Btests: don't use -C in Zeek invocations that don't actually need it

2025-10-02 06:38:20 +00:00 · 2025-06-06 13:39:31 -07:00 · 2025-06-06 13:39:31 -07:00 · 8b39e59572
commit 8b39e59572
parent e3cecdf04d
91 changed files with 96 additions and 96 deletions
--- a/testing/btest/core/erspan.zeek
+++ b/testing/btest/core/erspan.zeek
@ -1,4 +1,4 @@
-# @TEST-EXEC: zeek -C -b -r $TRACES/erspan.trace %INPUT 
+# @TEST-EXEC: zeek -b -r $TRACES/erspan.trace %INPUT
 # @TEST-EXEC: btest-diff tunnel.log

@load base/frameworks/tunnels
--- a/testing/btest/core/erspanI.zeek
+++ b/testing/btest/core/erspanI.zeek
@ -1,4 +1,4 @@
-# @TEST-EXEC: zeek -C -b -r $TRACES/erspanI.pcap %INPUT
+# @TEST-EXEC: zeek -b -r $TRACES/erspanI.pcap %INPUT
 # @TEST-EXEC: btest-diff tunnel.log
 # @TEST-EXEC: btest-diff conn.log

--- a/testing/btest/core/erspanII.zeek
+++ b/testing/btest/core/erspanII.zeek
@ -1,4 +1,4 @@
-# @TEST-EXEC: zeek -C -b -r $TRACES/erspanII.pcap %INPUT
+# @TEST-EXEC: zeek -b -r $TRACES/erspanII.pcap %INPUT
 # @TEST-EXEC: btest-diff tunnel.log
 # @TEST-EXEC: btest-diff conn.log

--- a/testing/btest/core/erspanIII.zeek
+++ b/testing/btest/core/erspanIII.zeek
@ -1,4 +1,4 @@
-# @TEST-EXEC: zeek -C -b -r $TRACES/erspanIII.pcap %INPUT
+# @TEST-EXEC: zeek -b -r $TRACES/erspanIII.pcap %INPUT
 # @TEST-EXEC: btest-diff tunnel.log
 # @TEST-EXEC: btest-diff conn.log

--- a/testing/btest/core/ether-addrs.zeek
+++ b/testing/btest/core/ether-addrs.zeek
@ -1,5 +1,5 @@
-# @TEST-EXEC: zeek -C -b -r $TRACES/wikipedia.trace %INPUT >>output
-# @TEST-EXEC: zeek -C -b -r $TRACES/radiotap.pcap %INPUT >>output
+# @TEST-EXEC: zeek -b -r $TRACES/wikipedia.trace %INPUT >>output
+# @TEST-EXEC: zeek -b -r $TRACES/radiotap.pcap %INPUT >>output
 # @TEST-EXEC: btest-diff output

 event new_connection(c: connection)
--- a/testing/btest/core/pcap/read-trace-with-filter.zeek
+++ b/testing/btest/core/pcap/read-trace-with-filter.zeek
@ -1,3 +1,3 @@
-# @TEST-EXEC: zeek -C -r $TRACES/wikipedia.trace -f "port 50000"
+# @TEST-EXEC: zeek -r $TRACES/wikipedia.trace -f "port 50000"
 # @TEST-EXEC: btest-diff conn.log
 # @TEST-EXEC: btest-diff packet_filter.log
--- a/testing/btest/core/pppoe-over-qinq.zeek
+++ b/testing/btest/core/pppoe-over-qinq.zeek
@ -1,5 +1,5 @@
 # Disable test temporarily - see GH-4547
 # @TEST-REQUIRES: ! have-spicy-ssl

-# @TEST-EXEC: zeek -C -r $TRACES/pppoe-over-qinq.pcap
+# @TEST-EXEC: zeek -r $TRACES/pppoe-over-qinq.pcap
 # @TEST-EXEC: btest-diff conn.log
--- a/testing/btest/core/reporter-weird-sampling-global.zeek
+++ b/testing/btest/core/reporter-weird-sampling-global.zeek
@ -1,4 +1,4 @@
-# @TEST-EXEC: zeek -C -b -r $TRACES/wlanmon.pcap %INPUT | sort | uniq -c | awk '{print $1, $2, $3}' >output
+# @TEST-EXEC: zeek -b -r $TRACES/wlanmon.pcap %INPUT | sort | uniq -c | awk '{print $1, $2, $3}' >output
 # @TEST-EXEC: btest-diff output

 # The sampling functionality itself is already tested through other tests.
--- a/testing/btest/core/tunnels/gre-aruba-amsdu.zeek
+++ b/testing/btest/core/tunnels/gre-aruba-amsdu.zeek
@ -1,5 +1,5 @@
 # @TEST-DOC: Tests a GRE ARUBA trace that contains IEEE 802.11 QoS A-MSDU headers. This is testing that the tunnel is detected and that the conn byte size contains both A-MSDU subframe packets.
-# @TEST-EXEC: zeek -C -b -r $TRACES/tunnels/gre-aruba-amsdu.pcap %INPUT
+# @TEST-EXEC: zeek -b -r $TRACES/tunnels/gre-aruba-amsdu.pcap %INPUT
 # @TEST-EXEC: btest-diff tunnel.log
 # @TEST-EXEC: btest-diff conn.log

--- a/testing/btest/core/tunnels/gre-aruba-ccmp.zeek
+++ b/testing/btest/core/tunnels/gre-aruba-ccmp.zeek
@ -1,4 +1,4 @@
 # @TEST-DOC: Tests a GRE ARUBA trace that contains IEEE 802.11 CCMP headers. This should report a weird about encrypted data.
-# @TEST-EXEC: zeek -C -b -r $TRACES/tunnels/gre-aruba-ccmp.pcap %INPUT
+# @TEST-EXEC: zeek -b -r $TRACES/tunnels/gre-aruba-ccmp.pcap %INPUT

@load base/frameworks/notice/weird
--- a/testing/btest/core/tunnels/gre-aruba.zeek
+++ b/testing/btest/core/tunnels/gre-aruba.zeek
@ -1,4 +1,4 @@
-# @TEST-EXEC: zeek -C -b -r $TRACES/tunnels/gre-aruba.pcap %INPUT
+# @TEST-EXEC: zeek -b -r $TRACES/tunnels/gre-aruba.pcap %INPUT
 # @TEST-EXEC: btest-diff tunnel.log

@load base/frameworks/tunnels
--- a/testing/btest/core/tunnels/gre-in-gre-min-depth.test
+++ b/testing/btest/core/tunnels/gre-in-gre-min-depth.test
@ -1,3 +1,3 @@
 # @TEST-DOC: Tests that an IP-in-IP tunnel with max-depth set to 1 doesn't crash
-# @TEST-EXEC: zeek -C -r $TRACES/tunnels/gre-within-gre.pcap Tunnel::max_depth=1
+# @TEST-EXEC: zeek -r $TRACES/tunnels/gre-within-gre.pcap Tunnel::max_depth=1
 # @TEST-EXEC: btest-diff weird.log
--- a/testing/btest/core/tunnels/gtp/unknown_or_too_short.test
+++ b/testing/btest/core/tunnels/gtp/unknown_or_too_short.test
@ -1,4 +1,4 @@
-# @TEST-EXEC: zeek -C -r $TRACES/tunnels/gtp/gtp9_unknown_or_too_short_payload.pcap %INPUT
+# @TEST-EXEC: zeek -r $TRACES/tunnels/gtp/gtp9_unknown_or_too_short_payload.pcap %INPUT
 # @TEST-EXEC: btest-diff analyzer.log
 # @TEST-EXEC: btest-diff tunnel.log

--- a/testing/btest/scripts/base/frameworks/file-analysis/bifs/enable-disable.zeek
+++ b/testing/btest/scripts/base/frameworks/file-analysis/bifs/enable-disable.zeek
@ -1,5 +1,5 @@
-# @TEST-EXEC: zeek -C -b -r $TRACES/pe/pe.trace %INPUT >out
-# @TEST-EXEC: zeek -C -b -r $TRACES/pe/pe.trace %INPUT disable_it=T >>out
+# @TEST-EXEC: zeek -b -r $TRACES/pe/pe.trace %INPUT >out
+# @TEST-EXEC: zeek -b -r $TRACES/pe/pe.trace %INPUT disable_it=T >>out
 # @TEST-EXEC: btest-diff out

