Move arp, tcp, udp, pia, and stepping stone analyzers

2025-10-02 06:38:20 +00:00 · 2020-08-03 12:53:07 -07:00 · 2020-08-03 12:53:07 -07:00 · 914ffcadae
commit 914ffcadae
parent f1cfd5aa2b
112 changed files with 520 additions and 436 deletions
--- a/src/Conn.cc
+++ b/src/Conn.cc
@ -690,7 +690,8 @@ void Connection::IDString(zeek::ODesc* d) const
 	d->Add(ntohs(resp_port));
 	}
-void Connection::SetRootAnalyzer(zeek::analyzer::TransportLayerAnalyzer* analyzer, ::analyzer::pia::PIA* pia)
+void Connection::SetRootAnalyzer(zeek::analyzer::TransportLayerAnalyzer* analyzer,
                                 zeek::analyzer::pia::PIA* pia)
 	{
 	root_analyzer = analyzer;
 	primary_PIA = pia;
--- a/src/Conn.h
+++ b/src/Conn.h
@ -303,9 +303,9 @@ public:
 	void DeleteTimer(double t);
 	// Sets the root of the analyzer tree as well as the primary PIA.
-	void SetRootAnalyzer(zeek::analyzer::TransportLayerAnalyzer* analyzer, ::analyzer::pia::PIA* pia);
+	void SetRootAnalyzer(zeek::analyzer::TransportLayerAnalyzer* analyzer, zeek::analyzer::pia::PIA* pia);
 	zeek::analyzer::TransportLayerAnalyzer* GetRootAnalyzer()	{ return root_analyzer; }
-	::analyzer::pia::PIA* GetPrimaryPIA()	{ return primary_PIA; }
+	zeek::analyzer::pia::PIA* GetPrimaryPIA()	{ return primary_PIA; }
 	// Sets the transport protocol in use.
 	void SetTransport(TransportProto arg_proto)	{ proto = arg_proto; }
@ -382,7 +382,7 @@ protected:
 	uint32_t hist_seen;
 	zeek::analyzer::TransportLayerAnalyzer* root_analyzer;
-	::analyzer::pia::PIA* primary_PIA;
+	zeek::analyzer::pia::PIA* primary_PIA;
 	zeek::UID uid;	// Globally unique connection ID.
 	zeek::detail::WeirdStateMap weird_state;
--- a/src/Reassem.h
+++ b/src/Reassem.h
@ -27,7 +27,6 @@ enum ReassemblerType {
 class Reassembler;
 /**
 * A block/segment of data for use in the reassembly process.
 */
--- a/src/RuleCondition.cc
+++ b/src/RuleCondition.cc
@ -9,15 +9,15 @@
 #include "ID.h"
 #include "Val.h"
-static inline bool is_established(const analyzer::tcp::TCP_Endpoint* e)
+static inline bool is_established(const zeek::analyzer::tcp::TCP_Endpoint* e)
 	{
 	// We more or less follow Snort here: an established session
 	// is one for which the initial handshake has succeded (but we
 	// add partial connections).  The connection tear-down is part
 	// of the connection.
-	return e->state != analyzer::tcp::TCP_ENDPOINT_INACTIVE &&
+	return e->state != zeek::analyzer::tcp::TCP_ENDPOINT_INACTIVE &&
-	       e->state != analyzer::tcp::TCP_ENDPOINT_SYN_SENT &&
+	       e->state != zeek::analyzer::tcp::TCP_ENDPOINT_SYN_SENT &&
-	       e->state != analyzer::tcp::TCP_ENDPOINT_SYN_ACK_SENT;
+	       e->state != zeek::analyzer::tcp::TCP_ENDPOINT_SYN_ACK_SENT;
 	}
 namespace zeek::detail {
@ -30,7 +30,7 @@ bool RuleConditionTCPState::DoMatch(Rule* rule, RuleEndpointState* state,
 	if ( ! root || ! root->IsAnalyzer("TCP") )
 		return false;
-	::analyzer::tcp::TCP_Analyzer* ta = static_cast<::analyzer::tcp::TCP_Analyzer*>(root);
+	auto* ta = static_cast<zeek::analyzer::tcp::TCP_Analyzer*>(root);
 	if ( tcpstates & STATE_STATELESS )
 		return true;
--- a/src/RuleMatcher.cc
+++ b/src/RuleMatcher.cc
@ -184,8 +184,8 @@ void RuleHdrTest::PrintDebug()
 	}
 RuleEndpointState::RuleEndpointState(zeek::analyzer::Analyzer* arg_analyzer, bool arg_is_orig,
-					  RuleEndpointState* arg_opposite,
+                                     RuleEndpointState* arg_opposite,
-					  ::analyzer::pia::PIA* arg_PIA)
+                                     zeek::analyzer::pia::PIA* arg_PIA)
 	{
 	payload_size = -1;
 	analyzer = arg_analyzer;
@ -741,7 +741,7 @@ RuleMatcher::MIME_Matches* RuleMatcher::Match(RuleFileMagicState* state,
 RuleEndpointState* RuleMatcher::InitEndpoint(zeek::analyzer::Analyzer* analyzer,
                                             const zeek::IP_Hdr* ip, int caplen,
                                             RuleEndpointState* opposite,
-                                             bool from_orig, ::analyzer::pia::PIA* pia)
+                                             bool from_orig, zeek::analyzer::pia::PIA* pia)
 	{
 	RuleEndpointState* state =
 		new RuleEndpointState(analyzer, from_orig, opposite, pia);
@ -1420,7 +1420,7 @@ uint32_t id_to_uint(const char* id)
 	}
 void RuleMatcherState::InitEndpointMatcher(zeek::analyzer::Analyzer* analyzer, const zeek::IP_Hdr* ip,
-                                           int caplen, bool from_orig, ::analyzer::pia::PIA* pia)
+                                           int caplen, bool from_orig, zeek::analyzer::pia::PIA* pia)
 	{
 	if ( ! rule_matcher )
 		return;
--- a/src/RuleMatcher.h
+++ b/src/RuleMatcher.h
@ -37,10 +37,7 @@ ZEEK_FORWARD_DECLARE_NAMESPACED(IPPrefix, zeek);
 ZEEK_FORWARD_DECLARE_NAMESPACED(Val, zeek);
 ZEEK_FORWARD_DECLARE_NAMESPACED(Analyzer, zeek, analyzer);
 ZEEK_FORWARD_DECLARE_NAMESPACED(IntSet, zeek::detail);
-
+ZEEK_FORWARD_DECLARE_NAMESPACED(PIA, zeek, analyzer::pia);
 namespace analyzer {
 	namespace pia { class PIA; }
 }
 namespace zeek::detail {
@ -154,7 +151,7 @@ public:
 	// Returns -1 if no chunk has been fed yet at all.
 	int PayloadSize()	{ return payload_size; }
-	::analyzer::pia::PIA* PIA() const	{ return pia; }
+	zeek::analyzer::pia::PIA* PIA() const	{ return pia; }
 private:
 	friend class RuleMatcher;
@ -162,7 +159,7 @@ private:
 	// Constructor is private; use RuleMatcher::InitEndpoint()
 	// for creating an instance.
 	RuleEndpointState(zeek::analyzer::Analyzer* arg_analyzer, bool arg_is_orig,
-	                  RuleEndpointState* arg_opposite, ::analyzer::pia::PIA* arg_PIA);
+	                  RuleEndpointState* arg_opposite, zeek::analyzer::pia::PIA* arg_PIA);
 	struct Matcher {
 		RE_Match_State* state;
@ -173,7 +170,7 @@ private:
 	zeek::analyzer::Analyzer* analyzer;
 	RuleEndpointState* opposite;
-	::analyzer::pia::PIA* pia;
+	zeek::analyzer::pia::PIA* pia;
 	matcher_list matchers;
 	rule_hdr_test_list hdr_tests;
@ -267,7 +264,7 @@ public:
 	// it needs to be given.
 	RuleEndpointState* InitEndpoint(zeek::analyzer::Analyzer* analyzer, const zeek::IP_Hdr* ip,
 	                                int caplen, RuleEndpointState* opposite, bool is_orig,
-	                                ::analyzer::pia::PIA* pia);
+	                                zeek::analyzer::pia::PIA* pia);
 	// Finish matching for this stream.
 	void FinishEndpoint(RuleEndpointState* state);
@ -376,7 +373,7 @@ public:
 	// ip may be nil.
 	void InitEndpointMatcher(zeek::analyzer::Analyzer* analyzer, const zeek::IP_Hdr* ip,
-	                         int caplen, bool from_orig, ::analyzer::pia::PIA* pia = nullptr);
+	                         int caplen, bool from_orig, zeek::analyzer::pia::PIA* pia = nullptr);
 	// bol/eol should be set to false for type Rule::PAYLOAD; they're
 	// deduced automatically.
