnels.teredo_bubble_with_payload/conn.log create mode 100644 testing/btest/Baseline/core.tunnels.teredo_bubble_with_payload/http.log create mode 100644 testing/btest/Baseline/core.tunnels.teredo_bubble_with_payload/output create mode 100644 testing/btest/Baseline/core.tunnels.teredo_bubble_with_payload/tunnel.log create mode 100644 testing/btest/Baseline/core.tunnels.teredo_bubble_with_payload/weird.log create mode 100644 testing/btest/Traces/tunnels/teredo_bubble_with_payload.pcap create mode 100644 testing/btest/core/tunnels/teredo_bubble_with_payload.test diff --git a/src/Sessions.cc b/src/Sessions.cc index 330d39605d..6f42e5726b 100644 --- a/src/Sessions.cc +++ b/src/Sessions.cc 
@@ -574,6 +574,7 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr, if ( result != 0 ) { + delete inner; Remove(f); return; } @@ -774,11 +775,7 @@ int NetSessions::ParseIPPacket(int caplen, const u_char* const pkt, int proto, reporter->InternalError("Bad IP protocol version in DoNextInnerPacket"); if ( (uint32)caplen != inner->TotalLen() ) - { - delete inner; - inner = 0; return (uint32)caplen < inner->TotalLen() ? -1 : 1; - } return 0; } diff --git a/src/Sessions.h b/src/Sessions.h index 245cd4cbf6..a7d7b1272f 100644 --- a/src/Sessions.h +++ b/src/Sessions.h @@ -168,11 +168,14 @@ public: * @param proto Either IPPROTO_IPV6 or IPPROTO_IPV4 to indicate which IP * protocol \a pkt corresponds to. * @param inner The inner IP packet wrapper pointer to be allocated/assigned - * if \a pkt looks like a valid IP packet. - * @return 0 If the inner IP packet appeared valid in which case the caller - * is responsible for deallocating \a inner, else -1 if \a caplen + * if \a pkt looks like a valid IP packet or at least long enough + * to hold an IP header. + * @return 0 If the inner IP packet appeared valid, else -1 if \a caplen * is greater than the supposed IP packet's payload length field or * 1 if \a caplen is less than the supposed packet's payload length. + * In the -1 case, \a inner may still be non-null if \a caplen was + * long enough to be an IP header, and \a inner is always non-null + * for other return values. */ int ParseIPPacket(int caplen, const u_char* const pkt, int proto, IP_Hdr*& inner); diff --git a/src/Teredo.cc b/src/Teredo.cc index ac68bdbed1..54676c3255 100644 --- a/src/Teredo.cc +++ b/src/Teredo.cc 
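Review bot: On a length mismatch `ParseIPPacket` now returns with `inner` still allocated, so every caller has to free it on a non-zero result, and nothing at the `return (uint32)caplen < inner->TotalLen() ? -1 : 1;` line says so. This diff adds the matching `delete inner;` in `DoNextPacket` (first hunk of this file), in `Teredo_Analyzer::DeliverPacket` and in the AYIYA flow; any caller not touched here would leak one `IP_Hdr` per mismatching packet, and the mismatch is controlled by whoever sends the traffic. I would add a comment above the return such as `// inner is left allocated on mismatch: the caller owns it and must delete it`. In the -1 case the header also claims more bytes than `caplen` holds, so callers should limit themselves to header fields there. The function body begins outside this hunk.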
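Review bot: The `@return` text has the signs reversed relative to the implementation in Sessions.cc: `return (uint32)caplen < inner->TotalLen() ? -1 : 1;` yields -1 when `caplen` is shorter than the length the header claims and 1 when it is longer, and the Teredo caller in this commit depends on that (`rslt > 0` for trailing data, the final `else` for "Truncated Teredo"). Suggested wording: `else -1 if \a caplen is less than the supposed IP packet's total length or 1 if \a caplen is greater than it.` The hunk also drops the sentence that made the caller responsible for deallocating \a inner; since the caller now owns it for every return value where it is non-null, that responsibility should be restated in the `@param inner` text.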
@@ -78,12 +78,9 @@ bool TeredoEncapsulation::DoParse(const u_char* data, int& len, return false; } - if ( len - 40 != ntohs(((const struct ip6_hdr*)data)->ip6_plen) ) - { - Weird("Teredo_payload_len_mismatch"); - return false; - } - + // There's at least a possible IPv6 header, we'll decide what to do + // later if the payload length field doesn't match the actual length + // of the packet. inner_ip = data; return true; } @@ -160,7 +157,21 @@ void Teredo_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, IP_Hdr* inner = 0; int rslt = sessions->ParseIPPacket(len, te.InnerIP(), IPPROTO_IPV6, inner); - if ( rslt == 0 ) + if ( rslt > 0 ) + { + if ( inner->NextProto() == IPPROTO_NONE && inner->PayloadLen() == 0 ) + // Teredo bubbles having data after IPv6 header isn't strictly a + // violation, but a little weird. + Weird("Teredo_bubble_with_payload"); + else + { + delete inner; + ProtocolViolation("Teredo payload length", (const char*) data, len); + return; + } + } + + if ( rslt == 0 || rslt > 0 ) { if ( BifConst::Tunnel::yielding_teredo_decapsulation && ! ProtocolConfirmed() ) @@ -174,12 +185,20 @@ void Teredo_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, LOOP_OVER_GIVEN_CONST_CHILDREN(i, Parent()->GetChildren()) { if ( (*i)->ProtocolConfirmed() ) + { sibling_has_confirmed = true; + break; + } } } if ( ! sibling_has_confirmed ) ProtocolConfirmation(); + else + { + delete inner; + return; + } } else { @@ -188,13 +207,12 @@ void Teredo_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, } } - else if ( rslt < 0 ) - ProtocolViolation("Truncated Teredo", (const char*) data, len); - else - ProtocolViolation("Teredo payload length", (const char*) data, len); - - if ( rslt != 0 || ! ProtocolConfirmed() ) return; + { + delete inner; + ProtocolViolation("Truncated Teredo", (const char*) data, len); + return; + } Val* teredo_hdr = 0; diff --git a/src/ayiya-analyzer.pac b/src/ayiya-analyzer.pac index 89d1143ad7..7a151453c1 100644 
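Review bot: `Weird("Teredo_payload_len_mismatch")` is removed here and nothing in the visible diff raises that name again, although the commit description says it is what a bubble with trailing data now produces; the name raised later in this file is `Teredo_bubble_with_payload`. Anything keyed on the old weird name goes silent after this change (the false-teredo baselines show those events moving from weird.log to dpd.log), so the rename deserves a line in the change notes. The new comment should also say where "later" is, for example `// Length vs. ip6_plen is checked in Teredo_Analyzer::DeliverPacket() via ParseIPPacket().` `DoParse` starts outside this hunk, so the minimum-length check that precedes this point is not visible here.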
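Review bot: After this change `inner` is freed by hand on three separate early returns in `DeliverPacket` (the non-bubble branch here, the sibling-confirmed branch in the next hunk, the truncated branch in the last hunk), so any early return added later between `ParseIPPacket` and the point where `inner` is handed on (outside these hunks) leaks an `IP_Hdr` per packet. A small scoped owner that deletes on scope exit and is released at the hand-off would remove that class of bug. Separately, `if ( rslt == 0 || rslt > 0 )` reads more clearly as `if ( rslt >= 0 )`. For the bubble case, the bytes that follow the IPv6 header are accepted and, as far as this hunk shows, only the weird records them; carrying the trailing byte count with the weird would help triage. The function continues outside the hunk.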
--- a/src/ayiya-analyzer.pac +++ b/src/ayiya-analyzer.pac @@ -70,7 +70,10 @@ flow AYIYA_Flow ${pdu.packet}.length()); if ( result != 0 ) + { + delete inner; return false; + } EncapsulatingConn ec(c, BifEnum::Tunnel::AYIYA); diff --git a/testing/btest/Baseline/core.tunnels.false-teredo/dpd.log b/testing/btest/Baseline/core.tunnels.false-teredo/dpd.log new file mode 100644 index 0000000000..4949f16e62 --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.false-teredo/dpd.log @@ -0,0 +1,13 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path dpd +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto analyzer failure_reason +#types time string addr port addr port enum string string +1258567191.486869 UWkUyAuUGXf 192.168.1.105 57696 192.168.1.1 53 udp TEREDO Teredo payload length [c\x1d\x81\x80\x00\x01\x00\x02\x00\x02\x00\x00\x04amch\x0equestionmarket\x03com\x00\x00\x01\x00...] +1258578181.516140 nQcgTWjvg4c 192.168.1.104 64838 192.168.1.1 53 udp TEREDO Teredo payload length [h\xfd\x81\x80\x00\x01\x00\x02\x00\x03\x00\x02\x08football\x02uk\x07reuters\x03com\x00\x00\x01\x00...] +1258579063.784919 j4u32Pc5bif 192.168.1.104 55778 192.168.1.1 53 udp TEREDO Teredo payload length [j\x12\x81\x80\x00\x01\x00\x02\x00\x04\x00\x00\x08fastflip\x0agooglelabs\x03com\x00\x00\x01\x00...] +1258581768.898165 TEfuqmmG4bh 192.168.1.104 50798 192.168.1.1 53 udp TEREDO Teredo payload length [o\xe3\x81\x80\x00\x01\x00\x02\x00\x04\x00\x04\x03www\x0fnashuatelegraph\x03com\x00\x00\x01\x00...] +1258584478.989528 FrJExwHcSal 192.168.1.104 64963 192.168.1.1 53 udp TEREDO Teredo payload length [e\xbd\x81\x80\x00\x01\x00\x08\x00\x06\x00\x06\x08wellness\x05blogs\x04time\x03com\x00\x00\x01\x00...] +1258600683.934672 5OKnoww6xl4 192.168.1.103 59838 192.168.1.1 53 udp TEREDO Teredo payload length [h\xf0\x81\x80\x00\x01\x00\x01\x00\x02\x00\x00\x06update\x0csanasecurity\x03com\x00\x00\x01\x00...] 
diff --git a/testing/btest/Baseline/core.tunnels.false-teredo/weird.log b/testing/btest/Baseline/core.tunnels.false-teredo/weird.log index 989b7beede..0ec1d0a7cf 100644 --- a/testing/btest/Baseline/core.tunnels.false-teredo/weird.log +++ b/testing/btest/Baseline/core.tunnels.false-teredo/weird.log @@ -6,14 +6,8 @@ #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer #types time string addr port addr port string string bool string 1258567191.405770 - - - - - truncated_header_in_tunnel - F bro -1258567191.486869 UWkUyAuUGXf 192.168.1.105 57696 192.168.1.1 53 Teredo_payload_len_mismatch - F bro 1258578181.260420 - - - - - truncated_header_in_tunnel - F bro -1258578181.516140 nQcgTWjvg4c 192.168.1.104 64838 192.168.1.1 53 Teredo_payload_len_mismatch - F bro 1258579063.557927 - - - - - truncated_header_in_tunnel - F bro -1258579063.784919 j4u32Pc5bif 192.168.1.104 55778 192.168.1.1 53 Teredo_payload_len_mismatch - F bro 1258581768.568451 - - - - - truncated_header_in_tunnel - F bro -1258581768.898165 TEfuqmmG4bh 192.168.1.104 50798 192.168.1.1 53 Teredo_payload_len_mismatch - F bro 1258584478.859853 - - - - - truncated_header_in_tunnel - F bro -1258584478.989528 FrJExwHcSal 192.168.1.104 64963 192.168.1.1 53 Teredo_payload_len_mismatch - F bro 1258600683.934458 - - - - - truncated_header_in_tunnel - F bro -1258600683.934672 5OKnoww6xl4 192.168.1.103 59838 192.168.1.1 53 Teredo_payload_len_mismatch - F bro diff --git a/testing/btest/Baseline/core.tunnels.teredo_bubble_with_payload/conn.log b/testing/btest/Baseline/core.tunnels.teredo_bubble_with_payload/conn.log new file mode 100644 index 0000000000..6ceb4efcb3 --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.teredo_bubble_with_payload/conn.log 
@@ -0,0 +1,14 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path conn +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents +#types time string addr port addr port enum string interval count count string bool count string count count count count table[string] +1340127577.354166 FrJExwHcSal 2001:0:4137:9e50:8000:f12a:b9c8:2815 1286 2001:4860:0:2001::68 80 tcp http 0.052829 1675 10467 S1 - 0 ShADad 10 2279 12 11191 j4u32Pc5bif +1340127577.336558 UWkUyAuUGXf 192.168.2.16 3797 65.55.158.80 3544 udp teredo 0.010291 129 52 SF - 0 Dd 2 185 1 80 (empty) +1340127577.341510 j4u32Pc5bif 192.168.2.16 3797 83.170.1.38 32900 udp teredo 0.065485 2367 11243 SF - 0 Dd 12 2703 13 11607 (empty) +1340127577.339015 k6kgXLOoSKl 192.168.2.16 3797 65.55.158.81 3544 udp teredo - - - SHR - 0 d 0 0 1 137 (empty) +1340127577.339015 nQcgTWjvg4c fe80::8000:f227:bec8:61af 134 fe80::8000:ffff:ffff:fffd 133 icmp - - - - OTH - 0 - 1 88 0 0 k6kgXLOoSKl +1340127577.343969 TEfuqmmG4bh 2001:0:4137:9e50:8000:f12a:b9c8:2815 128 2001:4860:0:2001::68 129 icmp - 0.007778 4 4 OTH - 0 - 1 52 1 52 UWkUyAuUGXf,j4u32Pc5bif +1340127577.336558 arKYeMETxOg fe80::8000:ffff:ffff:fffd 133 ff02::2 134 icmp - - - - OTH - 0 - 1 64 0 0 UWkUyAuUGXf diff --git a/testing/btest/Baseline/core.tunnels.teredo_bubble_with_payload/http.log b/testing/btest/Baseline/core.tunnels.teredo_bubble_with_payload/http.log new file mode 100644 index 0000000000..869476d7db --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.teredo_bubble_with_payload/http.log 
@@ -0,0 +1,9 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path http +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file +#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string file +1340127577.361683 FrJExwHcSal 2001:0:4137:9e50:8000:f12a:b9c8:2815 1286 2001:4860:0:2001::68 80 1 GET ipv6.google.com / - Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5 0 6640 200 OK - - - (empty) - - - text/html - - +1340127577.379360 FrJExwHcSal 2001:0:4137:9e50:8000:f12a:b9c8:2815 1286 2001:4860:0:2001::68 80 2 GET ipv6.google.com /search?hl=en&q=Wireshark+!&btnG=Google+Search http://ipv6.google.com/ Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5 0 25119 200 OK - - - (empty) - - - text/html - - diff --git a/testing/btest/Baseline/core.tunnels.teredo_bubble_with_payload/output b/testing/btest/Baseline/core.tunnels.teredo_bubble_with_payload/output new file mode 100644 index 0000000000..02d5a41e74 --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.teredo_bubble_with_payload/output 
@@ -0,0 +1,83 @@ +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=65.55.158.80, resp_p=3544/udp] + ip6: [class=0, flow=0, len=24, nxt=58, hlim=255, src=fe80::8000:ffff:ffff:fffd, dst=ff02::2, exts=[]] + auth: [id=, value=, nonce=14796129349558001544, confirm=0] +auth: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=65.55.158.80, resp_p=3544/udp] + ip6: [class=0, flow=0, len=24, nxt=58, hlim=255, src=fe80::8000:ffff:ffff:fffd, dst=ff02::2, exts=[]] + auth: [id=, value=, nonce=14796129349558001544, confirm=0] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=65.55.158.81, resp_p=3544/udp] + ip6: [class=0, flow=0, len=48, nxt=58, hlim=255, src=fe80::8000:f227:bec8:61af, dst=fe80::8000:ffff:ffff:fffd, exts=[]] + auth: [id=, value=, nonce=14796129349558001544, confirm=0] + origin: [p=3797/udp, a=70.55.215.234] +auth: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=65.55.158.81, resp_p=3544/udp] + ip6: [class=0, flow=0, len=48, nxt=58, hlim=255, src=fe80::8000:f227:bec8:61af, dst=fe80::8000:ffff:ffff:fffd, exts=[]] + auth: [id=, value=, nonce=14796129349558001544, confirm=0] + origin: [p=3797/udp, a=70.55.215.234] +origin: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=65.55.158.81, resp_p=3544/udp] + ip6: [class=0, flow=0, len=48, nxt=58, hlim=255, src=fe80::8000:f227:bec8:61af, dst=fe80::8000:ffff:ffff:fffd, exts=[]] + auth: [id=, value=, nonce=14796129349558001544, confirm=0] + origin: [p=3797/udp, a=70.55.215.234] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=0, nxt=59, hlim=21, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=2001:4860:0:2001::68, exts=[]] +bubble: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=0, nxt=59, hlim=21, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=2001:4860:0:2001::68, exts=[]] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=65.55.158.80, resp_p=3544/udp] + ip6: [class=0, flow=0, len=12, nxt=58, 
hlim=21, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=2001:4860:0:2001::68, exts=[]] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=65.55.158.80, resp_p=3544/udp] + ip6: [class=0, flow=0, len=0, nxt=59, hlim=0, src=fe80::708d:fe83:4114:a512, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]] + origin: [p=32900/udp, a=83.170.1.38] +origin: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=65.55.158.80, resp_p=3544/udp] + ip6: [class=0, flow=0, len=0, nxt=59, hlim=0, src=fe80::708d:fe83:4114:a512, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]] + origin: [p=32900/udp, a=83.170.1.38] +bubble: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=65.55.158.80, resp_p=3544/udp] + ip6: [class=0, flow=0, len=0, nxt=59, hlim=0, src=fe80::708d:fe83:4114:a512, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]] + origin: [p=32900/udp, a=83.170.1.38] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=0, nxt=59, hlim=0, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=fe80::708d:fe83:4114:a512, exts=[]] +bubble: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=0, nxt=59, hlim=0, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=fe80::708d:fe83:4114:a512, exts=[]] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=12, nxt=58, hlim=58, src=2001:4860:0:2001::68, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=24, nxt=6, hlim=128, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=2001:4860:0:2001::68, exts=[]] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=24, nxt=6, hlim=245, src=2001:4860:0:2001::68, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, 
resp_p=32900/udp] + ip6: [class=0, flow=0, len=20, nxt=6, hlim=128, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=2001:4860:0:2001::68, exts=[]] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=817, nxt=6, hlim=128, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=2001:4860:0:2001::68, exts=[]] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=20, nxt=6, hlim=58, src=2001:4860:0:2001::68, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=1232, nxt=6, hlim=58, src=2001:4860:0:2001::68, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=1232, nxt=6, hlim=58, src=2001:4860:0:2001::68, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=20, nxt=6, hlim=128, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=2001:4860:0:2001::68, exts=[]] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=514, nxt=6, hlim=58, src=2001:4860:0:2001::68, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=20, nxt=6, hlim=128, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=2001:4860:0:2001::68, exts=[]] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=898, nxt=6, hlim=128, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=2001:4860:0:2001::68, exts=[]] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=1232, nxt=6, hlim=58, 
src=2001:4860:0:2001::68, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=1232, nxt=6, hlim=58, src=2001:4860:0:2001::68, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=20, nxt=6, hlim=128, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=2001:4860:0:2001::68, exts=[]] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=812, nxt=6, hlim=58, src=2001:4860:0:2001::68, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=20, nxt=6, hlim=128, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=2001:4860:0:2001::68, exts=[]] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=1232, nxt=6, hlim=58, src=2001:4860:0:2001::68, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=1232, nxt=6, hlim=58, src=2001:4860:0:2001::68, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=20, nxt=6, hlim=128, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=2001:4860:0:2001::68, exts=[]] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=1232, nxt=6, hlim=58, src=2001:4860:0:2001::68, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=717, nxt=6, hlim=58, src=2001:4860:0:2001::68, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]] 
+packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=20, nxt=6, hlim=128, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=2001:4860:0:2001::68, exts=[]] diff --git a/testing/btest/Baseline/core.tunnels.teredo_bubble_with_payload/tunnel.log b/testing/btest/Baseline/core.tunnels.teredo_bubble_with_payload/tunnel.log new file mode 100644 index 0000000000..3f47321245 --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.teredo_bubble_with_payload/tunnel.log @@ -0,0 +1,13 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path tunnel +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p action tunnel_type +#types time string addr port addr port enum enum +1340127577.336558 UWkUyAuUGXf 192.168.2.16 3797 65.55.158.80 3544 Tunnel::DISCOVER Tunnel::TEREDO +1340127577.339015 k6kgXLOoSKl 192.168.2.16 3797 65.55.158.81 3544 Tunnel::DISCOVER Tunnel::TEREDO +1340127577.351747 j4u32Pc5bif 192.168.2.16 3797 83.170.1.38 32900 Tunnel::DISCOVER Tunnel::TEREDO +1340127577.406995 UWkUyAuUGXf 192.168.2.16 3797 65.55.158.80 3544 Tunnel::CLOSE Tunnel::TEREDO +1340127577.406995 j4u32Pc5bif 192.168.2.16 3797 83.170.1.38 32900 Tunnel::CLOSE Tunnel::TEREDO +1340127577.406995 k6kgXLOoSKl 192.168.2.16 3797 65.55.158.81 3544 Tunnel::CLOSE Tunnel::TEREDO diff --git a/testing/btest/Baseline/core.tunnels.teredo_bubble_with_payload/weird.log b/testing/btest/Baseline/core.tunnels.teredo_bubble_with_payload/weird.log new file mode 100644 index 0000000000..e01fa49d45 --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.teredo_bubble_with_payload/weird.log 
@@ -0,0 +1,9 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path weird +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer +#types time string addr port addr port string string bool string +1340127577.346849 UWkUyAuUGXf 192.168.2.16 3797 65.55.158.80 3544 Teredo_bubble_with_payload - F bro +1340127577.349292 j4u32Pc5bif 192.168.2.16 3797 83.170.1.38 32900 Teredo_bubble_with_payload - F bro 
diff --git a/testing/btest/Traces/tunnels/teredo_bubble_with_payload.pcap b/testing/btest/Traces/tunnels/teredo_bubble_with_payload.pcap new file mode 100644 index 0000000000000000000000000000000000000000..5036a52b5671fc6b284c2f7037cd9f59527b5645 GIT binary patch literal 15606 zcmeHu1yEee*6yGIf;$1iAR$0-9o*gBbr@i9861L#K!5-Nf&~i%2(Ez;+&xHw6I?=Y zhX9Y^-2CsH+*jwnw{E>x^{W0|)w}lY-MhclYj=OF_0colUYU&uKnDCeZf*bogxeea z`UTZe8We!%?KQjrC=F(Z_W{Ji;^{y%fHVLA4Q~ek0`YKzS_%+x#rZPSu)knU0<`tL z;ja(sK*jFUe0vTsgTG2DaC039zqow?a05TCZV>;t|Hm0I3{Xf3zee~+eIQ_;slJDS z2yTWfGYa7K?K61!!+<}GxicezzZ?K?#&dMLH9;M23f3g{7l6AOAxB7Ah|aK5RDP1JmkK#%<;FciS;-){zQ4G<*y)#I;$0}l}R@B2Jix|NB^fjm=)`Z#_77=RwiGda!c; z7s~Iw{*L+!1Cp`g;{TY21~%bMX+UDH3k zL;eIuuJJ(uSlxC5FaI=Vz3^{$V`llwn57QT&ETyG|K%~u-lBV|;Y!FoIRAsK#zIj5 zAxMC`@;fS$d-wtzH5up6s7U5p!)CXjNF4trDyf8Ay(s`7E3E}&1IlS>sj+dea$sS| zIk~|EfKX=-URG--Cu@5ME7-{a3q#ut;>sd!4RO4EsO;newYN8C<6&h7GU!4bEuB2w z1cBOuz<*o=RkVOStQ>+sh$D-(rXbMOLx6*o--3q`C<_7GIk9oFvxC^VIC(kQfih56 zh?SEU8y73P1rHX6I2a6ZzD0mRykKlLFb8{Pb7yCJDA*hZb#i3$g4aCp`n}e{UeHCD zot2-NiH+&*3iPWZ7A12>Yj<;NhydIacQ^YW=n{b zy*Ui>U++uWn7g_`ZVi&xRAm8yc=%a3nB8GkETFq?_?Z8|{u9*PL7TcFx+ebpdI|7Is75K-pLMn+el4AT1Hr2N|=wA2gJt?w&1a{;$r7A=MvCT z7Utk&=jY^N=ip`+Q2NIm4-Xd)NI>@XPC!!_CL;^h)>gDM(9*J(v9Si-dKlsWaj<~6 zIzWVBuI>;)pyqAYQtIO3;&R~Ila#lEqZKEguBN4f3rI(iPYR}PCnc%x>8!=;EiK0Z z208PBU0tEBTB=-fZh9)5DyGh=U|kk15T`v@#oNPPTh3Y!s-xy+pzkWjtL12`?rJS5 zt*T_Jt*I*MYOf??!z0fwVJT}1b@K9YuyeE4b#=9ZDC@9z^I3RtXmKd1Nh(XJ>ay$F zd9v%txag`nE8E*iNXofc!Z>xnZZ_uZww&xb&hqA-yx!J=K$TnDIoO45mGyO1?3{eu z?8UjY%{AOXKHf5#O45#QAgHd654Wu4ty`_^Tyz|GEM+v=W!QaSV33WJy^4Z{y}gC0 zE<_)~uj|EY4$^nxQ+9Nf@p17q0Q*?$>F_{UG-NC!U0oIUEv>Y9tljwdl}tUjBs4AE zA@bIys;XAD&YECN8!QYg3^);R#Qcc}ey1Qk+K4*}3jGTONgb%dm*g!G{I^v54+`@1 z^L4aT!zE`B`S}MCu{uD8q5 z)9ruvqy%xahS>-JIr+Hw;h%@<1sdGV0K}UbeFx99I{fRVW{F39CVtTfGu}lUL%a@S zgD0zNjtx%vd>>>30bc^y(F9GpZ?0nKoSij2`KTO+<%2tHGE!u@-r~LK5K?~kDtW<7 zKpwrDVNGcFmA5oW=~`9PtEkg+rpFK7%a(TavV7=}xOdLMs?auPDq?gpT)i2pnGw7B 
zq$?*>iJ2!g!4D-sh`1Q@A?aif7MDqQRteQo0(}t&D}zcDzBQzo4h4&E@G|~dzDrWD znTSh7QIA7}G+IT)F91B0hCcHQj|~s!D?c`3sx;V8saRMCId>yOFZeJ%DlI%Z#qt`I zJv9)kdfz}pC79CRyQ9LoKy*2oMNS<@As&}1H;o#r#{hS<8$G(R0tYj$EshIeUq6T+ zG6e#Yx$GPZBCs4Hmvx!6{Y)Vsc+lx5BsA#shTS~*B>}#xY*w2ye+(2ic3{6;^aX|v zq_vI-e=dhiwRm_khcQMDx{7k2Df51FsJT^!v~fbkQ*qbedQG>nb!MtebeX)Xtw&g1 zLJy+?SBS+#ty?0>KZyzn_c_HiLf!T!icn>@wXvXs0{gCGG-}E(PZ$L&?I45}?D_${ zipo^QIz9{L4Yfe@A1%T5*fcmKTf_}mo08NfZnP#*;cc}&FR;#dq!5g`gXogU1F0V= z+5}?%%x{H)oOh7EIKrk~uYBx~y?Wy#31n?ZA39)BPM$1Uy@+3;$(cGMU1-(&=;&}N zPWmjSa%moMU8G4`kJ0UO>qbXez+!fIFSNfU$jr;GJ<~rGWkpBN9LWNuaDqPnr*E zt)dn>C-56h@{qSep-%MnDw_8@ns&S@Q}o^&sVFpO@n^EOKB(oU)z_Fi{;~Q+?-J~I zcv=?F(DZZJRPtcVX)53IB+P2Sm7T>!%_F~Qx}LH~|Zkd*9bb52+)UY$M8rf;^ ze2!Ajn$=kYFZ@{xl@4-|=&9uf)vzGnT>a&K^P9AQ`Kxx$+Meu1_lZ98IV5*V@d=7a zFB`;yZ!o?g-lzDKl5(MQJiJ?<-Iv{zk(+qGTH@Ma^GY+ihh!vui^N+gBkybN;`2Tt zLbaz2r5cu7^tAGGB<T4iA?=in-sVPBMTy!~8*&-Y%V<8hG`6^TtC54ZGR!MrOj z0^fRq9(~kV1BI}B*`G6RKS7lG`0gcFCLKxQx_Gd#JW95zoTsvp?FCADdalkp(I*(6 z@QWh9=!D1DS$QXB+Ho@jF!a1!j-QC(X~wWwrg-oehLH8xZb)Ql)wd+4Gx(8M3`K}! 
z%qR1+0yZe^10xR8En5$h=@C|f<*5&{v!HDshu_4+?nnr2kmZnF%o-0r)SCeb&8Q!r zgFVLl0Ww?#8$W{sWpaiw3+IjqjFN%{gM`L;3FBK;3q;-gy}Gkr8U!ok_&Od{Oei{i zv@6GIqZtv_{K`)I11l3ZcE~QeBPWMOJ>#EtkGcC4dC`@XysRddL zghl$K68Yyc6mwXPT;43gn~uCv2x;G)p>1p<^59qwq3;3}mvr->8Un#=QcnRIp+%Rf z&F{wdA}ijv5h&L5?j1_d;Hpsc^4COR7$K zt85S4uj@4`GGJG@sU(h}UgRPFc7khuC@ zUHJlTm`q;uce}Cm37PeGimbAz)m?2 z$L5hroVkSRC z+6RxgyqA4F&Uc50zZr{=r(Zp#l$nR_30w;MU9E3!L%F?(?m@iR+kuA<~ z@h?SYe|SS1JIP>taK;RI|EI|IcWF#7eDN;Dee&mI6Yy`RxQ>>z`A)m=6c_t8#)PBZ zuSNlA-6~}8@_S^9C_@_s=V`@Pf97dK&K);1c$kOyuST{`yLUWIO3v_e3IG@$S4(R$ z&b~Oei)_kX$AWnhiISKaL3QG~G*j7BrVpl%gzZrg)ob>*v2>|uf-LI7>DAVaK$4x$ z9;rW^l}&vgxbCKVvL-zFRHMZlbDIL6CI8X%z-au~NebCW`FzLX7?;**a!640_-lrV zXB&Yt7uxhOo-W#!pDDVLjjXUp!;J)UQf?CpDiy&L-L+VdP%K+QG7S#IUf)bltm@Me z2D?h^*@K<;sxReCTC+*HIT@S6T*=VqPDWA;IAv)b%`Pu@xf2;~_-{WS&4%_(5hrz5 z>0*==e@ZxzarL}y)HM{#V5t_1<)*b74( z>0N|%ZzYx6oZ8jy$sz+Q4AW0&Hx* ziE3>BqXzx|rv^!n|815LeV1i){Q0lfzpu-<%=!7cjH=;MTj5CkU(jVVA+TFj=MNcD zQ&U)-U08?H-rGP=#YtaJ!Bt*TS`g@L4zm$v`-52iRE!0-vt^|5_A|&If3QB zNtqiP9Kr*NVaXwfQcmm#e0zd!@4U2g)_#&M;9URlbi~b+u9X>IUMN!<`SMU-0$C;w z7y5FR1h(jvj@~AvTC5S=N8XLQB7U^WPVS92l->OO5zFU9H;wS1b^%Yv1I)bs2+B3(|7Seul zkMz&1bbcQSbeUis_KQCj6Yhely!(Q}pf={ZT%&r(-BrX0;eaT7di)*zN7o*Zy(HJw z*V`LCc#@0br%qdM#|)q^4?3sIzWV3{*%-GD(bJW9$C21<1ck&?)fy$~B#eYa(r-1` zh@82TY#-rpx^vz*c|Z7kO!KDgG^C;t+*4{(FGuwm_c}8lhrE9-e%Y1Ui!)Kx^`R!! zn;14>HQdDDh0Ry_rW1r>RMUw-g6$L09 zXlVatfjL*{k|wYWlb`fHu)>G`O6Fa=I1{fzf!DZdQs}d|?nvxTQG8 zfbPVY)V}-Y%rKW)Y>SvqZu+2d+GsCs1*-RxM=K$la;Wq$T7suCXkPrd2)kjT=+90Z zHA4E<#G*~}DO|%{c{^D#8IddU!tjviznYU{qgtnxkPKcONrdD@!!UwdzA|{A{V>+= zWw!${ar99MxpJh81F(Y%D4#hA_xT+F)iGPZaj)$A4N{^B_S_|2C0HYJW%F|@ei5#6 zZwenY7p3pWCtU=Yv|EP9PwanG2}p5IiPw9@A^!uV7x~zEww(iOim=!=r#vRILD__F zZGNt{t{6`~)*azX7D%fvTIfS2s&w~~f==vs=?LdImrUI}fd_lno>=WvhN@78IYj$Q z{KGt=e7x{_?qKxR!UrKyc3^rnh6*UecYC;Wf^=CwcsZUs#m?KPtk_MiPzI(IAIH>K zj9wmMrd27*pn4)#BBZsi{>4Qkb~Ucs^Yae5v`2-htj1vqX!_EzH9;w$GdDLQ0_p^s z{J^XAv~f1^O0HC{AxZu5hn^*mOnMNVcjjVerUukLkNF3%%a=?ZeLnH}5h!jXsI)v? 
zX8aUl8rs$MegC@y*E>&i($85;^NRWf%q)g`=k*`4GN>4hw`EKiwRgR>p*G)oYdN;y z@&1GPzh%srJH~AP&luAq?btl)FZ(_33 zFK5Sod_Z`8`J_Ja)iF5Fs$St9D0|;Fk}DF-)y=#s9*~a!`}iJ;sof76ys{cD&t$&J z2bB~WN%#+6_z;}8GoNy%MxNu_rn8l(Ie^|A&uw{Xwl`8eSEcG=GksIG@ugpNmr8{5 zW>pmPaOYT5v~79O61Lw)q0&VHJ_{4wTiIsQ3}FX@Z`2+PB(%rT9vZ8ojn3xAIUWVw1m=2trp5T`_Cc|J9wb{Kn8hXtlrg|;(cePZus{}J_^ z1}tZZGKEJ^!f4%CF=P0ZTRlTl^E2~whI{7jWT(MM8DS>=jBSno4iUPM0Yb4Z|G>n@ z06%2dSHy0V3Mc^6Lb>9)>h0UB)sOBo^`1>X^W85`yPJ;(OV(Rpf_B1bwfENy;>&%_ zmKl-Rn>X!$*fK=UkjB$&6jx{yXAu~ayEgIy5g?2Ycxx^91)omHQLRvF)e#h=MO#Pg zk)fhm0d9=Bf=sQRmXHSV9$koAPJZGl)Z{P^S2;VAD~WwR!4Vgq_C>JSK`tZc^&3#L zzJJ%^z4X{xYD0$5>S!veC$%J5qZL8}LipbZSt+8@UrFKnNC?<1srC0~Eys=OT|$x; z6Dbl)YI&=>WHX32Ys5n^jS%ja&0k@cKF`~68s8b^Kt+|y@>m=|eNllF#VEeUAM56E z2645^10l&$0RhA+nr%NbX&zjvVG)PThWjT|kN7*(?mm0f(pg^V60ff#I=E~+${KUWAZ77n?TaK_iZXg+~Is z0(O~i#bVaP0oJ>wD-mxG4ADj3r@(m0b0`fzuIp}+e2_=!p?Kr@qlZ6&*MmPohDoL* zNlCSC)?Q#c21{7?bXwoEnKRa(sy=%fCg3`TeuGQ*!Etwpbo0gNjh9FW3ZnQAORFL4 zsD`~K%faJ9;zG!2hoa8~w;C3tL{i^Aen7g3%JfZJ>2ejrnD=S_vOHsbjD^i$iLdpg zOpfm;6TbCij#P7%jri%+XZ*>q15Py}6?E)r4MQpJ-GOh6hE*ch{a*O#yq|k6-cxciAiRzpBglYTxlRDYe!0ZKRydkx6ujd@)jND)-G< z5Wwz#Cot*GN3Qo#_SDiM4$nDg;P%3#t0!>KiAkbBc`Ssy9$o2<`SA5&11iNM5Qef3 z+F&%dJ7)6i3olG!TW5t4^}vG=p4@0kB*rWyN22esw>7an)N-PBVA(Lt7#o3ba+eu} zmxyZ*F*B-9jrGb0S|zV8Cr0{XDwe_+jH1bb#QSl|u3l(I&0hOtm{c$FW!{E^C;1jJ zojE33DeaRoIBp8Hgu4tCgwvNFxon9n7nISiTlu9>z1BMoFE}H0X?^)#WD?3J(Arw> z2EKkjn@F{4_R@B;9?aix9jeXx26Go+~a;35biHn!PGgw>xjWuJA zs~Kengw!>Mu%m|9UFe1qCLyEwI(k)Oq$;&8-mD$S_$?ra?>B69iUX40uKZz=6ge|Ig3I0`=isEv z?<_=(5Trd6BDo?Crt(y%na{T#e{H^5M9NFY8Sw$<`aa-xXW<{a4gf#@mIJo$IDqOu z=YXdUYPh28zc@hsb}!c7>^g|Oi`82H%mM#?cKg)fSFAQ10suhxZ~v1&U<7qr`iOt^ z#K)~@M}v>v3TvQ2KC$(O;-mzcDZ?@fxqZJ^YfD)G%M_|oPv}Z~3SSXN(zvaArpR18 z0Wm8ci}!5s1!N|jHQjKvmfLBAYjFQXgLg&eoJwu{S)1kK#;=+di?}7y(7K4XMOmai zpVpO`)VdoW>a7WN=HpD|m1fPm8PYk$TiIdHGR;&h_BP9D7A^eUMh1lS%q+b|Z22_` zbXz_;x5n@wv&1Y4*(#d}v5V55e@=9`m$o;Fom5N}OO4#}CRc3mvtp777zLdxkj!U` 
zKE>KekM|6fTgCC=6m$I>u?^L_etJ&Eiv(IEY=t4yxGbrtc7d=aQcYPS?QDj~^>Q9$-mb-~6~XXI_%u9VT+31{CWa6VkC+_;h>vdz zrAIHYWfEyE$QK;le$+OuK^%EF&cyqKiHDVSym68TMZ z$39n{;tgy`nC{X=n=H{~JOi#xeARN&$y93eb=6B3-S*2Nf-&V`s?{e-P=ewwoUcJ%~qLpniDP%|z zz{f}lt3DUj{gR+k)s6Se!0W@3hz`f#)X$ZQ=Z~9POFfg94AYlK5HH5Gt z>xvPPlcV8dlh@}w@_u$aET66F5^SO3hR9@S| zHTGri8288Xj4vLv@7t`cu@|8~o__9DCmP5^CCMf}z1xx#i)@vIh8cBsu`0gNQPj-R zL|H_f{xh4lK?F77gT357;9D&2WS%loE7x4E^TNB(3?+vUBW>s2b39kgd9-I%qhrK$ z8FC%5L>4`WqY-Y&;uCym0vNk5f>9z9;&NJ%+4)5lmYvoM~{@(8V!V zp9cc(n=4AcEOUxvp*xt8VoFh_n;O{8*nS>d(D$t|IGxRPY~XnS)GxpRBOo)6<46G( zV14i%im<076ce@+* zDs>M>PCqRD#Lw{>KP5tniww2#Yr8{nq~t}F-@Q*6CZ#)@K?wQ+T;B1|NmE%Tdm`VT zTL!+>PTed!zMjdJBL5!vF32n`n`Ztd`*viBA3n0dmSj%Jy-G|M-J zxlm*{GJU=QC0J^Pr^B-cLkN6s6!Pi`yoO%*Am;57HYoRLf$ z$7@#=w~xlcdq>jk-Zdf5`{s$-lUHg*d`+_J5tHEz+L+Fw?PVI5f%+NcPjy|qRMR3) z+)AgrE#xb0!#3NZ4~z1SdP?6F71l!r>vy%DB_AM1WeORv9!_jGn9u&01roE z(8Iz)#prW4wJ37=8B)v^`QA$+4F^Y=Bw2<#vo6>i7$D_IQ-b*9LcF%{dN+_p{72m^ z4`b^kEf5Co2UlQ{@qXqb$zgV8SF)jiVo0drBn$fmMs_A8?o}SucunQ96-4W2gH^ZI zz4YxD`sEG2OVVwdxg}P7R=(e84^96HGU_Sn`XO(l%h!1Qk)(=0+O$}w$Y)|o?A>gm zTWZuC)upNY=u*b6g-z0-{ulAvgNdO6JMoy#6oig;ytlYVv=i6zIUXp-x?7g0~gbQN(( z$eY#sr{eiLqIY-ordQb$u5mFb^}!RGv#ySBJ@b#-wCoJQd7MuCpk>14uRYO&J`H>t zB#?9m^ZJ1WTb(UqoM-cg^=x6;o~Sp{?67CyIAYL`Mi_mRL)L)|Ri+p3GaNlLG%u!!4C z=islH>R%R8Njgqk%aAfx#QSr1I+mx!=0)ST07a5(MX?TPCSEi13i+$B>X4S+K z;`pfaDxJ=~S;)h+&zrFB4L(O}ecC&N97)=(k9usY9*=Tju#h*wRh(y46_tvBeVpNM zf^C|D(>l@mtRD>S%6n49$hPx-8coryot)po|1)HX_XppFU~P_b-sYPQB7uu^L&vcR zOZDB0?-K_Fr_XM*aZ!J&Oei^30hYr_A5!=OouW1m9H@K3j83gD|!{!;t+BBUyOLTLgg zwK_p%e7-@t+~`lR4b(6%B*36}jJ*KDpbuNzqYbZo9~`*Lh?Iu>b6Y*nWO`5`A5t80~&^F)>+9~iew z(>t#wN1B9QUM}u6qXoc}Y*3M5nt0mhx9=UPq37+JfZHRmvG~e#!+Ea8Q#4&_6b&kJFGdS3c zIZi9m=sk|2>nthwBxTDP>buu=a%uPd__6GF!ML9R{#e0zqtC1C6D+10XbUEt4r);1 z(i!%68KwzmcTt++`J^5_p4`0eCif8ujR8#!vcLl*Kwu7hCb4%{W|!S+V=hD$~slq}es)z|ydsV*@rg)HeD9@pTf<4$s} z;L*+XTHRdGYtZuRoEa3vpKaVP(*4zW`r8P7Xp`Su3+DDw4FOj#2CBEMw;Ina1neVZ 
z_!8CWzxp*0FI%ZmU{$^~a5^wzR^d_kkm>oQgfO4EZ1$C-a;t*28Fq~gwkXkulY-nH z2{k@ydE9J@P@{U%1@wYv1s2K)0Y>jdOhf7Yq?0~nX+&q`v7V>WJ)R#dnb-U3#-LS4 zjK;`l9k*rq!$@GDa=xad-<;uwnpB{&*}IB$+c_Sr9afeQ=`*4aLABH!h|pZ?)_zxA zIy~N_v6IR)W1TCZ+-#A3!D)JVV83OI_mrA&JM6gxcj7+RnI@>X`Fk&9X9vpMRPA=C zlj`)GJRp9RbR^1pnl(S4S2A<1qUO8Vo_$*T6ij?S|B+X1paRo*J<`XApqrNkZ6w>X zvehWg3(C0EyPjmztYY_rDPx#@czY7Wq=SAWwL0LYK489@r^#%iRa_j2K7(y)BKLp9 z6LDG0cx{m(@YwgDREbm!itdRx90+cx9RN6P4NxFxVu9Hw-6xuyva0pf1lF zb@G+HZX-&2sgd2BoiqIn#Y>M#XAC08BAr8jr~w(PPL%MF5t+lhbAILr4l44~8w6dE z=*RLW00zUiKvoZOZ6oh=k$}P@PF3=}S#N#Fl49|Br-7pm>>-tGyN9~zL~cf=Xamko zUKFHUwt)8v>dT$t+OoV_fJ`^ZDqMylhIoWB++%K2xyzaiAb*(=y%)8ot)Y+J*Dj{r zqe?EuH9VqZLwE0SCFD%eWRni*$K?wXIAaz(K?P9VYJu?bPkJC8?W;RI@Gn{b;?<8i zxE_c&_^;}LQQ5!rz#S+6fQ81?(IhjBg)%7WH}tq8x=1@r5z5nUN8w@V=To^3c8;?Y z^;o&+NlhBmZ+PY_1L3x>pWF1|BsU~b-c5N05|;mxhNS-4&7#(kUNd7ARu#f@s@?7V zlvB-!0JsoD=^yC#lj_z!xW>ZCefwLdPj8H!g4qe5?Vdh)5O2&%^VFQ!xYoY6bRgc_ zNlZPB8jR9>vNa*;o6GVP_F|wTRP4Ji!}g-s#ixTHX$*Sz1!R{W+}O`$@$Fk8)jKkb zlD!Z$Tv9*8AjECbDGXIpx;8qQn=&Y2uRcwLveeTj3ci{%lo9McR2LH#;_U?YC1$rw zM$Bs(Aa})rf@D%dLLcAn`e1BCDKM&`+@^Jvo!?eHF?#Z&+R)wR!;k8j+w*p{pu3Id zkLrfo^LDkbyUpp3>MMb2f5Gjil+*r#4gimr&tEfc^~s}h8s$i{FQIEcKKVklvcxLZ z*I`Qf#5~e*K?Z&ACtgOzI^ARQ0_ySUZL!hnWnOcFRL}0^LsSi$=#0NJ62rcAU z7FcHMW@-q$SY0B;zzn_pMfMraEsk0UO2_9T7ZhUgBR-~1=kI%HGy^_2=;Usxbt;S78H;iIQ?EY+yD^@>4QuxA!W#1bJgj+X N01s=nZhrvuzW|OvoBRL( literal 0 HcmV?d00001 diff --git a/testing/btest/core/tunnels/false-teredo.bro b/testing/btest/core/tunnels/false-teredo.bro index ebb428f65a..37088e9535 100644 --- a/testing/btest/core/tunnels/false-teredo.bro +++ b/testing/btest/core/tunnels/false-teredo.bro @@ -2,6 +2,7 @@ # @TEST-EXEC: test ! -e weird.log # @TEST-EXEC: bro -r $TRACES/tunnels/false-teredo.pcap %INPUT Tunnel::yielding_teredo_decapsulation=F >output # @TEST-EXEC: btest-diff weird.log +# @TEST-EXEC: btest-diff dpd.log function print_teredo(name: string, outer: connection, inner: teredo_hdr) { 
diff --git a/testing/btest/core/tunnels/teredo_bubble_with_payload.test b/testing/btest/core/tunnels/teredo_bubble_with_payload.test new file mode 100644 index 0000000000..f45d8ca585 --- /dev/null +++ b/testing/btest/core/tunnels/teredo_bubble_with_payload.test @@ -0,0 +1,36 @@ +# @TEST-EXEC: bro -r $TRACES/tunnels/teredo_bubble_with_payload.pcap %INPUT >output +# @TEST-EXEC: btest-diff output +# @TEST-EXEC: btest-diff tunnel.log +# @TEST-EXEC: btest-diff conn.log +# @TEST-EXEC: btest-diff http.log +# @TEST-EXEC: btest-diff weird.log + +function print_teredo(name: string, outer: connection, inner: teredo_hdr) + { + print fmt("%s: %s", name, outer$id); + print fmt(" ip6: %s", inner$hdr$ip6); + if ( inner?$auth ) + print fmt(" auth: %s", inner$auth); + if ( inner?$origin ) + print fmt(" origin: %s", inner$origin); + } + +event teredo_packet(outer: connection, inner: teredo_hdr) + { + print_teredo("packet", outer, inner); + } + +event teredo_authentication(outer: connection, inner: teredo_hdr) + { + print_teredo("auth", outer, inner); + } + +event teredo_origin_indication(outer: connection, inner: teredo_hdr) + { + print_teredo("origin", outer, inner); + } + +event teredo_bubble(outer: connection, inner: teredo_hdr) + { + print_teredo("bubble", outer, inner); + }