@load base/protocols/ftp
--- a/testing/btest/scripts/base/frameworks/storage/redis-expiration.zeek
+++ b/testing/btest/scripts/base/frameworks/storage/redis-expiration.zeek
@ -4,7 +4,7 @@
 # @TEST-PORT: REDIS_PORT

 # @TEST-EXEC: btest-bg-run redis-server run-redis-server ${REDIS_PORT%/tcp}
-# @TEST-EXEC: zcat <$TRACES/echo-connections.pcap.gz | zeek -B storage -b -Cr - %INPUT > out
+# @TEST-EXEC: zcat <$TRACES/echo-connections.pcap.gz | zeek -B storage -b -r - %INPUT > out
 # @TEST-EXEC: btest-bg-wait -k 1

 # @TEST-EXEC: btest-diff out
--- a/testing/btest/scripts/base/frameworks/storage/sqlite-basic-reading-pcap.zeek
+++ b/testing/btest/scripts/base/frameworks/storage/sqlite-basic-reading-pcap.zeek
@ -1,5 +1,5 @@
 # @TEST-DOC: Tests that sqlite async works fine while reading pcaps
-# @TEST-EXEC: zeek -C -r $TRACES/http/get.trace %INPUT > out
+# @TEST-EXEC: zeek -r $TRACES/http/get.trace %INPUT > out
 # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff out
 # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff .stderr

--- a/testing/btest/scripts/base/frameworks/storage/sqlite-expiration.zeek
+++ b/testing/btest/scripts/base/frameworks/storage/sqlite-expiration.zeek
@ -1,5 +1,5 @@
 # @TEST-DOC: Automatic expiration of stored data
-# @TEST-EXEC: zcat <$TRACES/echo-connections.pcap.gz | zeek -b -Cr - %INPUT > out
+# @TEST-EXEC: zcat <$TRACES/echo-connections.pcap.gz | zeek -b -r - %INPUT > out
 # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff out
 # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff .stderr

--- a/testing/btest/scripts/base/frameworks/telemetry/basic.zeek
+++ b/testing/btest/scripts/base/frameworks/telemetry/basic.zeek
@ -2,7 +2,7 @@
 # Not compilable to C++ due to globals being initialized to a record that
 # has an opaque type as a field.
 # @TEST-REQUIRES: test "${ZEEK_USE_CPP}" != "1"
-# @TEST-EXEC: zcat <$TRACES/echo-connections.pcap.gz | zeek -b -Cr - %INPUT > out
+# @TEST-EXEC: zcat <$TRACES/echo-connections.pcap.gz | zeek -b -r - %INPUT > out
 # @TEST-EXEC: btest-diff out
 # @TEST-EXEC-FAIL: test -f reporter.log

--- a/testing/btest/scripts/base/frameworks/telemetry/conn-duration-histogram.zeek
+++ b/testing/btest/scripts/base/frameworks/telemetry/conn-duration-histogram.zeek
@ -1,7 +1,7 @@
 # Not compilable to C++ due to globals being initialized to a record that
 # has an opaque type as a field.
 # @TEST-REQUIRES: test "${ZEEK_USE_CPP}" != "1"
-# @TEST-EXEC: zcat <$TRACES/echo-connections.pcap.gz | zeek -b -Cr - %INPUT > out
+# @TEST-EXEC: zcat <$TRACES/echo-connections.pcap.gz | zeek -b -r - %INPUT > out
 # @TEST-EXEC: btest-diff out
 # @TEST-EXEC-FAIL: test -f reporter.log

--- a/testing/btest/scripts/base/frameworks/telemetry/event-handler-invocations.zeek
+++ b/testing/btest/scripts/base/frameworks/telemetry/event-handler-invocations.zeek
@ -3,7 +3,7 @@
 # Not compilable to C++ due to globals being initialized to a record that
 # has an opaque type as a field.
 # @TEST-REQUIRES: test "${ZEEK_USE_CPP}" != "1"
-# @TEST-EXEC: zcat <$TRACES/echo-connections.pcap.gz | zeek -b -Cr - %INPUT > out
+# @TEST-EXEC: zcat <$TRACES/echo-connections.pcap.gz | zeek -b -r - %INPUT > out
 # @TEST-EXEC: btest-diff out
 # @TEST-EXEC-FAIL: test -f reporter.log

--- a/testing/btest/scripts/base/frameworks/telemetry/internal-metrics.zeek
+++ b/testing/btest/scripts/base/frameworks/telemetry/internal-metrics.zeek
@ -2,7 +2,7 @@
 # Not compilable to C++ due to globals being initialized to a record that
 # has an opaque type as a field.
 # @TEST-REQUIRES: test "${ZEEK_USE_CPP}" != "1"
-# @TEST-EXEC: zcat <$TRACES/echo-connections.pcap.gz | zeek -b -Cr - %INPUT > out
+# @TEST-EXEC: zcat <$TRACES/echo-connections.pcap.gz | zeek -b -r - %INPUT > out
 # @TEST-EXEC: btest-diff out
 # @TEST-EXEC-FAIL: test -f reporter.log

--- a/testing/btest/scripts/base/protocols/dce-rpc/dce-rpc-backing-discard.zeek
+++ b/testing/btest/scripts/base/protocols/dce-rpc/dce-rpc-backing-discard.zeek
@ -1,5 +1,5 @@
 # @TEST-DOC: Pcap does not contain close requests for the involved fids (filtered out with wireshark)
-# @TEST-EXEC: zeek -C -r $TRACES/dce-rpc/20-fids-no-close.pcap %INPUT >out
+# @TEST-EXEC: zeek -r $TRACES/dce-rpc/20-fids-no-close.pcap %INPUT >out
 # @TEST-EXEC: btest-diff out
 # @TEST-EXEC: btest-diff weird.log

--- a/testing/btest/scripts/base/protocols/dce-rpc/dce-rpc-backing-size.zeek
+++ b/testing/btest/scripts/base/protocols/dce-rpc/dce-rpc-backing-size.zeek
@ -1,5 +1,5 @@
 # @TEST-DOC: Ensure dce_rpc_backing state stays bounded when pipes are closed properly.
-# @TEST-EXEC: zeek -C -r $TRACES/dce-rpc/20-fids.pcap %INPUT >out
+# @TEST-EXEC: zeek -r $TRACES/dce-rpc/20-fids.pcap %INPUT >out
 # @TEST-EXEC: btest-diff out
 # @TEST-EXEC: test ! -f weird.log

--- a/testing/btest/scripts/base/protocols/dns/dns-edns-cookie.zeek
+++ b/testing/btest/scripts/base/protocols/dns/dns-edns-cookie.zeek
@ -1,4 +1,4 @@
-# @TEST-EXEC: zeek -C -r $TRACES/dns-edns-cookie.pcap %INPUT > output
+# @TEST-EXEC: zeek -r $TRACES/dns-edns-cookie.pcap %INPUT > output
 # @TEST-EXEC: btest-diff output
@load policy/protocols/dns/auth-addl

--- a/testing/btest/scripts/base/protocols/dns/dns-edns-tcp-keepalive.zeek
+++ b/testing/btest/scripts/base/protocols/dns/dns-edns-tcp-keepalive.zeek
@ -1,4 +1,4 @@
-# @TEST-EXEC: zeek -C -r $TRACES/dns-edns-tcp-keepalive.pcap %INPUT > output
+# @TEST-EXEC: zeek -r $TRACES/dns-edns-tcp-keepalive.pcap %INPUT > output
 # @TEST-EXEC: btest-diff output
@load policy/protocols/dns/auth-addl

--- a/testing/btest/scripts/base/protocols/dns/https.zeek
+++ b/testing/btest/scripts/base/protocols/dns/https.zeek
@ -1,4 +1,4 @@
-# @TEST-EXEC: zeek -C -r $TRACES/dns-https.pcap %INPUT > output
+# @TEST-EXEC: zeek -r $TRACES/dns-https.pcap %INPUT > output
 # @TEST-EXEC: btest-diff output

@load policy/protocols/dns/auth-addl
--- a/testing/btest/scripts/base/protocols/http/curl-http-09.zeek
+++ b/testing/btest/scripts/base/protocols/http/curl-http-09.zeek
@ -1,5 +1,5 @@
 # @TEST-DOC: curl --http0.9 to accept the headerless response.
-# @TEST-EXEC: zeek -b -Cr $TRACES/http/curl_http_09.pcap %INPUT
+# @TEST-EXEC: zeek -b -r $TRACES/http/curl_http_09.pcap %INPUT
 # @TEST-EXEC: btest-diff http.log
 # @TEST-EXEC: test ! -f weird.log