--- a/src/Sessions.cc
+++ b/src/Sessions.cc
@ -72,7 +72,7 @@ void IPTunnelTimer::Dispatch(double t, bool is_expire)
 NetSessions::NetSessions()
 	{
 	if ( stp_correlate_pair )
-		stp_manager = new ::analyzer::stepping_stone::SteppingStoneManager();
+		stp_manager = new zeek::analyzer::stepping_stone::SteppingStoneManager();
 	else
 		stp_manager = nullptr;
@ -96,7 +96,7 @@ NetSessions::NetSessions()
 		pkt_profiler = nullptr;
 	if ( arp_request || arp_reply || bad_arp )
-		arp_analyzer = new ::analyzer::arp::ARP_Analyzer();
+		arp_analyzer = new zeek::analyzer::arp::ARP_Analyzer();
 	else
 		arp_analyzer = nullptr;
@ -403,9 +403,9 @@ void NetSessions::DoNextPacket(double t, const zeek::Packet* pkt, const zeek::IP
 		const struct icmp* icmpp = (const struct icmp *) data;
 		id.src_port = icmpp->icmp_type;
-		id.dst_port = ::analyzer::icmp::ICMP4_counterpart(icmpp->icmp_type,
+		id.dst_port = zeek::analyzer::icmp::ICMP4_counterpart(icmpp->icmp_type,
-								icmpp->icmp_code,
+		                                                      icmpp->icmp_code,
-								id.is_one_way);
+		                                                      id.is_one_way);
 		id.src_port = htons(id.src_port);
 		id.dst_port = htons(id.dst_port);
@ -419,9 +419,9 @@ void NetSessions::DoNextPacket(double t, const zeek::Packet* pkt, const zeek::IP
 		const struct icmp* icmpp = (const struct icmp *) data;
 		id.src_port = icmpp->icmp_type;
-		id.dst_port = ::analyzer::icmp::ICMP6_counterpart(icmpp->icmp_type,
+		id.dst_port = zeek::analyzer::icmp::ICMP6_counterpart(icmpp->icmp_type,
-								icmpp->icmp_code,
+		                                                      icmpp->icmp_code,
-								id.is_one_way);
+		                                                      id.is_one_way);
 		id.src_port = htons(id.src_port);
 		id.dst_port = htons(id.dst_port);
@ -1011,10 +1011,10 @@ void NetSessions::Remove(Connection* c)
 		if ( c->ConnTransport() == TRANSPORT_TCP )
 			{
-			auto ta = static_cast<::analyzer::tcp::TCP_Analyzer*>(c->GetRootAnalyzer());
+			auto ta = static_cast<zeek::analyzer::tcp::TCP_Analyzer*>(c->GetRootAnalyzer());
 			assert(ta->IsAnalyzer("TCP"));
-			::analyzer::tcp::TCP_Endpoint* to = ta->Orig();
+			zeek::analyzer::tcp::TCP_Endpoint* to = ta->Orig();
-			::analyzer::tcp::TCP_Endpoint* tr = ta->Resp();
+			zeek::analyzer::tcp::TCP_Endpoint* tr = ta->Resp();
 			tcp_stats.StateLeft(to->state, tr->state);
 			}
--- a/src/Sessions.h
+++ b/src/Sessions.h
@ -23,9 +23,8 @@ namespace zeek { struct ConnID; }
 using ConnID [[deprecated("Remove in v4.1. Use zeek::ConnID.")]] = zeek::ConnID;
 ZEEK_FORWARD_DECLARE_NAMESPACED(Discarder, zeek::detail);
-
+ZEEK_FORWARD_DECLARE_NAMESPACED(SteppingStoneManager, zeek, analyzer::stepping_stone);
-namespace analyzer { namespace stepping_stone { class SteppingStoneManager; } }
+ZEEK_FORWARD_DECLARE_NAMESPACED(ARP_Analyzer, zeek, analyzer::arp);
 namespace analyzer { namespace arp { class ARP_Analyzer; } }
 namespace zeek {
@ -95,7 +94,7 @@ public:
 		return packet_filter;
 		}
-	::analyzer::stepping_stone::SteppingStoneManager* GetSTPManager()	{ return stp_manager; }
+	zeek::analyzer::stepping_stone::SteppingStoneManager* GetSTPManager()	{ return stp_manager; }
 	unsigned int CurrentConnections()
 		{
@ -172,7 +171,7 @@ public:
 	unsigned int ConnectionMemoryUsage();
 	unsigned int ConnectionMemoryUsageConnVals();
 	unsigned int MemoryAllocation();
-	::analyzer::tcp::TCPStateStats tcp_stats;	// keeps statistics on TCP states
+	zeek::analyzer::tcp::TCPStateStats tcp_stats;	// keeps statistics on TCP states
 protected:
 	friend class ConnCompressor;
@ -235,9 +234,9 @@ protected:
 	using IPTunnelMap = std::map<IPPair, TunnelActivity>;
 	IPTunnelMap ip_tunnels;
-	::analyzer::arp::ARP_Analyzer* arp_analyzer;
+	zeek::analyzer::arp::ARP_Analyzer* arp_analyzer;
-	::analyzer::stepping_stone::SteppingStoneManager* stp_manager;
+	zeek::analyzer::stepping_stone::SteppingStoneManager* stp_manager;
 	zeek::detail::Discarder* discarder;
 	zeek::detail::PacketFilter* packet_filter;
 	uint64_t num_packets_processed;
--- a/src/analyzer/Analyzer.h
+++ b/src/analyzer/Analyzer.h
@ -19,6 +19,8 @@
 ZEEK_FORWARD_DECLARE_NAMESPACED(Connection, zeek);
 ZEEK_FORWARD_DECLARE_NAMESPACED(Rule, zeek::detail);
 ZEEK_FORWARD_DECLARE_NAMESPACED(IP_Hdr, zeek);
 ZEEK_FORWARD_DECLARE_NAMESPACED(TCP_ApplicationAnalyzer, zeek, analyzer::tcp);
 ZEEK_FORWARD_DECLARE_NAMESPACED(PIA, zeek, analyzer::pia);
 namespace zeek {
 using RecordValPtr = zeek::IntrusivePtr<RecordVal>;
@ -29,11 +31,6 @@ using FilePtr = zeek::IntrusivePtr<File>;
 using BroFile [[deprecated("Remove in v4.1. Use zeek::File.")]] = zeek::File;
 using BroFilePtr [[deprecated("Remove in v4.1. Use zeek::FilePtr.")]] = zeek::FilePtr;
 namespace analyzer {
 namespace tcp { class TCP_ApplicationAnalyzer; }
 namespace pia { class PIA; }
 }
 namespace zeek::analyzer {
 class Analyzer;
@ -633,7 +630,7 @@ protected:
 	friend class AnalyzerTimer;
 	friend class Manager;
 	friend class zeek::Connection;
-	friend class ::analyzer::tcp::TCP_ApplicationAnalyzer;
+	friend class zeek::analyzer::tcp::TCP_ApplicationAnalyzer;
 	/**
 	 * Return a string represantation of an analyzer, containing its name
@ -938,13 +935,13 @@ public:
 	 * transport-layer input and determine which protocol analyzer(s) to
 	 * use for parsing it.
 	 */
-	void SetPIA(::analyzer::pia::PIA* arg_PIA)	{ pia = arg_PIA; }
+	void SetPIA(zeek::analyzer::pia::PIA* arg_PIA)	{ pia = arg_PIA; }
 	/**
 	 * Returns the associated PIA, or null of none. Does not take
 	 * ownership.
 	 */
-	::analyzer::pia::PIA* GetPIA() const		{ return pia; }
+	zeek::analyzer::pia::PIA* GetPIA() const		{ return pia; }
 	/**
 	 * Helper to raise a \c packet_contents event.
@ -956,7 +953,7 @@ public:
 	void PacketContents(const u_char* data, int len);
 private:
-	::analyzer::pia::PIA* pia;
+	zeek::analyzer::pia::PIA* pia;
 };
 } // namespace zeek::analyzer
--- a/src/analyzer/Manager.cc
+++ b/src/analyzer/Manager.cc
@ -20,7 +20,7 @@
 using namespace zeek::analyzer;
 Manager::ConnIndex::ConnIndex(const IPAddr& _orig, const IPAddr& _resp,
-				     uint16_t _resp_p, uint16_t _proto)
+                              uint16_t _resp_p, uint16_t _proto)
 	{
 	if ( _orig == IPAddr::v4_unspecified )
 		// don't use the IPv4 mapping, use the literal unspecified address
@ -360,31 +360,29 @@ Manager::tag_set* Manager::LookupPort(zeek::PortVal* val, bool add_if_not_found)
 bool Manager::BuildInitialAnalyzerTree(Connection* conn)
 	{
-	::analyzer::tcp::TCP_Analyzer* tcp = nullptr;
+	zeek::analyzer::tcp::TCP_Analyzer* tcp = nullptr;
 	::analyzer::udp::UDP_Analyzer* udp = nullptr;
 	::analyzer::icmp::ICMP_Analyzer* icmp = nullptr;
 	TransportLayerAnalyzer* root = nullptr;
-	::analyzer::pia::PIA* pia = nullptr;
+	zeek::analyzer::pia::PIA* pia = nullptr;
 	bool check_port = false;
 	switch ( conn->ConnTransport() ) {
 	case TRANSPORT_TCP:
-		root = tcp = new ::analyzer::tcp::TCP_Analyzer(conn);
+		root = tcp = new zeek::analyzer::tcp::TCP_Analyzer(conn);
-		pia = new ::analyzer::pia::PIA_TCP(conn);
+		pia = new zeek::analyzer::pia::PIA_TCP(conn);
 		check_port = true;
 		DBG_ANALYZER(conn, "activated TCP analyzer");
 		break;
 	case TRANSPORT_UDP:
-		root = udp = new ::analyzer::udp::UDP_Analyzer(conn);
+		root = new zeek::analyzer::udp::UDP_Analyzer(conn);
-		pia = new ::analyzer::pia::PIA_UDP(conn);
+		pia = new zeek::analyzer::pia::PIA_UDP(conn);
 		check_port = true;
 		DBG_ANALYZER(conn, "activated UDP analyzer");
 		break;
 	case TRANSPORT_ICMP: {
-		root = icmp = new ::analyzer::icmp::ICMP_Analyzer(conn);
+		root = new zeek::analyzer::icmp::ICMP_Analyzer(conn);
 		DBG_ANALYZER(conn, "activated ICMP analyzer");
 		break;
 		}
@ -466,14 +464,14 @@ bool Manager::BuildInitialAnalyzerTree(Connection* conn)
 				auto src = zeek::make_intrusive<zeek::AddrVal>(conn->OrigAddr());
 				if ( ! stp_skip_src->FindOrDefault(src) )
-					tcp->AddChildAnalyzer(new ::analyzer::stepping_stone::SteppingStone_Analyzer(conn), false);
+					tcp->AddChildAnalyzer(new zeek::analyzer::stepping_stone::SteppingStone_Analyzer(conn), false);
 				}
 			}
 		if ( IsEnabled(analyzer_tcpstats) )
 			// Add TCPStats analyzer. This needs to see packets so
 			// we cannot add it as a normal child.
-			tcp->AddChildPacketAnalyzer(new ::analyzer::tcp::TCPStats_Analyzer(conn));
+			tcp->AddChildPacketAnalyzer(new zeek::analyzer::tcp::TCPStats_Analyzer(conn));
 		if ( IsEnabled(analyzer_connsize) )
 			// Add ConnSize analyzer. Needs to see packets, not stream.
--- a/src/analyzer/protocol/arp/ARP.cc
+++ b/src/analyzer/protocol/arp/ARP.cc
@ -7,7 +7,7 @@
 #include "events.bif.h"
-using namespace analyzer::arp;
+namespace zeek::analyzer::arp {
 ARP_Analyzer::ARP_Analyzer()
 	{
@ -240,3 +240,5 @@ zeek::StringValPtr ARP_Analyzer::ToEthAddrStr(const u_char* addr)
 			addr[0], addr[1], addr[2], addr[3], addr[4], addr[5]);
 	return zeek::make_intrusive<zeek::StringVal>(buf);
 	}
 } // namespace zeek::analyzer::arp
--- a/src/analyzer/protocol/arp/ARP.h
+++ b/src/analyzer/protocol/arp/ARP.h
@ -30,7 +30,7 @@ extern "C" {
 #include <pcap.h>
 }
-namespace analyzer::arp {
+namespace zeek::analyzer::arp {
 class ARP_Analyzer : public zeek::Obj {
 public:
@ -57,4 +57,8 @@ protected:
 	void Corrupted(const char* string);
 };
-} // namespace analyzer::arp
+} // namespace zeek::analyzer::arp
 namespace analyer::arp {
 	using ARP_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::arp::ARP_Analyzer.")]] = zeek::analyzer::arp::ARP_Analyzer;
 }
--- a/src/analyzer/protocol/bittorrent/BitTorrent.cc
+++ b/src/analyzer/protocol/bittorrent/BitTorrent.cc
@ -8,7 +8,7 @@
 using namespace analyzer::bittorrent;
 BitTorrent_Analyzer::BitTorrent_Analyzer(zeek::Connection* c)
-: tcp::TCP_ApplicationAnalyzer("BITTORRENT", c)
+: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("BITTORRENT", c)
 	{
 	interp = new binpac::BitTorrent::BitTorrent_Conn(this);
 	stop_orig = stop_resp = false;
@ -22,7 +22,7 @@ BitTorrent_Analyzer::~BitTorrent_Analyzer()
 void BitTorrent_Analyzer::Done()
 	{
-	tcp::TCP_ApplicationAnalyzer::Done();
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done();
 	interp->FlowEOF(true);
 	interp->FlowEOF(false);
@ -33,7 +33,7 @@ void BitTorrent_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 	uint64_t& this_stream_len = orig ? stream_len_orig : stream_len_resp;
 	bool& this_stop = orig ? stop_orig : stop_resp;
-	tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
 	assert(TCP());
@ -70,7 +70,7 @@ void BitTorrent_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 void BitTorrent_Analyzer::Undelivered(uint64_t seq, int len, bool orig)
 	{
-	tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
 	// TODO: Code commented out for now. I think that shoving data that
 	// is definitely wrong into the parser seems like a really bad idea.
@ -112,7 +112,7 @@ void BitTorrent_Analyzer::Undelivered(uint64_t seq, int len, bool orig)
 void BitTorrent_Analyzer::EndpointEOF(bool is_orig)
 	{
-	tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
 	interp->FlowEOF(is_orig);
 	}
--- a/src/analyzer/protocol/bittorrent/BitTorrent.h
+++ b/src/analyzer/protocol/bittorrent/BitTorrent.h
@ -8,7 +8,7 @@
 namespace analyzer { namespace bittorrent {
-class BitTorrent_Analyzer final : public tcp::TCP_ApplicationAnalyzer {
+class BitTorrent_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
 public:
 	explicit BitTorrent_Analyzer(zeek::Connection* conn);
 	~BitTorrent_Analyzer() override;
--- a/src/analyzer/protocol/bittorrent/BitTorrentTracker.cc
+++ b/src/analyzer/protocol/bittorrent/BitTorrentTracker.cc
@ -22,7 +22,7 @@ static zeek::RecordTypePtr bittorrent_benc_value;
 static zeek::TableTypePtr bittorrent_benc_dir;
 BitTorrentTracker_Analyzer::BitTorrentTracker_Analyzer(zeek::Connection* c)
-: tcp::TCP_ApplicationAnalyzer("BITTORRENTTRACKER", c)
+: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("BITTORRENTTRACKER", c)
 	{
 	if ( ! bt_tracker_headers )
 		{
@ -78,13 +78,13 @@ BitTorrentTracker_Analyzer::~BitTorrentTracker_Analyzer()
 void BitTorrentTracker_Analyzer::Done()
 	{
-	tcp::TCP_ApplicationAnalyzer::Done();
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done();
 	}
 void BitTorrentTracker_Analyzer::DeliverStream(int len, const u_char* data,
 						bool orig)
 	{
-	tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
 	assert(TCP());
@ -208,7 +208,7 @@ void BitTorrentTracker_Analyzer::ServerReply(int len, const u_char* data)
 void BitTorrentTracker_Analyzer::Undelivered(uint64_t seq, int len, bool orig)
 	{
-	tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
 	ProtocolViolation("BitTorrentTracker: cannot recover from content gap");
@ -220,7 +220,7 @@ void BitTorrentTracker_Analyzer::Undelivered(uint64_t seq, int len, bool orig)
 void BitTorrentTracker_Analyzer::EndpointEOF(bool is_orig)
 	{
-	tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
 	}
 void BitTorrentTracker_Analyzer::InitBencParser(void)
--- a/src/analyzer/protocol/bittorrent/BitTorrentTracker.h
+++ b/src/analyzer/protocol/bittorrent/BitTorrentTracker.h
@ -43,7 +43,7 @@ enum btt_benc_states {
 	BENC_STATE_STR2,
 };
-class BitTorrentTracker_Analyzer final : public tcp::TCP_ApplicationAnalyzer {
+class BitTorrentTracker_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
 public:
 	explicit BitTorrentTracker_Analyzer(zeek::Connection* conn);
 	~BitTorrentTracker_Analyzer() override;
--- a/src/analyzer/protocol/dce-rpc/DCE_RPC.cc
+++ b/src/analyzer/protocol/dce-rpc/DCE_RPC.cc
@ -13,7 +13,7 @@ using namespace std;
 using namespace analyzer::dce_rpc;
 DCE_RPC_Analyzer::DCE_RPC_Analyzer(zeek::Connection* conn)
-: tcp::TCP_ApplicationAnalyzer("DCE_RPC", conn)
+	: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("DCE_RPC", conn)
 	{
 	had_gap = false;
 	interp = new binpac::DCE_RPC::DCE_RPC_Conn(this);
--- a/src/analyzer/protocol/dce-rpc/DCE_RPC.h
+++ b/src/analyzer/protocol/dce-rpc/DCE_RPC.h
@ -11,7 +11,7 @@
 namespace analyzer { namespace dce_rpc {
-class DCE_RPC_Analyzer final : public tcp::TCP_ApplicationAnalyzer {
+class DCE_RPC_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
 public:
 	explicit DCE_RPC_Analyzer(zeek::Connection* conn);
 	~DCE_RPC_Analyzer() override;
--- a/src/analyzer/protocol/dnp3/DNP3.h
+++ b/src/analyzer/protocol/dnp3/DNP3.h
@ -61,7 +61,7 @@ protected:
 	Endpoint resp_state;
 };
-class DNP3_TCP_Analyzer : public DNP3_Base, public tcp::TCP_ApplicationAnalyzer {
+class DNP3_TCP_Analyzer : public DNP3_Base, public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
 public:
 	explicit DNP3_TCP_Analyzer(zeek::Connection* conn);
 	~DNP3_TCP_Analyzer() override;
--- a/src/analyzer/protocol/dns/DNS.cc
+++ b/src/analyzer/protocol/dns/DNS.cc
@ -1797,7 +1797,7 @@ zeek::RecordValPtr DNS_MsgInfo::BuildDS_Val(DS_DATA* ds)
 Contents_DNS::Contents_DNS(zeek::Connection* conn, bool orig,
 				DNS_Interpreter* arg_interp)
-: tcp::TCP_SupportAnalyzer("CONTENTS_DNS", conn, orig)
+: zeek::analyzer::tcp::TCP_SupportAnalyzer("CONTENTS_DNS", conn, orig)
 	{
 	interp = arg_interp;
@ -1890,7 +1890,7 @@ void Contents_DNS::ProcessChunk(int& len, const u_char*& data, bool orig)
 	}
 DNS_Analyzer::DNS_Analyzer(zeek::Connection* conn)
-: tcp::TCP_ApplicationAnalyzer("DNS", conn)
+: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("DNS", conn)
 	{
 	interp = new DNS_Interpreter(this);
 	contents_dns_orig = contents_dns_resp = nullptr;
@ -1921,7 +1921,7 @@ void DNS_Analyzer::Init()
 void DNS_Analyzer::Done()
 	{
-	tcp::TCP_ApplicationAnalyzer::Done();
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done();
 	if ( Conn()->ConnTransport() == TRANSPORT_UDP )
 		Event(udp_session_done);
@ -1932,15 +1932,16 @@ void DNS_Analyzer::Done()
 void DNS_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
 					uint64_t seq, const zeek::IP_Hdr* ip, int caplen)
 	{
-	tcp::TCP_ApplicationAnalyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
 	interp->ParseMessage(data, len, orig ? 1 : 0);
 	}
-void DNS_Analyzer::ConnectionClosed(tcp::TCP_Endpoint* endpoint, tcp::TCP_Endpoint* peer,
+void DNS_Analyzer::ConnectionClosed(zeek::analyzer::tcp::TCP_Endpoint* endpoint,
-					bool gen_event)
+                                    zeek::analyzer::tcp::TCP_Endpoint* peer,
                                    bool gen_event)
 	{
-	tcp::TCP_ApplicationAnalyzer::ConnectionClosed(endpoint, peer, gen_event);
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::ConnectionClosed(endpoint, peer, gen_event);
 	assert(contents_dns_orig && contents_dns_resp);
 	contents_dns_orig->Flush();
--- a/src/analyzer/protocol/dns/DNS.h
+++ b/src/analyzer/protocol/dns/DNS.h
@ -369,7 +369,7 @@ typedef enum {
 // Support analyzer which chunks the TCP stream into "packets".
 // ### This should be merged with TCP_Contents_RPC.
-class Contents_DNS final : public tcp::TCP_SupportAnalyzer {
+class Contents_DNS final : public zeek::analyzer::tcp::TCP_SupportAnalyzer {
 public:
 	Contents_DNS(zeek::Connection* c, bool orig, DNS_Interpreter* interp);
 	~Contents_DNS() override;
@ -392,7 +392,7 @@ protected:
 };
 // Works for both TCP and UDP.