--- a/testing/btest/scripts/base/protocols/http/http-09.zeek
+++ b/testing/btest/scripts/base/protocols/http/http-09.zeek
@ -1,5 +1,5 @@
 # @TEST-DOC: Artificially created PCAP with one proper HTTP 0.9 request/response and a few invalid ones.
-# @TEST-EXEC: zeek -b -Cr $TRACES/http/http_09.pcap %INPUT
+# @TEST-EXEC: zeek -b -r $TRACES/http/http_09.pcap %INPUT
 # @TEST-EXEC: btest-diff http.log
 # @TEST-EXEC: btest-diff weird.log

--- a/testing/btest/scripts/base/protocols/http/http-dpd-large-req.zeek
+++ b/testing/btest/scripts/base/protocols/http/http-dpd-large-req.zeek
@ -1,4 +1,4 @@
-# @TEST-EXEC: zeek -C -b -r $TRACES/http/http_large_req_8001.pcap %INPUT >output
+# @TEST-EXEC: zeek -b -r $TRACES/http/http_large_req_8001.pcap %INPUT >output
 # @TEST-EXEC: btest-diff output
 # 
 # @TEST-DOC: Tests our DPD signatures with a session where one side exceeds the DPD buffer size.
--- a/testing/btest/scripts/base/protocols/http/no-version.zeek
+++ b/testing/btest/scripts/base/protocols/http/no-version.zeek
@ -1,4 +1,4 @@
-# @TEST-EXEC: zeek -b -Cr $TRACES/http/no-version.pcap %INPUT
+# @TEST-EXEC: zeek -b -r $TRACES/http/no-version.pcap %INPUT
 # @TEST-EXEC: btest-diff http.log

@load base/protocols/http
--- a/testing/btest/scripts/base/protocols/http/percent-end-of-line.zeek
+++ b/testing/btest/scripts/base/protocols/http/percent-end-of-line.zeek
@ -1,4 +1,4 @@
-# @TEST-EXEC: zeek -b -Cr $TRACES/http/percent-end-of-line.pcap %INPUT
+# @TEST-EXEC: zeek -b -r $TRACES/http/percent-end-of-line.pcap %INPUT
 # @TEST-EXEC: btest-diff http.log
 # @TEST-EXEC: btest-diff weird.log

--- a/testing/btest/scripts/base/protocols/http/version-mismatch.zeek
+++ b/testing/btest/scripts/base/protocols/http/version-mismatch.zeek
@ -1,5 +1,5 @@
 # @TEST-DOC: Pcap extracted from 2009-M57-day11-18.trace: The server replies with HTTP/1.1, then HTTP/1.0 (also different Server headers).
-# @TEST-EXEC: zeek -b -Cr $TRACES/http/version-mismatch.pcap %INPUT
+# @TEST-EXEC: zeek -b -r $TRACES/http/version-mismatch.pcap %INPUT
 # @TEST-EXEC: btest-diff http.log
 # @TEST-EXEC: btest-diff weird.log

--- a/testing/btest/scripts/base/protocols/ldap/add.zeek
+++ b/testing/btest/scripts/base/protocols/ldap/add.zeek
@ -1,7 +1,7 @@
 # Copyright (c) 2024 by the Zeek Project. See LICENSE for details.

 # @TEST-REQUIRES: have-spicy
-# @TEST-EXEC: zeek -C -r ${TRACES}/ldap/ldap-add.pcap %INPUT
+# @TEST-EXEC: zeek -r ${TRACES}/ldap/ldap-add.pcap %INPUT
 # @TEST-EXEC: cat conn.log | zeek-cut -Cn local_orig local_resp > conn.log2 && mv conn.log2 conn.log
 # @TEST-EXEC: btest-diff conn.log
 # @TEST-EXEC: btest-diff ldap.log
--- a/testing/btest/scripts/base/protocols/ldap/aduser1.zeek
+++ b/testing/btest/scripts/base/protocols/ldap/aduser1.zeek
@ -1,7 +1,7 @@
 # @TEST-REQUIRES: have-spicy
-# @TEST-EXEC: zeek -C -r ${TRACES}/ldap/aduser1.pcap %INPUT
+# @TEST-EXEC: zeek -r ${TRACES}/ldap/aduser1.pcap %INPUT
 # @TEST-EXEC: mkdir krb && mv *.log krb
-# @TEST-EXEC: zeek -C -r ${TRACES}/ldap/aduser1-ntlm.pcap %INPUT
+# @TEST-EXEC: zeek -r ${TRACES}/ldap/aduser1-ntlm.pcap %INPUT
 # @TEST-EXEC: mkdir ntlm && mv *.log ntlm
 # @TEST-EXEC: btest-diff krb/ldap.log
 # @TEST-EXEC: btest-diff krb/ldap_search.log
--- a/testing/btest/scripts/base/protocols/ldap/sasl-ntlm.zeek
+++ b/testing/btest/scripts/base/protocols/ldap/sasl-ntlm.zeek
@ -1,7 +1,7 @@
 # Copyright (c) 2024 by the Zeek Project. See LICENSE for details.

 # @TEST-REQUIRES: have-spicy
-# @TEST-EXEC: zeek -C -r ${TRACES}/ldap/sasl-ntlm.pcap %INPUT
+# @TEST-EXEC: zeek -r ${TRACES}/ldap/sasl-ntlm.pcap %INPUT
 # @TEST-EXEC: cat conn.log | zeek-cut -Cn local_orig local_resp > conn.log2 && mv conn.log2 conn.log
 # @TEST-EXEC: btest-diff conn.log
 # @TEST-EXEC: btest-diff ldap.log
--- a/testing/btest/scripts/base/protocols/ldap/sasl-scram-sha-512.zeek
+++ b/testing/btest/scripts/base/protocols/ldap/sasl-scram-sha-512.zeek
@ -1,7 +1,7 @@
 # Copyright (c) 2024 by the Zeek Project. See LICENSE for details.

 # @TEST-REQUIRES: have-spicy
-# @TEST-EXEC: zeek -C -r ${TRACES}/ldap/sasl-scram-sha-512.pcap %INPUT
+# @TEST-EXEC: zeek -r ${TRACES}/ldap/sasl-scram-sha-512.pcap %INPUT
 # @TEST-EXEC: cat conn.log | zeek-cut -Cn local_orig local_resp > conn.log2 && mv conn.log2 conn.log
 # @TEST-EXEC: btest-diff conn.log
 # @TEST-EXEC: btest-diff ldap.log
--- a/testing/btest/scripts/base/protocols/ldap/sasl-srp-who-am-i.zeek
+++ b/testing/btest/scripts/base/protocols/ldap/sasl-srp-who-am-i.zeek
@ -1,7 +1,7 @@
 # Copyright (c) 2024 by the Zeek Project. See LICENSE for details.

 # @TEST-REQUIRES: have-spicy
-# @TEST-EXEC: zeek -C -r ${TRACES}/ldap/sasl-srp-who-am-i.pcap %INPUT
+# @TEST-EXEC: zeek -r ${TRACES}/ldap/sasl-srp-who-am-i.pcap %INPUT
 # @TEST-EXEC: cat conn.log | zeek-cut -Cn local_orig local_resp > conn.log2 && mv conn.log2 conn.log
 # @TEST-EXEC: btest-diff conn.log
 # @TEST-EXEC: btest-diff ldap.log
--- a/testing/btest/scripts/base/protocols/ldap/spnego-ntlmssp.zeek
+++ b/testing/btest/scripts/base/protocols/ldap/spnego-ntlmssp.zeek
@ -5,7 +5,7 @@
 # at https://zenodo.org/records/7958259 (DOI 10.5281/zenodo.7958258).

 # @TEST-REQUIRES: have-spicy
-# @TEST-EXEC: zeek -C -r ${TRACES}/ldap/ctu-sme-11-win7ad-1-ldap-tcp-50041.pcap
+# @TEST-EXEC: zeek -r ${TRACES}/ldap/ctu-sme-11-win7ad-1-ldap-tcp-50041.pcap
 # @TEST-EXEC: cat conn.log | zeek-cut -Cn local_orig local_resp > conn.log2 && mv conn.log2 conn.log
 # @TEST-EXEC: btest-diff conn.log
 # @TEST-EXEC: btest-diff ldap.log
--- a/testing/btest/scripts/base/protocols/ldap/starttls.zeek
+++ b/testing/btest/scripts/base/protocols/ldap/starttls.zeek
@ -1,7 +1,7 @@
 # Copyright (c) 2024 by the Zeek Project. See LICENSE for details.