-class DNS_Analyzer final : public tcp::TCP_ApplicationAnalyzer {
+class DNS_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
 public:
 	explicit DNS_Analyzer(zeek::Connection* conn);
 	~DNS_Analyzer() override;
@ -402,8 +402,8 @@ public:
 	void Init() override;
 	void Done() override;
-	void ConnectionClosed(tcp::TCP_Endpoint* endpoint,
+	void ConnectionClosed(zeek::analyzer::tcp::TCP_Endpoint* endpoint,
-					tcp::TCP_Endpoint* peer, bool gen_event) override;
+	                      zeek::analyzer::tcp::TCP_Endpoint* peer, bool gen_event) override;
 	void ExpireTimer(double t);
 	static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn)
--- a/src/analyzer/protocol/file/File.cc
+++ b/src/analyzer/protocol/file/File.cc
@ -19,7 +19,7 @@ File_Analyzer::File_Analyzer(const char* name, zeek::Connection* conn)
 void File_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 	{
-	tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
 	int n = std::min(len, BUFFER_SIZE - buffer_len);
@ -54,7 +54,7 @@ void File_Analyzer::Undelivered(uint64_t seq, int len, bool orig)
 void File_Analyzer::Done()
 	{
-	tcp::TCP_ApplicationAnalyzer::Done();
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done();
 	if ( buffer_len && buffer_len != BUFFER_SIZE )
 		Identify();
--- a/src/analyzer/protocol/file/File.h
+++ b/src/analyzer/protocol/file/File.h
@ -8,7 +8,7 @@
 namespace analyzer { namespace file {
-class File_Analyzer : public tcp::TCP_ApplicationAnalyzer {
+class File_Analyzer : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
 public:
 	File_Analyzer(const char* name, zeek::Connection* conn);
--- a/src/analyzer/protocol/finger/Finger.cc
+++ b/src/analyzer/protocol/finger/Finger.cc
@ -14,24 +14,24 @@
 using namespace analyzer::finger;
 Finger_Analyzer::Finger_Analyzer(zeek::Connection* conn)
-: tcp::TCP_ApplicationAnalyzer("FINGER", conn)
+: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("FINGER", conn)
 	{
 	did_deliver = 0;
-	content_line_orig = new tcp::ContentLine_Analyzer(conn, true, 1000);
+	content_line_orig = new zeek::analyzer::tcp::ContentLine_Analyzer(conn, true, 1000);
 	content_line_orig->SetIsNULSensitive(true);
-	content_line_resp = new tcp::ContentLine_Analyzer(conn, false, 1000);
+	content_line_resp = new zeek::analyzer::tcp::ContentLine_Analyzer(conn, false, 1000);
 	AddSupportAnalyzer(content_line_orig);
 	AddSupportAnalyzer(content_line_resp);
 	}
 void Finger_Analyzer::Done()
 	{
-	tcp::TCP_ApplicationAnalyzer::Done();
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done();
 	if ( TCP() )
 		if ( (! did_deliver || content_line_orig->HasPartialLine()) &&
-		     (TCP()->OrigState() == tcp::TCP_ENDPOINT_CLOSED ||
+		     (TCP()->OrigState() == zeek::analyzer::tcp::TCP_ENDPOINT_CLOSED ||
-		      TCP()->OrigPrevState() == tcp::TCP_ENDPOINT_CLOSED) )
+		      TCP()->OrigPrevState() == zeek::analyzer::tcp::TCP_ENDPOINT_CLOSED) )
 			// ### should include the partial text
 			Weird("partial_finger_request");
 	}
--- a/src/analyzer/protocol/finger/Finger.h
+++ b/src/analyzer/protocol/finger/Finger.h
@ -7,7 +7,7 @@
 namespace analyzer { namespace finger {
-class Finger_Analyzer : public tcp::TCP_ApplicationAnalyzer {
+class Finger_Analyzer : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
 public:
 	explicit Finger_Analyzer(zeek::Connection* conn);
 	~Finger_Analyzer() override {}
@ -20,8 +20,8 @@ public:
 		{ return new Finger_Analyzer(conn); }
 protected:
-	tcp::ContentLine_Analyzer* content_line_orig;
+	zeek::analyzer::tcp::ContentLine_Analyzer* content_line_orig;
-	tcp::ContentLine_Analyzer* content_line_resp;
+	zeek::analyzer::tcp::ContentLine_Analyzer* content_line_resp;
 	int did_deliver;
 };
--- a/src/analyzer/protocol/ftp/FTP.cc
+++ b/src/analyzer/protocol/ftp/FTP.cc
@ -18,7 +18,7 @@
 using namespace analyzer::ftp;
 FTP_Analyzer::FTP_Analyzer(zeek::Connection* conn)
-: tcp::TCP_ApplicationAnalyzer("FTP", conn)
+: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("FTP", conn)
 	{
 	pending_reply = 0;
@ -43,11 +43,11 @@ FTP_Analyzer::FTP_Analyzer(zeek::Connection* conn)
 void FTP_Analyzer::Done()
 	{
-	tcp::TCP_ApplicationAnalyzer::Done();
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done();
 	if ( nvt_orig->HasPartialLine() &&
-	     (TCP()->OrigState() == tcp::TCP_ENDPOINT_CLOSED ||
+	     (TCP()->OrigState() == zeek::analyzer::tcp::TCP_ENDPOINT_CLOSED ||
-	      TCP()->OrigPrevState() == tcp::TCP_ENDPOINT_CLOSED) )
+	      TCP()->OrigPrevState() == zeek::analyzer::tcp::TCP_ENDPOINT_CLOSED) )
 		// ### should include the partial text
 		Weird("partial_ftp_request");
 	}
@ -62,7 +62,7 @@ static uint32_t get_reply_code(int len, const char* line)
 void FTP_Analyzer::DeliverStream(int length, const u_char* data, bool orig)
 	{
-	tcp::TCP_ApplicationAnalyzer::DeliverStream(length, data, orig);
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(length, data, orig);
 	if ( (orig && ! ftp_request) || (! orig && ! ftp_reply) )
 		return;
--- a/src/analyzer/protocol/ftp/FTP.h
+++ b/src/analyzer/protocol/ftp/FTP.h
@ -8,7 +8,7 @@ namespace analyzer { namespace login { class NVT_Analyzer; }}
 namespace analyzer { namespace ftp {
-class FTP_Analyzer final : public tcp::TCP_ApplicationAnalyzer {
+class FTP_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
 public:
 	explicit FTP_Analyzer(zeek::Connection* conn);
--- a/src/analyzer/protocol/gnutella/Gnutella.cc
+++ b/src/analyzer/protocol/gnutella/Gnutella.cc
@ -34,7 +34,7 @@ GnutellaMsgState::GnutellaMsgState()
 Gnutella_Analyzer::Gnutella_Analyzer(zeek::Connection* conn)
-: tcp::TCP_ApplicationAnalyzer("GNUTELLA", conn)
+: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("GNUTELLA", conn)
 	{
 	state = 0;
 	new_state = 0;
@ -54,7 +54,7 @@ Gnutella_Analyzer::~Gnutella_Analyzer()
 void Gnutella_Analyzer::Done()
 	{
-	tcp::TCP_ApplicationAnalyzer::Done();
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done();
 	if ( ! sent_establish && (gnutella_establish || gnutella_not_establish) )
 		{
@ -126,9 +126,9 @@ bool Gnutella_Analyzer::IsHTTP(std::string header)
 		if ( Parent()->IsAnalyzer("TCP") )
 			{
 			// Replay buffered data.
-			pia::PIA* pia = static_cast<zeek::analyzer::TransportLayerAnalyzer *>(Parent())->GetPIA();
+			zeek::analyzer::pia::PIA* pia = static_cast<zeek::analyzer::TransportLayerAnalyzer *>(Parent())->GetPIA();
 			if ( pia )
-				static_cast<pia::PIA_TCP *>(pia)->ReplayStreamBuffer(a);
+				static_cast<zeek::analyzer::pia::PIA_TCP *>(pia)->ReplayStreamBuffer(a);
 			}
 		Parent()->RemoveChildAnalyzer(this);
@ -301,7 +301,7 @@ void Gnutella_Analyzer::DeliverMessages(int len, const u_char* data, bool orig)
 void Gnutella_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 	{
-	tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
 	ms = orig ? orig_msg_state : resp_msg_state;
 	ms->current_offset = 0;
--- a/src/analyzer/protocol/gnutella/Gnutella.h
+++ b/src/analyzer/protocol/gnutella/Gnutella.h
@ -33,7 +33,7 @@ public:
 };
-class Gnutella_Analyzer : public tcp::TCP_ApplicationAnalyzer {
+class Gnutella_Analyzer : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
 public:
 	explicit Gnutella_Analyzer(zeek::Connection* conn);
 	~Gnutella_Analyzer() override;
--- a/src/analyzer/protocol/gssapi/GSSAPI.cc
+++ b/src/analyzer/protocol/gssapi/GSSAPI.cc
@ -8,7 +8,7 @@
 using namespace analyzer::gssapi;
 GSSAPI_Analyzer::GSSAPI_Analyzer(zeek::Connection* c)
-	: tcp::TCP_ApplicationAnalyzer("GSSAPI", c)
+	: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("GSSAPI", c)
 	{
 	interp = new binpac::GSSAPI::GSSAPI_Conn(this);
 	}
@ -20,7 +20,7 @@ GSSAPI_Analyzer::~GSSAPI_Analyzer()
 void GSSAPI_Analyzer::Done()
 	{
-	tcp::TCP_ApplicationAnalyzer::Done();
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done();
 	interp->FlowEOF(true);
 	interp->FlowEOF(false);
@ -28,13 +28,13 @@ void GSSAPI_Analyzer::Done()
 void GSSAPI_Analyzer::EndpointEOF(bool is_orig)
 	{
-	tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
 	interp->FlowEOF(is_orig);
 	}
 void GSSAPI_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 	{
-	tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
 	assert(TCP());
@ -51,6 +51,6 @@ void GSSAPI_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 void GSSAPI_Analyzer::Undelivered(uint64_t seq, int len, bool orig)
 	{
-	tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
 	interp->NewGap(orig, len);
 	}
--- a/src/analyzer/protocol/gssapi/GSSAPI.h
+++ b/src/analyzer/protocol/gssapi/GSSAPI.h
@ -9,7 +9,7 @@
 namespace analyzer { namespace gssapi {
-class GSSAPI_Analyzer final : public tcp::TCP_ApplicationAnalyzer {
+class GSSAPI_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
 public:
 	explicit GSSAPI_Analyzer(zeek::Connection* conn);
@ -21,7 +21,7 @@ public:
 	void DeliverStream(int len, const u_char* data, bool orig) override;
 	void Undelivered(uint64_t seq, int len, bool orig) override;
-	// Overriden from tcp::TCP_ApplicationAnalyzer.
+	// Overriden from zeek::analyzer::tcp::TCP_ApplicationAnalyzer.
 	void EndpointEOF(bool is_orig) override;
 	static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn)
--- a/src/analyzer/protocol/http/HTTP.cc
+++ b/src/analyzer/protocol/http/HTTP.cc
@ -595,8 +595,8 @@ void HTTP_Entity::SubmitAllHeaders()
 	}
 HTTP_Message::HTTP_Message(HTTP_Analyzer* arg_analyzer,
-				tcp::ContentLine_Analyzer* arg_cl, bool arg_is_orig,
+                           zeek::analyzer::tcp::ContentLine_Analyzer* arg_cl, bool arg_is_orig,
-				int expect_body, int64_t init_header_length)
+                           int expect_body, int64_t init_header_length)
 : MIME_Message (arg_analyzer)
 	{
 	analyzer = arg_analyzer;
@ -836,7 +836,7 @@ void HTTP_Message::Weird(const char* msg)
 	}
 HTTP_Analyzer::HTTP_Analyzer(zeek::Connection* conn)
-: tcp::TCP_ApplicationAnalyzer("HTTP", conn)
+: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("HTTP", conn)
 	{
 	num_requests = num_replies = 0;
 	num_request_lines = num_reply_lines = 0;
@ -858,10 +858,10 @@ HTTP_Analyzer::HTTP_Analyzer(zeek::Connection* conn)
 	upgrade_connection = false;
 	upgrade_protocol.clear();
-	content_line_orig = new tcp::ContentLine_Analyzer(conn, true);
+	content_line_orig = new zeek::analyzer::tcp::ContentLine_Analyzer(conn, true);
 	AddSupportAnalyzer(content_line_orig);
-	content_line_resp = new tcp::ContentLine_Analyzer(conn, false);
+	content_line_resp = new zeek::analyzer::tcp::ContentLine_Analyzer(conn, false);
 	content_line_resp->SetSkipPartial(true);
 	AddSupportAnalyzer(content_line_resp);
 	}
@ -871,7 +871,7 @@ void HTTP_Analyzer::Done()
 	if ( IsFinished() )
 		return;
-	tcp::TCP_ApplicationAnalyzer::Done();
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done();
 	RequestMade(true, "message interrupted when connection done");
 	ReplyMade(true, "message interrupted when connection done");
@ -897,7 +897,7 @@ void HTTP_Analyzer::Done()
 void HTTP_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig)
 	{
-	tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, is_orig);
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, is_orig);
 	if ( TCP() && TCP()->IsPartial() )
 		return;
@ -916,7 +916,7 @@ void HTTP_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig)
 	const char* line = reinterpret_cast<const char*>(data);
 	const char* end_of_line = line + len;
-	tcp::ContentLine_Analyzer* content_line =
+	zeek::analyzer::tcp::ContentLine_Analyzer* content_line =
 		is_orig ? content_line_orig : content_line_resp;
 	if ( content_line->IsPlainDelivery() )
@ -1048,7 +1048,7 @@ void HTTP_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig)
 				{
 				// End of message header reached, set up
 				// tunnel decapsulation.
-				pia = new pia::PIA_TCP(Conn());
+				pia = new zeek::analyzer::pia::PIA_TCP(Conn());
 				if ( AddChildAnalyzer(pia) )
 					{
@ -1080,14 +1080,14 @@ void HTTP_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig)
 void HTTP_Analyzer::Undelivered(uint64_t seq, int len, bool is_orig)
 	{
-	tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, is_orig);
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, is_orig);
 	// DEBUG_MSG("Undelivered from %"PRIu64": %d bytes\n", seq, length);
 	HTTP_Message* msg =
 		is_orig ? request_message : reply_message;
-	tcp::ContentLine_Analyzer* content_line =
+	zeek::analyzer::tcp::ContentLine_Analyzer* content_line =
 		is_orig ? content_line_orig : content_line_resp;
 	if ( ! content_line->IsSkippedContents(seq, len) )
@ -1123,7 +1123,7 @@ void HTTP_Analyzer::Undelivered(uint64_t seq, int len, bool is_orig)
 void HTTP_Analyzer::EndpointEOF(bool is_orig)
 	{
-	tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
 	// DEBUG_MSG("%.6f eof\n", network_time);
@ -1135,7 +1135,7 @@ void HTTP_Analyzer::EndpointEOF(bool is_orig)
 void HTTP_Analyzer::ConnectionFinished(bool half_finished)
 	{
-	tcp::TCP_ApplicationAnalyzer::ConnectionFinished(half_finished);
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::ConnectionFinished(half_finished);
 	// DEBUG_MSG("%.6f connection finished\n", network_time);
 	RequestMade(true, "message ends as connection is finished");
@ -1144,7 +1144,7 @@ void HTTP_Analyzer::ConnectionFinished(bool half_finished)
 void HTTP_Analyzer::ConnectionReset()
 	{
-	tcp::TCP_ApplicationAnalyzer::ConnectionReset();
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::ConnectionReset();
 	RequestMade(true, "message interrupted by RST");
 	ReplyMade(true, "message interrupted by RST");
@ -1152,7 +1152,7 @@ void HTTP_Analyzer::ConnectionReset()
 void HTTP_Analyzer::PacketWithRST()
 	{
-	tcp::TCP_ApplicationAnalyzer::PacketWithRST();
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::PacketWithRST();
 	RequestMade(true, "message interrupted by RST");
 	ReplyMade(true, "message interrupted by RST");
@ -1680,8 +1680,8 @@ void HTTP_Analyzer::HTTP_MessageDone(bool is_orig, HTTP_Message* /* message */)
 		ReplyMade(false, "message ends normally");
 	}
-void HTTP_Analyzer::InitHTTPMessage(tcp::ContentLine_Analyzer* cl, HTTP_Message*& message,
+void HTTP_Analyzer::InitHTTPMessage(zeek::analyzer::tcp::ContentLine_Analyzer* cl, HTTP_Message*& message,
-		bool is_orig, int expect_body, int64_t init_header_length)
+                                    bool is_orig, int expect_body, int64_t init_header_length)
 	{
 	if ( message )
 		{
--- a/src/analyzer/protocol/http/HTTP.h
+++ b/src/analyzer/protocol/http/HTTP.h
@ -100,8 +100,8 @@ class HTTP_Message final : public mime::MIME_Message {
 friend class HTTP_Entity;
 public:
-	HTTP_Message(HTTP_Analyzer* analyzer, tcp::ContentLine_Analyzer* cl,
+	HTTP_Message(HTTP_Analyzer* analyzer, zeek::analyzer::tcp::ContentLine_Analyzer* cl,
-			 bool is_orig, int expect_body, int64_t init_header_length);
+	             bool is_orig, int expect_body, int64_t init_header_length);
 	~HTTP_Message() override;
 	void Done(bool interrupted, const char* msg);
 	void Done() override { Done(false, "message ends normally"); }
@ -129,7 +129,7 @@ public:
 protected:
 	HTTP_Analyzer* analyzer;
-	tcp::ContentLine_Analyzer* content_line;
+	zeek::analyzer::tcp::ContentLine_Analyzer* content_line;
 	bool is_orig;
 	char* entity_data_buffer;
@ -148,7 +148,7 @@ protected:
 	zeek::RecordValPtr BuildMessageStat(bool interrupted, const char* msg);
 };
-class HTTP_Analyzer final : public tcp::TCP_ApplicationAnalyzer {
+class HTTP_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
 public:
 	HTTP_Analyzer(zeek::Connection* conn);
@ -168,7 +168,7 @@ public:
 	void DeliverStream(int len, const u_char* data, bool orig) override;
 	void Undelivered(uint64_t seq, int len, bool orig) override;
-	// Overriden from tcp::TCP_ApplicationAnalyzer
+	// Overriden from zeek::analyzer::tcp::TCP_ApplicationAnalyzer
 	void EndpointEOF(bool is_orig) override;
 	void ConnectionFinished(bool half_finished) override;
 	void ConnectionReset() override;
@ -210,8 +210,8 @@ protected:
 	int HTTP_RequestLine(const char* line, const char* end_of_line);
 	int HTTP_ReplyLine(const char* line, const char* end_of_line);
-	void InitHTTPMessage(tcp::ContentLine_Analyzer* cl, HTTP_Message*& message, bool is_orig,
+	void InitHTTPMessage(zeek::analyzer::tcp::ContentLine_Analyzer* cl, HTTP_Message*& message, bool is_orig,
-				int expect_body, int64_t init_header_length);
+	                     int expect_body, int64_t init_header_length);
 	const char* PrefixMatch(const char* line, const char* end_of_line,
 				const char* prefix);
@ -248,7 +248,7 @@ protected:
 	int request_ongoing, reply_ongoing;
 	bool connect_request;
-	pia::PIA_TCP *pia;
+	zeek::analyzer::pia::PIA_TCP *pia;
 	// set to true after a connection was upgraded
 	bool upgraded;
 	// set to true when encountering an "connection" header in a reply.
@ -271,8 +271,8 @@ protected:
 	int reply_code;
 	zeek::StringValPtr reply_reason_phrase;
-	tcp::ContentLine_Analyzer* content_line_orig;
+	zeek::analyzer::tcp::ContentLine_Analyzer* content_line_orig;
-	tcp::ContentLine_Analyzer* content_line_resp;
+	zeek::analyzer::tcp::ContentLine_Analyzer* content_line_resp;
 	HTTP_Message* request_message;
 	HTTP_Message* reply_message;
--- a/src/analyzer/protocol/icmp/ICMP.cc
+++ b/src/analyzer/protocol/icmp/ICMP.cc
@ -18,7 +18,7 @@
 #include <netinet/icmp6.h>
-using namespace analyzer::icmp;
+namespace zeek::analyzer::icmp {
 ICMP_Analyzer::ICMP_Analyzer(zeek::Connection* c)
 	: TransportLayerAnalyzer("ICMP", c),
@ -873,7 +873,7 @@ zeek::VectorValPtr ICMP_Analyzer::BuildNDOptionsVal(int caplen, const u_char* da
 	return vv;
 	}
-int analyzer::icmp::ICMP4_counterpart(int icmp_type, int icmp_code, bool& is_one_way)
+int ICMP4_counterpart(int icmp_type, int icmp_code, bool& is_one_way)
 	{
 	is_one_way = false;
@ -901,7 +901,7 @@ int analyzer::icmp::ICMP4_counterpart(int icmp_type, int icmp_code, bool& is_one
 	}
 	}
-int analyzer::icmp::ICMP6_counterpart(int icmp_type, int icmp_code, bool& is_one_way)
+int ICMP6_counterpart(int icmp_type, int icmp_code, bool& is_one_way)
 	{
 	is_one_way = false;
@ -932,3 +932,5 @@ int analyzer::icmp::ICMP6_counterpart(int icmp_type, int icmp_code, bool& is_one
 	default:			is_one_way = true; return icmp_code;
 	}
 	}
 } // namespace zeek::analyzer::icmp
--- a/src/analyzer/protocol/icmp/ICMP.h
+++ b/src/analyzer/protocol/icmp/ICMP.h
@ -11,12 +11,12 @@ namespace zeek {
 using VectorValPtr = zeek::IntrusivePtr<VectorVal>;
 }
-namespace analyzer { namespace icmp {
+namespace zeek::analyzer::icmp {
-typedef enum {
+enum ICMP_EndpointState {
 	ICMP_INACTIVE,	// no packet seen
 	ICMP_ACTIVE,	// packets seen
-} ICMP_EndpointState;
+};
 // We do not have an PIA for ICMP (yet) and therefore derive from
 // RuleMatcherState to perform our own matching.