 # @TEST-REQUIRES: have-spicy
-# @TEST-EXEC: zeek -C -r ${TRACES}/ldap/ldap-starttls.pcap %INPUT >out
+# @TEST-EXEC: zeek -r ${TRACES}/ldap/ldap-starttls.pcap %INPUT >out
 # @TEST-EXEC: cat conn.log | zeek-cut -Cn local_orig local_resp > conn.log2 && mv conn.log2 conn.log
 # @TEST-EXEC: btest-diff out
 # @TEST-EXEC: btest-diff conn.log
--- a/testing/btest/scripts/base/protocols/ldap/who-am-i.zeek
+++ b/testing/btest/scripts/base/protocols/ldap/who-am-i.zeek
@ -1,7 +1,7 @@
 # Copyright (c) 2024 by the Zeek Project. See LICENSE for details.

 # @TEST-REQUIRES: have-spicy
-# @TEST-EXEC: zeek -C -r ${TRACES}/ldap/ldap-who-am-i.pcap %INPUT >out
+# @TEST-EXEC: zeek -r ${TRACES}/ldap/ldap-who-am-i.pcap %INPUT >out
 # @TEST-EXEC: cat conn.log | zeek-cut -Cn local_orig local_resp > conn.log2 && mv conn.log2 conn.log
 # @TEST-EXEC: btest-diff out
 # @TEST-EXEC: btest-diff conn.log
--- a/testing/btest/scripts/base/protocols/pop3/basic.zeek
+++ b/testing/btest/scripts/base/protocols/pop3/basic.zeek
@ -1,5 +1,5 @@
 # @TEST-DOC: Ensure basic POP3 functionality.
-# @TEST-EXEC: zeek -C -b -r $TRACES/pop3/pop3.pcap %INPUT >out
+# @TEST-EXEC: zeek -b -r $TRACES/pop3/pop3.pcap %INPUT >out
 # @TEST-EXEC: btest-diff conn.log
 # @TEST-EXEC: btest-diff out
 # @TEST-EXEC: test ! -f weird.log
--- a/testing/btest/scripts/base/protocols/pop3/redis.zeek
+++ b/testing/btest/scripts/base/protocols/pop3/redis.zeek
@ -1,5 +1,5 @@
 # @TEST-DOC: The POP3 signature triggered on Redis traffic. Ensure the analyzer is eventually removed to avoid.
-# @TEST-EXEC: zeek -C -b -r $TRACES/pop3/redis-50-pings.pcap %INPUT >out
+# @TEST-EXEC: zeek -b -r $TRACES/pop3/redis-50-pings.pcap %INPUT >out
 # @TEST-EXEC: btest-diff conn.log
 # @TEST-EXEC: btest-diff out
 # @TEST-EXEC: btest-diff weird.log
--- a/testing/btest/scripts/base/protocols/postgresql/dump-events.zeek
+++ b/testing/btest/scripts/base/protocols/postgresql/dump-events.zeek
@ -1,8 +1,8 @@
 # @TEST-DOC: Test that misc/dump events works.
 #
 # @TEST-REQUIRES: ${SCRIPTS}/have-spicy
-# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/psql-select-now.pcap %INPUT >>output
-# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/psql-insert-fail-drop-fail.pcap %INPUT >>output
+# @TEST-EXEC: zeek -b -r ${TRACES}/postgresql/psql-select-now.pcap %INPUT >>output
+# @TEST-EXEC: zeek -b -r ${TRACES}/postgresql/psql-insert-fail-drop-fail.pcap %INPUT >>output
 #
 # @TEST-EXEC: btest-diff output

--- a/testing/btest/scripts/base/protocols/postgresql/http-on-port-5432.zeek
+++ b/testing/btest/scripts/base/protocols/postgresql/http-on-port-5432.zeek
@ -1,7 +1,7 @@
 # @TEST-DOC: Test rejecting wrong protocol.
 #
 # @TEST-REQUIRES: ${SCRIPTS}/have-spicy
-# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/http-on-port-5432.pcap %INPUT >output
+# @TEST-EXEC: zeek -b -r ${TRACES}/postgresql/http-on-port-5432.pcap %INPUT >output
 # @TEST-EXEC: zeek-cut -m ts uid id.orig_h id.orig_p id.resp_h id.resp_p history service  < conn.log > conn.cut
 # @TEST-EXEC: zeek-cut -m < analyzer_debug.log > analyzer.cut
 #
--- a/testing/btest/scripts/base/protocols/postgresql/mysql-on-port-5432.zeek
+++ b/testing/btest/scripts/base/protocols/postgresql/mysql-on-port-5432.zeek
@ -1,7 +1,7 @@
 # @TEST-DOC: Test rejecting wrong protocol.
 #
 # @TEST-REQUIRES: ${SCRIPTS}/have-spicy
-# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/mysql-on-port-5432.pcap %INPUT >output
+# @TEST-EXEC: zeek -b -r ${TRACES}/postgresql/mysql-on-port-5432.pcap %INPUT >output
 # @TEST-EXEC: zeek-cut -m ts uid id.orig_h id.orig_p id.resp_h id.resp_p history service  < conn.log > conn.cut
 # @TEST-EXEC: zeek-cut -m < analyzer_debug.log > analyzer.cut
 #
--- a/testing/btest/scripts/base/protocols/postgresql/parameter-status.zeek
+++ b/testing/btest/scripts/base/protocols/postgresql/parameter-status.zeek
@ -1,7 +1,7 @@
 # @TEST-DOC: Test the parameter status event.
 #
 # @TEST-REQUIRES: ${SCRIPTS}/have-spicy
-# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/psql-login-no-sslrequest.pcap %INPUT >output
+# @TEST-EXEC: zeek -b -r ${TRACES}/postgresql/psql-login-no-sslrequest.pcap %INPUT >output
 #
 # @TEST-EXEC: btest-diff output

--- a/testing/btest/scripts/base/protocols/postgresql/psql-auth.zeek
+++ b/testing/btest/scripts/base/protocols/postgresql/psql-auth.zeek
@ -1,7 +1,7 @@
 # @TEST-DOC: Test Zeek parsing a trace file through the PostgreSQL analyzer.
 #
 # @TEST-REQUIRES: ${SCRIPTS}/have-spicy
-# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/psql-select-now.pcap %INPUT >output
+# @TEST-EXEC: zeek -b -r ${TRACES}/postgresql/psql-select-now.pcap %INPUT >output
 #
 # @TEST-EXEC: btest-diff output