@ -98,4 +98,17 @@ private:
 extern int ICMP4_counterpart(int icmp_type, int icmp_code, bool& is_one_way);
 extern int ICMP6_counterpart(int icmp_type, int icmp_code, bool& is_one_way);
-} } // namespace analyzer::*
+} // namespace zeek::analyzer::icmp
 namespace analyzer::icmp {
 	using ICMP_EndpointState [[deprecated("Remove in v4.1. Use zeek::analyzer::icmp::ICMP_EndpointState.")]] = zeek::analyzer::icmp::ICMP_EndpointState;
 	constexpr auto ICMP_INACTIVE [[deprecated("Remove in v4.1. Use zeek::analyzer::icmp::ICMP_INACTIVE.")]] = zeek::analyzer::icmp::ICMP_INACTIVE;
 	constexpr auto ICMP_ACTIVE [[deprecated("Remove in v4.1. Use zeek::analyzer::icmp::ICMP_ACTIVE.")]] = zeek::analyzer::icmp::ICMP_ACTIVE;
 	using ICMP_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::icmp::ICMP_Analyzer.")]] = zeek::analyzer::icmp::ICMP_Analyzer;
 	constexpr auto ICMP4_counterpart [[deprecated("Remove in v4.1. Use zeek::analyzer::icmp::ICMP4_counterpart.")]] = zeek::analyzer::icmp::ICMP4_counterpart;
 	constexpr auto ICMP6_counterpart [[deprecated("Remove in v6.1. Use zeek::analyzer::icmp::ICMP6_counterpart.")]] = zeek::analyzer::icmp::ICMP6_counterpart;
 } // namespace analyzer::icmp
--- a/src/analyzer/protocol/icmp/Plugin.cc
+++ b/src/analyzer/protocol/icmp/Plugin.cc
@ -11,7 +11,7 @@ class Plugin : public zeek::plugin::Plugin {
 public:
 	zeek::plugin::Configuration Configure() override
 		{
-		AddComponent(new zeek::analyzer::Component("ICMP", ::analyzer::icmp::ICMP_Analyzer::Instantiate));
+		AddComponent(new zeek::analyzer::Component("ICMP", zeek::analyzer::icmp::ICMP_Analyzer::Instantiate));
 		zeek::plugin::Configuration config;
 		config.name = "Zeek::ICMP";
--- a/src/analyzer/protocol/ident/Ident.cc
+++ b/src/analyzer/protocol/ident/Ident.cc
@ -14,12 +14,12 @@
 using namespace analyzer::ident;
 Ident_Analyzer::Ident_Analyzer(zeek::Connection* conn)
-: tcp::TCP_ApplicationAnalyzer("IDENT", conn)
+: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("IDENT", conn)
 	{
 	did_bad_reply = did_deliver = false;
-	orig_ident = new tcp::ContentLine_Analyzer(conn, true, 1000);
+	orig_ident = new zeek::analyzer::tcp::ContentLine_Analyzer(conn, true, 1000);
-	resp_ident = new tcp::ContentLine_Analyzer(conn, false, 1000);
+	resp_ident = new zeek::analyzer::tcp::ContentLine_Analyzer(conn, false, 1000);
 	orig_ident->SetIsNULSensitive(true);
 	resp_ident->SetIsNULSensitive(true);
@ -30,29 +30,29 @@ Ident_Analyzer::Ident_Analyzer(zeek::Connection* conn)
 void Ident_Analyzer::Done()
 	{
-	tcp::TCP_ApplicationAnalyzer::Done();
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done();
 	if ( TCP() )
 		if ( (! did_deliver || orig_ident->HasPartialLine()) &&
-		     (TCP()->OrigState() == tcp::TCP_ENDPOINT_CLOSED ||
+		     (TCP()->OrigState() == zeek::analyzer::tcp::TCP_ENDPOINT_CLOSED ||
-		      TCP()->OrigPrevState() == tcp::TCP_ENDPOINT_CLOSED) &&
+		      TCP()->OrigPrevState() == zeek::analyzer::tcp::TCP_ENDPOINT_CLOSED) &&
-		     TCP()->OrigPrevState() != tcp::TCP_ENDPOINT_PARTIAL &&
+		     TCP()->OrigPrevState() != zeek::analyzer::tcp::TCP_ENDPOINT_PARTIAL &&
-		     TCP()->RespPrevState() != tcp::TCP_ENDPOINT_PARTIAL &&
+		     TCP()->RespPrevState() != zeek::analyzer::tcp::TCP_ENDPOINT_PARTIAL &&
-		     TCP()->OrigPrevState() != tcp::TCP_ENDPOINT_INACTIVE &&
+		     TCP()->OrigPrevState() != zeek::analyzer::tcp::TCP_ENDPOINT_INACTIVE &&
-		     TCP()->RespPrevState() != tcp::TCP_ENDPOINT_INACTIVE )
+		     TCP()->RespPrevState() != zeek::analyzer::tcp::TCP_ENDPOINT_INACTIVE )
 			Weird("partial_ident_request");
 	}
 void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig)
 	{
-	tcp::TCP_ApplicationAnalyzer::DeliverStream(length, data, is_orig);
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(length, data, is_orig);
 	int remote_port, local_port;
 	const char* line = (const char*) data;
 	const char* orig_line = line;
 	const char* end_of_line = line + length;
-	tcp::TCP_Endpoint* s = nullptr;
+	zeek::analyzer::tcp::TCP_Endpoint* s = nullptr;
 	if ( TCP() )
 		s = is_orig ? TCP()->Orig() : TCP()->Resp();
@ -68,9 +68,9 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig)
 		line = ParsePair(line, end_of_line, remote_port, local_port);
 		if ( ! line )
 			{
-			if ( s && s->state == tcp::TCP_ENDPOINT_CLOSED &&
+			if ( s && s->state == zeek::analyzer::tcp::TCP_ENDPOINT_CLOSED &&
-			     (s->prev_state == tcp::TCP_ENDPOINT_INACTIVE ||
+			     (s->prev_state == zeek::analyzer::tcp::TCP_ENDPOINT_INACTIVE ||
-			      s->prev_state == tcp::TCP_ENDPOINT_PARTIAL) )
+			      s->prev_state == zeek::analyzer::tcp::TCP_ENDPOINT_PARTIAL) )
 				// not surprising the request is mangled.
 				return;
@ -102,9 +102,9 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig)
 		if ( ! line || line == end_of_line || line[0] != ':' )
 			{
-			if ( s && s->state == tcp::TCP_ENDPOINT_CLOSED &&
+			if ( s && s->state == zeek::analyzer::tcp::TCP_ENDPOINT_CLOSED &&
-			     (s->prev_state == tcp::TCP_ENDPOINT_INACTIVE ||
+			     (s->prev_state == zeek::analyzer::tcp::TCP_ENDPOINT_INACTIVE ||
-			      s->prev_state == tcp::TCP_ENDPOINT_PARTIAL) )
+			      s->prev_state == zeek::analyzer::tcp::TCP_ENDPOINT_PARTIAL) )
 				// not surprising the request is mangled.
 				return;
--- a/src/analyzer/protocol/ident/Ident.h
+++ b/src/analyzer/protocol/ident/Ident.h
@ -7,7 +7,7 @@
 namespace analyzer { namespace ident {
-class Ident_Analyzer : public tcp::TCP_ApplicationAnalyzer {
+class Ident_Analyzer : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
 public:
 	explicit Ident_Analyzer(zeek::Connection* conn);
 	void Done() override;
@ -26,8 +26,8 @@ protected:
 	void BadRequest(int length, const char* line);
 	void BadReply(int length, const char* line);
-	tcp::ContentLine_Analyzer* orig_ident;
+	zeek::analyzer::tcp::ContentLine_Analyzer* orig_ident;
-	tcp::ContentLine_Analyzer* resp_ident;
+	zeek::analyzer::tcp::ContentLine_Analyzer* resp_ident;
 	bool did_deliver;
 	bool did_bad_reply;
--- a/src/analyzer/protocol/imap/IMAP.cc
+++ b/src/analyzer/protocol/imap/IMAP.cc
@ -7,7 +7,7 @@
 using namespace analyzer::imap;
 IMAP_Analyzer::IMAP_Analyzer(zeek::Connection* conn)
-	: tcp::TCP_ApplicationAnalyzer("IMAP", conn)
+	: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("IMAP", conn)
 	{
 	interp = new binpac::IMAP::IMAP_Conn(this);
 	had_gap = false;
@ -21,7 +21,7 @@ IMAP_Analyzer::~IMAP_Analyzer()
 void IMAP_Analyzer::Done()
 	{
-	tcp::TCP_ApplicationAnalyzer::Done();
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done();
 	interp->FlowEOF(true);
 	interp->FlowEOF(false);
@ -29,13 +29,13 @@ void IMAP_Analyzer::Done()
 void IMAP_Analyzer::EndpointEOF(bool is_orig)
 	{
-	tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
 	interp->FlowEOF(is_orig);
 	}
 void IMAP_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 	{
-	tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
 	if ( tls_active )
 		{
@ -67,7 +67,7 @@ void IMAP_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 void IMAP_Analyzer::Undelivered(uint64_t seq, int len, bool orig)
 	{
-	tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
 	had_gap = true;
 	interp->NewGap(orig, len);
 	}
--- a/src/analyzer/protocol/imap/IMAP.h
+++ b/src/analyzer/protocol/imap/IMAP.h
@ -10,7 +10,7 @@
 namespace analyzer { namespace imap {
-class IMAP_Analyzer final : public tcp::TCP_ApplicationAnalyzer {
+class IMAP_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
 public:
 	explicit IMAP_Analyzer(zeek::Connection* conn);
 	~IMAP_Analyzer() override;
@ -19,7 +19,7 @@ public:
 	void DeliverStream(int len, const u_char* data, bool orig) override;
 	void Undelivered(uint64_t seq, int len, bool orig) override;
-	// Overriden from tcp::TCP_ApplicationAnalyzer.
+	// Overriden from zeek::analyzer::tcp::TCP_ApplicationAnalyzer.
 	void EndpointEOF(bool is_orig) override;
 	void StartTLS();
--- a/src/analyzer/protocol/irc/IRC.cc
+++ b/src/analyzer/protocol/irc/IRC.cc
@ -13,7 +13,7 @@ using namespace analyzer::irc;
 using namespace std;
 IRC_Analyzer::IRC_Analyzer(zeek::Connection* conn)
-: tcp::TCP_ApplicationAnalyzer("IRC", conn)
+: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("IRC", conn)
 	{
 	invalid_msg_count = 0;
 	invalid_msg_max_count = 20;
@ -22,15 +22,15 @@ IRC_Analyzer::IRC_Analyzer(zeek::Connection* conn)
 	orig_zip_status = NO_ZIP;
 	resp_zip_status = NO_ZIP;
 	starttls = false;
-	cl_orig = new tcp::ContentLine_Analyzer(conn, true, 1000);
+	cl_orig = new zeek::analyzer::tcp::ContentLine_Analyzer(conn, true, 1000);
 	AddSupportAnalyzer(cl_orig);
-	cl_resp = new tcp::ContentLine_Analyzer(conn, false, 1000);
+	cl_resp = new zeek::analyzer::tcp::ContentLine_Analyzer(conn, false, 1000);
 	AddSupportAnalyzer(cl_resp);
 	}
 void IRC_Analyzer::Done()
 	{
-	tcp::TCP_ApplicationAnalyzer::Done();
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done();
 	}
 inline void IRC_Analyzer::SkipLeadingWhitespace(string& str)
@ -46,7 +46,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 	{
 	static auto irc_join_list = zeek::id::find_type<zeek::TableType>("irc_join_list");
 	static auto irc_join_info = zeek::id::find_type<zeek::RecordType>("irc_join_info");
-	tcp::TCP_ApplicationAnalyzer::DeliverStream(length, line, orig);
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(length, line, orig);
 	if ( starttls )
 		{
--- a/src/analyzer/protocol/irc/IRC.h
+++ b/src/analyzer/protocol/irc/IRC.h
@ -9,7 +9,7 @@ namespace analyzer { namespace irc {
 /**
 * \brief Main class for analyzing IRC traffic.
 */
-class IRC_Analyzer final : public tcp::TCP_ApplicationAnalyzer {
+class IRC_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
 	enum { WAIT_FOR_REGISTRATION, REGISTERED, };
 	enum { NO_ZIP, ACCEPT_ZIP, ZIP_LOADED, };
 public:
@ -64,8 +64,8 @@ private:
 	*/
 	std::vector<std::string> SplitWords(const std::string& input, char split);
-	tcp::ContentLine_Analyzer* cl_orig;
+	zeek::analyzer::tcp::ContentLine_Analyzer* cl_orig;
-	tcp::ContentLine_Analyzer* cl_resp;
+	zeek::analyzer::tcp::ContentLine_Analyzer* cl_resp;
 	bool starttls; // if true, connection has been upgraded to tls
 };
--- a/src/analyzer/protocol/krb/KRB_TCP.cc
+++ b/src/analyzer/protocol/krb/KRB_TCP.cc
@ -8,7 +8,7 @@
 using namespace analyzer::krb_tcp;
 KRB_Analyzer::KRB_Analyzer(zeek::Connection* conn)
-	: tcp::TCP_ApplicationAnalyzer("KRB_TCP", conn)
+	: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("KRB_TCP", conn)
 	{
 	interp = new binpac::KRB_TCP::KRB_Conn(this);
 	had_gap = false;
@ -21,7 +21,7 @@ KRB_Analyzer::~KRB_Analyzer()
 void KRB_Analyzer::Done()
 	{
-	tcp::TCP_ApplicationAnalyzer::Done();
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done();
 	interp->FlowEOF(true);
 	interp->FlowEOF(false);
@ -29,13 +29,13 @@ void KRB_Analyzer::Done()
 void KRB_Analyzer::EndpointEOF(bool is_orig)
 	{
-	tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
 	interp->FlowEOF(is_orig);
 	}
 void KRB_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 	{
-	tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
 	assert(TCP());
 	if ( TCP()->IsPartial() )
@ -59,7 +59,7 @@ void KRB_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 void KRB_Analyzer::Undelivered(uint64_t seq, int len, bool orig)
 	{
-	tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
 	had_gap = true;
 	interp->NewGap(orig, len);
 	}
--- a/src/analyzer/protocol/krb/KRB_TCP.h
+++ b/src/analyzer/protocol/krb/KRB_TCP.h
@ -8,7 +8,7 @@
 namespace analyzer { namespace krb_tcp {
-class KRB_Analyzer final : public tcp::TCP_ApplicationAnalyzer {
+class KRB_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
 public:
 	explicit KRB_Analyzer(zeek::Connection* conn);
@ -18,7 +18,7 @@ public:
 	void DeliverStream(int len, const u_char* data, bool orig) override;
 	void Undelivered(uint64_t seq, int len, bool orig) override;
-	// Overriden from tcp::TCP_ApplicationAnalyzer.
+	// Overriden from zeek::analyzer::tcp::TCP_ApplicationAnalyzer.
 	void EndpointEOF(bool is_orig) override;
 	zeek::StringValPtr GetAuthenticationInfo(const zeek::String* principal,
--- a/src/analyzer/protocol/login/Login.cc
+++ b/src/analyzer/protocol/login/Login.cc
@ -28,7 +28,7 @@ static zeek::RE_Matcher* re_login_timeouts;
 static zeek::RE_Matcher* init_RE(zeek::ListVal* l);
 Login_Analyzer::Login_Analyzer(const char* name, zeek::Connection* conn)
-    : tcp::TCP_ApplicationAnalyzer(name, conn), user_text()
+    : zeek::analyzer::tcp::TCP_ApplicationAnalyzer(name, conn), user_text()
 	{
 	state = LOGIN_STATE_AUTHENTICATE;
 	num_user_lines_seen = lines_scanned = 0;
@ -80,7 +80,7 @@ Login_Analyzer::~Login_Analyzer()
 void Login_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 	{
-	tcp::TCP_ApplicationAnalyzer::DeliverStream(length, line, orig);
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(length, line, orig);
 	char* str = new char[length+1];
@ -117,8 +117,8 @@ void Login_Analyzer::NewLine(bool orig, char* line)
 	if ( state == LOGIN_STATE_AUTHENTICATE )
 		{
-		if ( TCP()->OrigState() == tcp::TCP_ENDPOINT_PARTIAL ||
+		if ( TCP()->OrigState() == zeek::analyzer::tcp::TCP_ENDPOINT_PARTIAL ||
-		     TCP()->RespState() == tcp::TCP_ENDPOINT_PARTIAL )
+		     TCP()->RespState() == zeek::analyzer::tcp::TCP_ENDPOINT_PARTIAL )
 			state = LOGIN_STATE_CONFUSED;	// unknown login state
 		else
 			{
@ -364,7 +364,7 @@ void Login_Analyzer::SetEnv(bool orig, char* name, char* val)
 void Login_Analyzer::EndpointEOF(bool orig)
 	{
-	tcp::TCP_ApplicationAnalyzer::EndpointEOF(orig);
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(orig);
 	if ( state == LOGIN_STATE_AUTHENTICATE && HaveTypeahead() )
 		{
--- a/src/analyzer/protocol/login/Login.h
+++ b/src/analyzer/protocol/login/Login.h
@ -20,7 +20,7 @@ typedef enum {
 // Maximum # lines look after login for failure.
 #define MAX_LOGIN_LOOKAHEAD 10
-class Login_Analyzer : public tcp::TCP_ApplicationAnalyzer {
+class Login_Analyzer : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
 public:
 	Login_Analyzer(const char* name, zeek::Connection* conn);
 	~Login_Analyzer() override;
--- a/src/analyzer/protocol/login/NVT.cc
+++ b/src/analyzer/protocol/login/NVT.cc
@ -308,7 +308,7 @@ void TelnetEnvironmentOption::RecvSubOption(u_char* data, int len)
 			break;
 			}
-		static_cast<tcp::TCP_ApplicationAnalyzer*>
+		static_cast<zeek::analyzer::tcp::TCP_ApplicationAnalyzer*>
 			(endp->Parent())->SetEnv(endp->IsOrig(),
 							var_name, var_val);
 		}
@ -381,7 +381,7 @@ void TelnetBinaryOption::InconsistentOption(unsigned int /* type */)
 NVT_Analyzer::NVT_Analyzer(zeek::Connection* conn, bool orig)
-	: tcp::ContentLine_Analyzer("NVT", conn, orig), options()
+	: zeek::analyzer::tcp::ContentLine_Analyzer("NVT", conn, orig), options()
 	{
 	}
--- a/src/analyzer/protocol/login/NVT.h
+++ b/src/analyzer/protocol/login/NVT.h
@ -122,7 +122,7 @@ protected:
 	void InconsistentOption(unsigned int type) override;
 };
-class NVT_Analyzer final : public tcp::ContentLine_Analyzer {
+class NVT_Analyzer final : public zeek::analyzer::tcp::ContentLine_Analyzer {
 public:
 	NVT_Analyzer(zeek::Connection* conn, bool orig);
 	~NVT_Analyzer() override;
--- a/src/analyzer/protocol/login/RSH.cc
+++ b/src/analyzer/protocol/login/RSH.cc
@ -15,7 +15,7 @@ using namespace analyzer::login;
 Contents_Rsh_Analyzer::Contents_Rsh_Analyzer(zeek::Connection* conn, bool orig,
                                             Rsh_Analyzer* arg_analyzer)
-: tcp::ContentLine_Analyzer("CONTENTS_RSH", conn, orig)
+	: zeek::analyzer::tcp::ContentLine_Analyzer("CONTENTS_RSH", conn, orig)
 	{
 	num_bytes_to_scan = 0;
 	analyzer = arg_analyzer;
@ -35,7 +35,7 @@ Contents_Rsh_Analyzer::~Contents_Rsh_Analyzer()
 void Contents_Rsh_Analyzer::DoDeliver(int len, const u_char* data)
 	{
-	tcp::TCP_Analyzer* tcp = static_cast<tcp::TCP_ApplicationAnalyzer*>(Parent())->TCP();
+	zeek::analyzer::tcp::TCP_Analyzer* tcp = static_cast<zeek::analyzer::tcp::TCP_ApplicationAnalyzer*>(Parent())->TCP();
 	assert(tcp);
 	int endp_state = IsOrig() ? tcp->OrigState() : tcp->RespState();
@ -49,10 +49,10 @@ void Contents_Rsh_Analyzer::DoDeliver(int len, const u_char* data)
 		switch ( state ) {
 		case RSH_FIRST_NULL:
-			if ( endp_state == tcp::TCP_ENDPOINT_PARTIAL ||
+			if ( endp_state == zeek::analyzer::tcp::TCP_ENDPOINT_PARTIAL ||
 			     // We can be in closed if the data's due to
 			     // a dataful FIN being the first thing we see.