--- a/testing/btest/scripts/base/protocols/postgresql/psql-aws-ssl-disable-15432.zeek
+++ b/testing/btest/scripts/base/protocols/postgresql/psql-aws-ssl-disable-15432.zeek
@ -1,7 +1,7 @@
 # @TEST-DOC: Test that the dpd.sig picks up a plaintext connection on a non-standard port.
 #
 # @TEST-REQUIRES: ${SCRIPTS}/have-spicy
-# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/psql-aws-ssl-disable-15432.pcap %INPUT >output
+# @TEST-EXEC: zeek -b -r ${TRACES}/postgresql/psql-aws-ssl-disable-15432.pcap %INPUT >output
 # @TEST-EXEC: zeek-cut -m ts uid id.orig_h id.orig_p id.resp_h id.resp_p service  < conn.log > conn.cut
 # @TEST-EXEC: zeek-cut -m < postgresql.log > postgresql.cut
 #
--- a/testing/btest/scripts/base/protocols/postgresql/psql-aws-ssl-disable.zeek
+++ b/testing/btest/scripts/base/protocols/postgresql/psql-aws-ssl-disable.zeek
@ -1,7 +1,7 @@
 # @TEST-DOC: Test that SSLRequest is recognized and ssl.log exists
 #
 # @TEST-REQUIRES: ${SCRIPTS}/have-spicy
-# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/psql-aws-ssl-disable.pcap %INPUT
+# @TEST-EXEC: zeek -b -r ${TRACES}/postgresql/psql-aws-ssl-disable.pcap %INPUT
 # @TEST-EXEC: zeek-cut -m ts uid id.orig_h id.orig_p id.resp_h id.resp_p service  < conn.log > conn.cut
 # @TEST-EXEC: zeek-cut -m < postgresql.log > postgresql.cut
 #
--- a/testing/btest/scripts/base/protocols/postgresql/psql-aws-ssl-require-15432.zeek
+++ b/testing/btest/scripts/base/protocols/postgresql/psql-aws-ssl-require-15432.zeek
@ -1,7 +1,7 @@
 # @TEST-DOC: Test that the dpd.sig picks up the SSLRequest and server response on a non-standard port.
 #
 # @TEST-REQUIRES: ${SCRIPTS}/have-spicy
-# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/psql-aws-ssl-require-15432.pcap %INPUT >output
+# @TEST-EXEC: zeek -b -r ${TRACES}/postgresql/psql-aws-ssl-require-15432.pcap %INPUT >output
 # @TEST-EXEC: zeek-cut -m ts uid id.orig_h id.orig_p id.resp_h id.resp_p service  < conn.log > conn.cut
 # @TEST-EXEC: zeek-cut -m ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name < ssl.log > ssl.cut
 # @TEST-EXEC: zeek-cut -m < postgresql.log > postgresql.cut
--- a/testing/btest/scripts/base/protocols/postgresql/psql-aws-ssl-require.zeek
+++ b/testing/btest/scripts/base/protocols/postgresql/psql-aws-ssl-require.zeek
@ -1,7 +1,7 @@
 # @TEST-DOC: Test that SSLRequest is recognized and ssl.log exists
 #
 # @TEST-REQUIRES: ${SCRIPTS}/have-spicy
-# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/psql-aws-ssl-require.pcap %INPUT
+# @TEST-EXEC: zeek -b -r ${TRACES}/postgresql/psql-aws-ssl-require.pcap %INPUT
 # @TEST-EXEC: zeek-cut -m ts uid id.orig_h id.orig_p id.resp_h id.resp_p service  < conn.log > conn.cut
 # @TEST-EXEC: zeek-cut -m ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name < ssl.log > ssl.cut
 # @TEST-EXEC: zeek-cut -m < postgresql.log > postgresql.cut
--- a/testing/btest/scripts/base/protocols/postgresql/psql-create-insert-select.zeek
+++ b/testing/btest/scripts/base/protocols/postgresql/psql-create-insert-select.zeek
@ -1,7 +1,7 @@
 # @TEST-DOC: Trace with CREATE TABLE, INSERT, SELECT DELETE and DROP.
 #
 # @TEST-REQUIRES: ${SCRIPTS}/have-spicy
-# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/psql-create-insert-select-delete-drop.pcap %INPUT >output
+# @TEST-EXEC: zeek -b -r ${TRACES}/postgresql/psql-create-insert-select-delete-drop.pcap %INPUT >output
 # @TEST-EXEC: zeek-cut -m ts uid id.orig_h id.orig_p id.resp_h id.resp_p service  < conn.log > conn.cut
 # @TEST-EXEC: zeek-cut -m < postgresql.log > postgresql.cut
 #
--- a/testing/btest/scripts/base/protocols/postgresql/psql-insert-fail-drop-fail.zeek
+++ b/testing/btest/scripts/base/protocols/postgresql/psql-insert-fail-drop-fail.zeek
@ -1,7 +1,7 @@
 # @TEST-DOC: Test Zeek parsing a trace file through the PostgreSQL analyzer.
 #
 # @TEST-REQUIRES: ${SCRIPTS}/have-spicy
-# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/psql-insert-fail-drop-fail.pcap ${PACKAGE} %INPUT >output
+# @TEST-EXEC: zeek -b -r ${TRACES}/postgresql/psql-insert-fail-drop-fail.pcap ${PACKAGE} %INPUT >output
 # @TEST-EXEC: zeek-cut -m ts uid id.orig_h id.orig_p id.resp_h id.resp_p service  < conn.log > conn.cut
 # @TEST-EXEC: zeek-cut -m < postgresql.log > postgresql.cut
 #
--- a/testing/btest/scripts/base/protocols/postgresql/psql-login-fail.zeek
+++ b/testing/btest/scripts/base/protocols/postgresql/psql-login-fail.zeek
@ -1,7 +1,7 @@
 # @TEST-DOC: Test Zeek parsing a trace file through the PostgreSQL analyzer.
 #
 # @TEST-REQUIRES: ${SCRIPTS}/have-spicy
-# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/psql-login-fail.pcap %INPUT >output
+# @TEST-EXEC: zeek -b -r ${TRACES}/postgresql/psql-login-fail.pcap %INPUT >output
 # @TEST-EXEC: zeek-cut -m ts uid id.orig_h id.orig_p id.resp_h id.resp_p service  < conn.log > conn.cut
 # @TEST-EXEC: zeek-cut -m < postgresql.log > postgresql.cut
 #
--- a/testing/btest/scripts/base/protocols/postgresql/psql-login-no-sslrequest.zeek
+++ b/testing/btest/scripts/base/protocols/postgresql/psql-login-no-sslrequest.zeek
@ -1,7 +1,7 @@
 # @TEST-DOC: The client does not start with SSLRequest. This pcap has two connections, attempting without password.
 #
 # @TEST-REQUIRES: ${SCRIPTS}/have-spicy
-# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/psql-login-no-sslrequest.pcap %INPUT >output
+# @TEST-EXEC: zeek -b -r ${TRACES}/postgresql/psql-login-no-sslrequest.pcap %INPUT >output
 # @TEST-EXEC: zeek-cut -m ts uid id.orig_h id.orig_p id.resp_h id.resp_p service  < conn.log > conn.cut
 # @TEST-EXEC: zeek-cut -m < postgresql.log > postgresql.cut
 #
--- a/testing/btest/scripts/base/protocols/postgresql/psql-select-now.zeek
+++ b/testing/btest/scripts/base/protocols/postgresql/psql-select-now.zeek
@ -1,7 +1,7 @@
 # @TEST-DOC: Test Zeek parsing a trace file through the PostgreSQL analyzer.
 #
 # @TEST-REQUIRES: ${SCRIPTS}/have-spicy
-# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/psql-select-now.pcap %INPUT >output
+# @TEST-EXEC: zeek -b -r ${TRACES}/postgresql/psql-select-now.pcap %INPUT >output
 # @TEST-EXEC: zeek-cut -m ts uid id.orig_h id.orig_p id.resp_h id.resp_p service  < conn.log > conn.cut
 # @TEST-EXEC: zeek-cut -m < postgresql.log > postgresql.cut
 #
--- a/testing/btest/scripts/base/protocols/postgresql/startup-parameter.zeek
+++ b/testing/btest/scripts/base/protocols/postgresql/startup-parameter.zeek
@ -1,7 +1,7 @@
 # @TEST-DOC: Event for name, value pairs in the startup message.
 #
 # @TEST-REQUIRES: ${SCRIPTS}/have-spicy
-# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/psql-login-no-sslrequest.pcap %INPUT >output
+# @TEST-EXEC: zeek -b -r ${TRACES}/postgresql/psql-login-no-sslrequest.pcap %INPUT >output
 #
 # @TEST-EXEC: btest-diff output

--- a/testing/btest/scripts/base/protocols/quic/analyzer-confirmations.zeek
+++ b/testing/btest/scripts/base/protocols/quic/analyzer-confirmations.zeek
@ -1,7 +1,7 @@
 # @TEST-DOC: Test the order of analyzer confirmations for QUIC and SSL, QUIC should come first.

 # @TEST-REQUIRES: ${SCRIPTS}/have-spicy
-# @TEST-EXEC: zeek -Cr $TRACES/quic/chromium-115.0.5790.110-api-cirrus-com.pcap %INPUT >out
+# @TEST-EXEC: zeek -r $TRACES/quic/chromium-115.0.5790.110-api-cirrus-com.pcap %INPUT >out
 # @TEST-EXEC: zeek-cut -m ts uid history service < conn.log > conn.log.cut
 # @TEST-EXEC: TEST_DIFF_CANONIFIER= btest-diff out
 # @TEST-EXEC: btest-diff conn.log.cut
--- a/testing/btest/scripts/base/protocols/quic/chromium.zeek
+++ b/testing/btest/scripts/base/protocols/quic/chromium.zeek
@ -1,7 +1,7 @@
 # @TEST-DOC: Test that runs the pcap

 # @TEST-REQUIRES: ${SCRIPTS}/have-spicy
-# @TEST-EXEC: zeek -Cr $TRACES/quic/chromium-115.0.5790.110-api-cirrus-com.pcap base/protocols/quic
+# @TEST-EXEC: zeek -r $TRACES/quic/chromium-115.0.5790.110-api-cirrus-com.pcap base/protocols/quic
 # @TEST-EXEC: zeek-cut -m ts uid history service < conn.log > conn.log.cut
 # @TEST-EXEC: btest-diff conn.log.cut
 # @TEST-EXEC: btest-diff ssl.log
--- a/testing/btest/scripts/base/protocols/quic/decrypt-fail-google-de-51833.zeek
+++ b/testing/btest/scripts/base/protocols/quic/decrypt-fail-google-de-51833.zeek
@ -1,7 +1,7 @@
 # @TEST-DOC: PCAP for which decryption failed due to not using the initial destination connection ID consistently.

 # @TEST-REQUIRES: ${SCRIPTS}/have-spicy
-# @TEST-EXEC: zeek -Cr $TRACES/quic/quic-decrypt-fail-google-de-51833.pcap base/protocols/quic
+# @TEST-EXEC: zeek -r $TRACES/quic/quic-decrypt-fail-google-de-51833.pcap base/protocols/quic
 # @TEST-EXEC: test ! -f analyzer.log
 # @TEST-EXEC: test ! -f dpd.log
 # @TEST-EXEC: zeek-cut -m ts uid history service < conn.log > conn.log.cut
--- a/testing/btest/scripts/base/protocols/quic/events.zeek
+++ b/testing/btest/scripts/base/protocols/quic/events.zeek
@ -1,9 +1,9 @@
 # @TEST-DOC: Supported events so far.

 # @TEST-REQUIRES: ${SCRIPTS}/have-spicy
-# @TEST-EXEC: zeek -Cr $TRACES/quic/interop/quic-go_quic-go/retry.pcap base/protocols/quic %INPUT >out
+# @TEST-EXEC: zeek -r $TRACES/quic/interop/quic-go_quic-go/retry.pcap base/protocols/quic %INPUT >out
 # @TEST-EXEC: echo "zerortt.pcap" >>out
-# @TEST-EXEC: zeek -Cr $TRACES/quic/interop/quic-go_quic-go/zerortt.pcap base/protocols/quic %INPUT >>out
+# @TEST-EXEC: zeek -r $TRACES/quic/interop/quic-go_quic-go/zerortt.pcap base/protocols/quic %INPUT >>out
 # @TEST-EXEC: btest-diff out
 # @TEST-EXEC: btest-diff .stderr
 #
--- a/testing/btest/scripts/base/protocols/quic/firefox.zeek
+++ b/testing/btest/scripts/base/protocols/quic/firefox.zeek
@ -1,7 +1,7 @@
 # @TEST-DOC: Test that runs the pcap

 # @TEST-REQUIRES: ${SCRIPTS}/have-spicy
-# @TEST-EXEC: zeek -Cr $TRACES/quic/firefox-102.13.0esr-blog-cloudflare-com.pcap base/protocols/quic
+# @TEST-EXEC: zeek -r $TRACES/quic/firefox-102.13.0esr-blog-cloudflare-com.pcap base/protocols/quic
 # @TEST-EXEC: zeek-cut -m ts uid history service < conn.log > conn.log.cut
 # @TEST-EXEC: btest-diff conn.log.cut
 # @TEST-EXEC: btest-diff ssl.log
--- a/testing/btest/scripts/base/protocols/quic/interop/quic-go_quic-go/handshake.zeek
+++ b/testing/btest/scripts/base/protocols/quic/interop/quic-go_quic-go/handshake.zeek
@ -1,7 +1,7 @@
 # @TEST-DOC: Test interop pcap containing RETRY packet from server side.

 # @TEST-REQUIRES: ${SCRIPTS}/have-spicy
-# @TEST-EXEC: zeek -Cr $TRACES/quic/interop/quic-go_quic-go/handshake.pcap base/protocols/quic
+# @TEST-EXEC: zeek -r $TRACES/quic/interop/quic-go_quic-go/handshake.pcap base/protocols/quic
 # @TEST-EXEC: zeek-cut -m ts uid history service < conn.log > conn.log.cut
 # @TEST-EXEC: btest-diff conn.log.cut
 # @TEST-EXEC: btest-diff ssl.log
--- a/testing/btest/scripts/base/protocols/quic/interop/quic-go_quic-go/retry.zeek
+++ b/testing/btest/scripts/base/protocols/quic/interop/quic-go_quic-go/retry.zeek
@ -1,7 +1,7 @@
 # @TEST-DOC: Test interop pcap containing RETRY packet from server side.
 #
 # @TEST-REQUIRES: ${SCRIPTS}/have-spicy
-# @TEST-EXEC: zeek -Cr $TRACES/quic/interop/quic-go_quic-go/retry.pcap base/protocols/quic
+# @TEST-EXEC: zeek -r $TRACES/quic/interop/quic-go_quic-go/retry.pcap base/protocols/quic
 # @TEST-EXEC: zeek-cut -m ts uid history service < conn.log > conn.log.cut
 # @TEST-EXEC: btest-diff conn.log.cut
 # @TEST-EXEC: btest-diff ssl.log
--- a/testing/btest/scripts/base/protocols/quic/interop/quic-go_quic-go/zerortt.zeek
+++ b/testing/btest/scripts/base/protocols/quic/interop/quic-go_quic-go/zerortt.zeek
@ -1,7 +1,7 @@
 # @TEST-DOC: Test that client initiating connection using 0RTT packet doesn't cause analyzer errors trying to decrypt server side.
 #
 # @TEST-REQUIRES: ${SCRIPTS}/have-spicy
-# @TEST-EXEC: zeek -Cr $TRACES/quic/interop/quic-go_quic-go/zerortt.pcap base/protocols/quic
+# @TEST-EXEC: zeek -r $TRACES/quic/interop/quic-go_quic-go/zerortt.pcap base/protocols/quic
 # @TEST-EXEC: zeek-cut -m ts uid history service < conn.log > conn.log.cut
 # @TEST-EXEC: btest-diff conn.log.cut
 # @TEST-EXEC: btest-diff ssl.log
--- a/testing/btest/scripts/base/protocols/quic/max-history-length.zeek
+++ b/testing/btest/scripts/base/protocols/quic/max-history-length.zeek
@ -1,7 +1,7 @@
 # @TEST-DOC: Test that runs the pcap
 #
 # @TEST-REQUIRES: ${SCRIPTS}/have-spicy
-# @TEST-EXEC: zeek -Cr $TRACES/quic/firefox-102.13.0esr-blog-cloudflare-com.pcap base/protocols/quic QUIC::max_history_length=3
+# @TEST-EXEC: zeek -r $TRACES/quic/firefox-102.13.0esr-blog-cloudflare-com.pcap base/protocols/quic QUIC::max_history_length=3
 # @TEST-EXEC: zeek-cut -m ts uid history < quic.log > quic.log.cut
 # @TEST-EXEC: btest-diff quic.log.cut
 # @TEST-EXEC: btest-diff weird.log
--- a/testing/btest/scripts/base/protocols/quic/multiple-initial-fragmented-crypto-only-initial.zeek
+++ b/testing/btest/scripts/base/protocols/quic/multiple-initial-fragmented-crypto-only-initial.zeek
@ -1,7 +1,7 @@
 # @TEST-DOC: Pcap with CRYPTO frames fragemented over multiple INITIAL packets. The pcap only contains 3 INITIAL packets. Check what logs are created.

 # @TEST-REQUIRES: ${SCRIPTS}/have-spicy
-# @TEST-EXEC: zeek -Cr $TRACES/quic/quic-multiple-initial-fragmented-crypto-only-initial.pcap base/protocols/quic
+# @TEST-EXEC: zeek -r $TRACES/quic/quic-multiple-initial-fragmented-crypto-only-initial.pcap base/protocols/quic
 # @TEST-EXEC: test ! -f analyzer.log
 # @TEST-EXEC: test ! -f dpd.log
 # @TEST-EXEC: zeek-cut -m ts uid history service < conn.log > conn.log.cut
--- a/testing/btest/scripts/base/protocols/quic/multiple-initial-fragmented-crypto.zeek
+++ b/testing/btest/scripts/base/protocols/quic/multiple-initial-fragmented-crypto.zeek
@ -1,7 +1,7 @@
 # @TEST-DOC: Pcap with CRYPTO frames fragemented over multiple INITIAL packets.

 # @TEST-REQUIRES: ${SCRIPTS}/have-spicy
-# @TEST-EXEC: zeek -Cr $TRACES/quic/quic-multiple-initial-fragmented-crypto.pcap base/protocols/quic
+# @TEST-EXEC: zeek -r $TRACES/quic/quic-multiple-initial-fragmented-crypto.pcap base/protocols/quic
 # @TEST-EXEC: test ! -f analyzer.log
 # @TEST-EXEC: test ! -f dpd.log
 # @TEST-EXEC: zeek-cut -m ts uid history service < conn.log > conn.log.cut
--- a/testing/btest/scripts/base/protocols/quic/quicdoq.zeek
+++ b/testing/btest/scripts/base/protocols/quic/quicdoq.zeek
@ -1,7 +1,7 @@
 # @TEST-DOC: Pcap with dns-over-quic lookup using https://github.com/private-octopus/quicdoq

 # @TEST-REQUIRES: ${SCRIPTS}/have-spicy
-# @TEST-EXEC: zeek -Cr $TRACES/quic/quicdoq.pcap base/protocols/quic
+# @TEST-EXEC: zeek -r $TRACES/quic/quicdoq.pcap base/protocols/quic
 # @TEST-EXEC: zeek-cut -m ts uid history service < conn.log > conn.log.cut
 # @TEST-EXEC: btest-diff conn.log.cut
 # @TEST-EXEC: btest-diff ssl.log
--- a/testing/btest/scripts/base/protocols/quic/quicv2-echo-443.zeek
+++ b/testing/btest/scripts/base/protocols/quic/quicv2-echo-443.zeek
@ -1,7 +1,7 @@
 # @TEST-DOC: Pcap with quicv2 echo traffic produced with https://raw.githubusercontent.com/quic-go/quic-go/master/example/echo/echo.go
 #
 # @TEST-REQUIRES: ${SCRIPTS}/have-spicy
-# @TEST-EXEC: zeek -Cr $TRACES/quic/quicv2-echo-443.pcap base/protocols/quic
+# @TEST-EXEC: zeek -r $TRACES/quic/quicv2-echo-443.pcap base/protocols/quic
 # @TEST-EXEC: zeek-cut -m ts uid history service < conn.log > conn.log.cut
 # @TEST-EXEC: btest-diff conn.log.cut
 # @TEST-EXEC: btest-diff ssl.log
--- a/testing/btest/scripts/base/protocols/quic/quicv2-http3-443.zeek
+++ b/testing/btest/scripts/base/protocols/quic/quicv2-http3-443.zeek
@ -1,7 +1,7 @@
 # @TEST-DOC: Pcap with quicv2 http3 traffic produced with https://raw.githubusercontent.com/quic-go/quic-go/master/example/main.go
 #
 # @TEST-REQUIRES: ${SCRIPTS}/have-spicy
-# @TEST-EXEC: zeek -Cr $TRACES/quic/quicv2-http3-443.pcap base/protocols/quic
+# @TEST-EXEC: zeek -r $TRACES/quic/quicv2-http3-443.pcap base/protocols/quic
 # @TEST-EXEC: zeek-cut -m ts uid history service < conn.log > conn.log.cut
 # @TEST-EXEC: btest-diff conn.log.cut
 # @TEST-EXEC: btest-diff ssl.log
--- a/testing/btest/scripts/base/protocols/quic/run-pcap.zeek
+++ b/testing/btest/scripts/base/protocols/quic/run-pcap.zeek
@ -1,7 +1,7 @@
 # @TEST-DOC: Test that runs the pcap

 # @TEST-REQUIRES: ${SCRIPTS}/have-spicy
-# @TEST-EXEC: zeek -Cr $TRACES/quic/quic_win11_firefox_google.pcap base/protocols/quic
+# @TEST-EXEC: zeek -r $TRACES/quic/quic_win11_firefox_google.pcap base/protocols/quic
 # @TEST-EXEC: zeek-cut -m ts uid history service < conn.log > conn.log.cut
 # @TEST-EXEC: btest-diff conn.log.cut
 # @TEST-EXEC: btest-diff ssl.log
--- a/testing/btest/scripts/base/protocols/quic/vector-max-size-crash.zeek
+++ b/testing/btest/scripts/base/protocols/quic/vector-max-size-crash.zeek
@ -1,7 +1,7 @@
 # @TEST-DOC: Test that runs the pcap

 # @TEST-REQUIRES: ${SCRIPTS}/have-spicy
-# @TEST-EXEC: zeek -Cr $TRACES/quic/vector-max-size-crash.pcap base/protocols/quic %INPUT > out
+# @TEST-EXEC: zeek -r $TRACES/quic/vector-max-size-crash.pcap base/protocols/quic %INPUT > out
 # @TEST-EXEC: zeek-cut -m ts uid history service < conn.log > conn.log.cut
 # @TEST-EXEC: zeek-cut -m ts cause uid analyzer_kind analyzer_name failure_reason < analyzer_debug.log > analyzer_debug.log.cut
 # @TEST-EXEC: btest-diff conn.log.cut
--- a/testing/btest/scripts/base/protocols/rdp/rdp-invalid-length.zeek
+++ b/testing/btest/scripts/base/protocols/rdp/rdp-invalid-length.zeek
@ -2,7 +2,7 @@
 # header, ensuring that it throws a binpac exception and reports a notice to
 # analyzer.log. The pcap used is a snippet of a pcap from OSS-Fuzz #57109.

-# @TEST-EXEC: zeek -C -b -r $TRACES/rdp/rdp-invalid-length.pcap %INPUT
+# @TEST-EXEC: zeek -b -r $TRACES/rdp/rdp-invalid-length.pcap %INPUT
 # @TEST-EXEC: btest-diff analyzer_debug.log

@load frameworks/analyzer/debug-logging.zeek
--- a/testing/btest/scripts/base/protocols/smb/disabled-dce-rpc.test
+++ b/testing/btest/scripts/base/protocols/smb/disabled-dce-rpc.test
@ -1,4 +1,4 @@
-# @TEST-EXEC: zeek -C -r $TRACES/smb/dssetup_DsRoleGetPrimaryDomainInformation_standalone_workstation.cap %INPUT
+# @TEST-EXEC: zeek -r $TRACES/smb/dssetup_DsRoleGetPrimaryDomainInformation_standalone_workstation.cap %INPUT
 # @TEST-EXEC: [ ! -f dce_rpc.log ]

@load base/protocols/smb
--- a/testing/btest/scripts/base/protocols/smb/smb2-create-delete-on-close.zeek
+++ b/testing/btest/scripts/base/protocols/smb/smb2-create-delete-on-close.zeek
@ -1,7 +1,7 @@
 # Don't run for C++ scripts because there's no script to compile.
 # @TEST-REQUIRES: test "${ZEEK_USE_CPP}" != "1"

-# @TEST-EXEC: zeek -C -r $TRACES/smb/smb2.delete-on-close-perms-delete-existing.pcap policy/protocols/smb/log-cmds
+# @TEST-EXEC: zeek -r $TRACES/smb/smb2.delete-on-close-perms-delete-existing.pcap policy/protocols/smb/log-cmds
 # @TEST-EXEC: btest-diff smb_files.log
 # @TEST-EXEC: btest-diff smb_cmd.log

--- a/testing/btest/scripts/base/protocols/ssl/dtls-no-dtls.test
+++ b/testing/btest/scripts/base/protocols/ssl/dtls-no-dtls.test
@ -1,6 +1,6 @@
 # This tests checks that non-dtls connections to which we attach don't trigger tons of errors.

-# @TEST-EXEC: zeek -C -r $TRACES/dns-txt-multiple.trace %INPUT
+# @TEST-EXEC: zeek -r $TRACES/dns-txt-multiple.trace %INPUT
 # @TEST-EXEC: btest-diff .stdout

 event zeek_init()
--- a/testing/btest/scripts/base/protocols/ssl/ocsp-http-get.test
+++ b/testing/btest/scripts/base/protocols/ssl/ocsp-http-get.test
@ -1,6 +1,6 @@
 # This tests a normal OCSP request sent through HTTP GET

-# @TEST-EXEC: zeek -C -r $TRACES/tls/ocsp-http-get.pcap %INPUT
+# @TEST-EXEC: zeek -r $TRACES/tls/ocsp-http-get.pcap %INPUT
 # @TEST-EXEC: btest-diff ocsp.log
 # @TEST-EXEC: btest-diff .stdout

--- a/testing/btest/scripts/base/protocols/ssl/ocsp-request-only.test
+++ b/testing/btest/scripts/base/protocols/ssl/ocsp-request-only.test
@ -1,6 +1,6 @@
 # This tests a OCSP request missing response

-# @TEST-EXEC: zeek -C -r $TRACES/tls/ocsp-request-only.pcap %INPUT
+# @TEST-EXEC: zeek -r $TRACES/tls/ocsp-request-only.pcap %INPUT
 # @TEST-EXEC: btest-diff .stdout

 event zeek_init()
--- a/testing/btest/scripts/base/protocols/ssl/ocsp-revoked.test
+++ b/testing/btest/scripts/base/protocols/ssl/ocsp-revoked.test
@ -1,6 +1,6 @@
 # This tests OCSP response with revocation

-# @TEST-EXEC: zeek -C -r $TRACES/tls/ocsp-revoked.pcap %INPUT
+# @TEST-EXEC: zeek -r $TRACES/tls/ocsp-revoked.pcap %INPUT
 # @TEST-EXEC: btest-diff ocsp.log
 # @TEST-EXEC: btest-diff .stdout

--- a/testing/btest/scripts/base/protocols/xmpp/client-dpd.test
+++ b/testing/btest/scripts/base/protocols/xmpp/client-dpd.test
@ -1,4 +1,4 @@
-# @TEST-EXEC: zeek -C -b -r $TRACES/tls/xmpp-starttls.pcap %INPUT
+# @TEST-EXEC: zeek -b -r $TRACES/tls/xmpp-starttls.pcap %INPUT
 # @TEST-EXEC: btest-diff ssl.log

@load base/frameworks/signatures
--- a/testing/btest/scripts/base/protocols/xmpp/starttls.test
+++ b/testing/btest/scripts/base/protocols/xmpp/starttls.test
@ -1,4 +1,4 @@
-# @TEST-EXEC: zeek -C -b -r $TRACES/tls/xmpp-starttls.pcap %INPUT
+# @TEST-EXEC: zeek -b -r $TRACES/tls/xmpp-starttls.pcap %INPUT
 # @TEST-EXEC: btest-diff conn.log
 # @TEST-EXEC: btest-diff ssl.log
 # @TEST-EXEC: btest-diff x509.log
--- a/testing/btest/scripts/policy/frameworks/intel/whitelisting.zeek
+++ b/testing/btest/scripts/policy/frameworks/intel/whitelisting.zeek
@ -1,4 +1,4 @@
-# @TEST-EXEC: zeek -b -Cr $TRACES/wikipedia.trace %INPUT
+# @TEST-EXEC: zeek -b -r $TRACES/wikipedia.trace %INPUT
 # @TEST-EXEC: btest-diff intel.log

 #@TEST-START-FILE intel.dat
--- a/testing/btest/scripts/policy/frameworks/telemetry/log-prefixes.zeek
+++ b/testing/btest/scripts/policy/frameworks/telemetry/log-prefixes.zeek
@ -1,5 +1,5 @@
 # @TEST-DOC: Tests that setting log_prefixes filters out the zeek metrics normally created.
-# @TEST-EXEC: zcat <$TRACES/echo-connections.pcap.gz | zeek -b -Cr - %INPUT > out
+# @TEST-EXEC: zcat <$TRACES/echo-connections.pcap.gz | zeek -b -r - %INPUT > out

 # @TEST-EXEC: btest-diff telemetry.log
 # @TEST-EXEC: btest-diff telemetry_histogram.log
--- a/testing/btest/scripts/policy/frameworks/telemetry/log.zeek
+++ b/testing/btest/scripts/policy/frameworks/telemetry/log.zeek
@ -1,5 +1,5 @@
 # @TEST-DOC: Test loading of telemetry/log and smoke check the telemetry.log file
-# @TEST-EXEC: zeek -b -Cr $TRACES/wikipedia.trace %INPUT > out
+# @TEST-EXEC: zeek -b -r $TRACES/wikipedia.trace %INPUT > out
 # @TEST-EXEC: grep -E 'zeek_(net|.*sessions)' telemetry.log > telemetry.log.filtered
 # @TEST-EXEC: grep 'zeek.*connection_duration' telemetry_histogram.log > telemetry_histogram.log.filtered

--- a/testing/btest/spicy/export-bitfield.zeek
+++ b/testing/btest/spicy/export-bitfield.zeek
@ -1,7 +1,7 @@
 # @TEST-REQUIRES: have-spicy
 #
 # @TEST-EXEC: spicyz -do export.hlto export.spicy export.evt
-# @TEST-EXEC: zeek -Cr $TRACES/http/post.trace export.hlto %INPUT >>output
+# @TEST-EXEC: zeek -r $TRACES/http/post.trace export.hlto %INPUT >>output
 # @TEST-EXEC: test '!' -e reporter.log
 # @TEST-EXEC: btest-diff output
 #
--- a/testing/btest/spicy/export-type-e2e.zeek
+++ b/testing/btest/spicy/export-type-e2e.zeek
@ -1,7 +1,7 @@
 # @TEST-REQUIRES: have-spicy
 #
 # @TEST-EXEC: spicyz -do export.hlto export.spicy export.evt
-# @TEST-EXEC: zeek -Cr $TRACES/http/pipelined-requests.trace export.hlto %INPUT >>output
+# @TEST-EXEC: zeek -r $TRACES/http/pipelined-requests.trace export.hlto %INPUT >>output
 # @TEST-EXEC: test '!' -e reporter.log
 # @TEST-EXEC: btest-diff output
 #
--- a/testing/btest/spicy/hook-priority.zeek
+++ b/testing/btest/spicy/hook-priority.zeek
@ -1,6 +1,6 @@
 # @TEST-REQUIRES: have-spicy
 # @TEST-EXEC: spicyz -d -o foo.hlto foo.spicy foo.evt
-# @TEST-EXEC: zeek -Cr ${TRACES}/http/post.trace Zeek::Spicy foo.hlto %INPUT >>output 2>&1
+# @TEST-EXEC: zeek -r ${TRACES}/http/post.trace Zeek::Spicy foo.hlto %INPUT >>output 2>&1
 # @TEST-EXEC: btest-diff output
 #
 # @TEST-DOC: This test validates that hooks from EVT files are invoked after hooks in the Spicy grammar.
--- a/testing/btest/spicy/packet-analyzer-violation.zeek
+++ b/testing/btest/spicy/packet-analyzer-violation.zeek
@ -1,7 +1,7 @@
 # @TEST-REQUIRES: have-spicy
 #
 # @TEST-EXEC: spicyz -d -o zeek_test.hlto analyzer.spicy analyzer.evt
-# @TEST-EXEC: HILTI_DEBUG=spicy zeek -Cr ${TRACES}/spicy/packet-analyzer-violation.pcap zeek_test.hlto %INPUT >output 2>&1
+# @TEST-EXEC: HILTI_DEBUG=spicy zeek -r ${TRACES}/spicy/packet-analyzer-violation.pcap zeek_test.hlto %INPUT >output 2>&1
 # @TEST-EXEC: btest-diff output
 #
 # @TEST-DOC: Checks that packet analyzers correctly report violations. This is a regression test for #132.
--- a/testing/btest/spicy/port-range-one-port.zeek
+++ b/testing/btest/spicy/port-range-one-port.zeek
@ -1,7 +1,7 @@
 # @TEST-REQUIRES: have-spicy
 #
 # @TEST-EXEC: spicyz -o test.hlto udp-test.spicy ./udp-test.evt
-# @TEST-EXEC: HILTI_DEBUG=zeek zeek -Cr ${TRACES}/udp-packet.pcap test.hlto %INPUT >out 2>&1
+# @TEST-EXEC: HILTI_DEBUG=zeek zeek -r ${TRACES}/udp-packet.pcap test.hlto %INPUT >out 2>&1
 # @TEST-EXEC: grep -e 'Scheduling analyzer' -e 'error during parsing' < out > out.filtered
 # @TEST-EXEC: btest-diff out.filtered

--- a/testing/btest/spicy/tcp-eod-behavior-on-destroy.zeek
+++ b/testing/btest/spicy/tcp-eod-behavior-on-destroy.zeek
@ -1,7 +1,7 @@
 # @TEST-REQUIRES: have-spicy
 #
 # @TEST-EXEC: spicyz -d foo.spicy foo.evt -o foo.hlto
-# @TEST-EXEC: zeek -Cr ${TRACES}/http/206_example_b.pcap foo.hlto "Spicy::enable_print=T" >output 2>&1
+# @TEST-EXEC: zeek -r ${TRACES}/http/206_example_b.pcap foo.hlto "Spicy::enable_print=T" >output 2>&1
 # @TEST-EXEC: btest-diff output
 #
 # @TEST-DOC: Exercise &eod behavior when processing is aborted without a regular connection shutdown; regression test for Zeek #4501.