-			     endp_state == tcp::TCP_ENDPOINT_CLOSED )
+			     endp_state == zeek::analyzer::tcp::TCP_ENDPOINT_CLOSED )
 				{
 				state = RSH_UNKNOWN;
 				++len, --data;	// put back c and reprocess
--- a/src/analyzer/protocol/login/RSH.h
+++ b/src/analyzer/protocol/login/RSH.h
@ -22,7 +22,7 @@ typedef enum {
 class Rsh_Analyzer;
-class Contents_Rsh_Analyzer final : public tcp::ContentLine_Analyzer {
+class Contents_Rsh_Analyzer final : public zeek::analyzer::tcp::ContentLine_Analyzer {
 public:
 	Contents_Rsh_Analyzer(zeek::Connection* conn, bool orig, Rsh_Analyzer* analyzer);
 	~Contents_Rsh_Analyzer() override;
--- a/src/analyzer/protocol/login/Rlogin.cc
+++ b/src/analyzer/protocol/login/Rlogin.cc
@ -12,7 +12,7 @@
 using namespace analyzer::login;
 Contents_Rlogin_Analyzer::Contents_Rlogin_Analyzer(zeek::Connection* conn, bool orig, Rlogin_Analyzer* arg_analyzer)
-: tcp::ContentLine_Analyzer("CONTENTLINE", conn, orig)
+	: zeek::analyzer::tcp::ContentLine_Analyzer("CONTENTLINE", conn, orig)
 	{
 	num_bytes_to_scan = 0;
 	analyzer = arg_analyzer;
@ -30,7 +30,7 @@ Contents_Rlogin_Analyzer::~Contents_Rlogin_Analyzer()
 void Contents_Rlogin_Analyzer::DoDeliver(int len, const u_char* data)
 	{
-	tcp::TCP_Analyzer* tcp = static_cast<tcp::TCP_ApplicationAnalyzer*>(Parent())->TCP();
+	auto* tcp = static_cast<zeek::analyzer::tcp::TCP_ApplicationAnalyzer*>(Parent())->TCP();
 	assert(tcp);
 	int endp_state = IsOrig() ? tcp->OrigState() : tcp->RespState();
@ -44,10 +44,10 @@ void Contents_Rlogin_Analyzer::DoDeliver(int len, const u_char* data)
 		switch ( state ) {
 		case RLOGIN_FIRST_NULL:
-			if ( endp_state == tcp::TCP_ENDPOINT_PARTIAL ||
+			if ( endp_state == zeek::analyzer::tcp::TCP_ENDPOINT_PARTIAL ||
 			     // We can be in closed if the data's due to
 			     // a dataful FIN being the first thing we see.
-			     endp_state == tcp::TCP_ENDPOINT_CLOSED )
+			     endp_state == zeek::analyzer::tcp::TCP_ENDPOINT_CLOSED )
 				{
 				state = RLOGIN_UNKNOWN;
 				++len, --data;	// put back c and reprocess
@ -89,10 +89,10 @@ void Contents_Rlogin_Analyzer::DoDeliver(int len, const u_char* data)
 			break;
 		case RLOGIN_SERVER_ACK:
-			if ( endp_state == tcp::TCP_ENDPOINT_PARTIAL ||
+			if ( endp_state == zeek::analyzer::tcp::TCP_ENDPOINT_PARTIAL ||
 			     // We can be in closed if the data's due to
 			     // a dataful FIN being the first thing we see.
-			     endp_state == tcp::TCP_ENDPOINT_CLOSED )
+			     endp_state == zeek::analyzer::tcp::TCP_ENDPOINT_CLOSED )
 				{
 				state = RLOGIN_UNKNOWN;
 				++len, --data;	// put back c and reprocess
--- a/src/analyzer/protocol/login/Rlogin.h
+++ b/src/analyzer/protocol/login/Rlogin.h
@ -30,7 +30,7 @@ typedef enum {
 class Rlogin_Analyzer;
-class Contents_Rlogin_Analyzer final : public tcp::ContentLine_Analyzer {
+class Contents_Rlogin_Analyzer final : public zeek::analyzer::tcp::ContentLine_Analyzer {
 public:
 	Contents_Rlogin_Analyzer(zeek::Connection* conn, bool orig,
 	                         Rlogin_Analyzer* analyzer);
--- a/src/analyzer/protocol/modbus/Modbus.h
+++ b/src/analyzer/protocol/modbus/Modbus.h
@ -5,7 +5,7 @@
 namespace analyzer { namespace modbus {
-class ModbusTCP_Analyzer : public tcp::TCP_ApplicationAnalyzer {
+class ModbusTCP_Analyzer : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
 public:
 	explicit ModbusTCP_Analyzer(zeek::Connection* conn);
 	~ModbusTCP_Analyzer() override;
--- a/src/analyzer/protocol/mqtt/MQTT.cc
+++ b/src/analyzer/protocol/mqtt/MQTT.cc
@ -10,7 +10,7 @@
 using namespace analyzer::MQTT;
 MQTT_Analyzer::MQTT_Analyzer(zeek::Connection* c)
-	: tcp::TCP_ApplicationAnalyzer("MQTT", c)
+	: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("MQTT", c)
 	{
 	interp = new binpac::MQTT::MQTT_Conn(this);
 	}
@ -22,7 +22,7 @@ MQTT_Analyzer::~MQTT_Analyzer()
 void MQTT_Analyzer::Done()
 	{
-	tcp::TCP_ApplicationAnalyzer::Done();
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done();
 	interp->FlowEOF(true);
 	interp->FlowEOF(false);
@ -30,13 +30,13 @@ void MQTT_Analyzer::Done()
 void MQTT_Analyzer::EndpointEOF(bool is_orig)
 	{
-	tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
 	interp->FlowEOF(is_orig);
 	}
 void MQTT_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 	{
-	tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
 	assert(TCP());
@ -52,6 +52,6 @@ void MQTT_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 void MQTT_Analyzer::Undelivered(uint64_t seq, int len, bool orig)
 	{
-	tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
 	interp->NewGap(orig, len);
 	}
--- a/src/analyzer/protocol/mqtt/MQTT.h
+++ b/src/analyzer/protocol/mqtt/MQTT.h
@ -9,7 +9,7 @@ namespace binpac { namespace MQTT { class MQTT_Conn; } }
 namespace analyzer { namespace MQTT {
-class MQTT_Analyzer final : public tcp::TCP_ApplicationAnalyzer {
+class MQTT_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
 public:
 	MQTT_Analyzer(zeek::Connection* conn);
--- a/src/analyzer/protocol/mysql/MySQL.cc
+++ b/src/analyzer/protocol/mysql/MySQL.cc
@ -8,7 +8,7 @@
 using namespace analyzer::MySQL;
 MySQL_Analyzer::MySQL_Analyzer(zeek::Connection* c)
-	: tcp::TCP_ApplicationAnalyzer("MySQL", c)
+	: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("MySQL", c)
 	{
 	interp = new binpac::MySQL::MySQL_Conn(this);
 	had_gap = false;
@ -21,7 +21,7 @@ MySQL_Analyzer::~MySQL_Analyzer()
 void MySQL_Analyzer::Done()
 	{
-	tcp::TCP_ApplicationAnalyzer::Done();
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done();
 	interp->FlowEOF(true);
 	interp->FlowEOF(false);
@ -29,13 +29,13 @@ void MySQL_Analyzer::Done()
 void MySQL_Analyzer::EndpointEOF(bool is_orig)
 	{
-	tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
 	interp->FlowEOF(is_orig);
 	}
 void MySQL_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 	{
-	tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
 	assert(TCP());
 	if ( TCP()->IsPartial() )
@ -59,7 +59,7 @@ void MySQL_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 void MySQL_Analyzer::Undelivered(uint64_t seq, int len, bool orig)
 	{
-	tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
 	had_gap = true;
 	interp->NewGap(orig, len);
 	}
--- a/src/analyzer/protocol/mysql/MySQL.h
+++ b/src/analyzer/protocol/mysql/MySQL.h
@ -9,7 +9,7 @@
 namespace analyzer { namespace MySQL {
-class MySQL_Analyzer final : public tcp::TCP_ApplicationAnalyzer {
+class MySQL_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
 public:
 	explicit MySQL_Analyzer(zeek::Connection* conn);
@ -21,7 +21,7 @@ public:
 	void DeliverStream(int len, const u_char* data, bool orig) override;
 	void Undelivered(uint64_t seq, int len, bool orig) override;
-	// Overriden from tcp::TCP_ApplicationAnalyzer.
+	// Overriden from zeek::analyzer::tcp::TCP_ApplicationAnalyzer.
 	void EndpointEOF(bool is_orig) override;
 	static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn)
--- a/src/analyzer/protocol/ncp/NCP.cc
+++ b/src/analyzer/protocol/ncp/NCP.cc
@ -164,7 +164,7 @@ void NCP_FrameBuffer::compute_msg_length()
 	}
 Contents_NCP_Analyzer::Contents_NCP_Analyzer(zeek::Connection* conn, bool orig, NCP_Session* arg_session)
-: tcp::TCP_SupportAnalyzer("CONTENTS_NCP", conn, orig)
+: zeek::analyzer::tcp::TCP_SupportAnalyzer("CONTENTS_NCP", conn, orig)
 	{
 	session = arg_session;
 	resync = true;
@ -177,7 +177,7 @@ Contents_NCP_Analyzer::~Contents_NCP_Analyzer()
 void Contents_NCP_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 	{
-	tcp::TCP_SupportAnalyzer::DeliverStream(len, data, orig);
+	zeek::analyzer::tcp::TCP_SupportAnalyzer::DeliverStream(len, data, orig);
 	auto tcp = static_cast<NCP_Analyzer*>(Parent())->TCP();
@ -185,7 +185,7 @@ void Contents_NCP_Analyzer::DeliverStream(int len, const u_char* data, bool orig
 		{
 		resync_set = true;
 		resync = (IsOrig() ? tcp->OrigState() : tcp->RespState()) !=
-						tcp::TCP_ENDPOINT_ESTABLISHED;
+			zeek::analyzer::tcp::TCP_ENDPOINT_ESTABLISHED;
 		}
 	if ( tcp && tcp->HadGap(orig) )
@ -238,14 +238,14 @@ void Contents_NCP_Analyzer::DeliverStream(int len, const u_char* data, bool orig
 void Contents_NCP_Analyzer::Undelivered(uint64_t seq, int len, bool orig)
 	{
-	tcp::TCP_SupportAnalyzer::Undelivered(seq, len, orig);
+	zeek::analyzer::tcp::TCP_SupportAnalyzer::Undelivered(seq, len, orig);
 	buffer.Reset();
 	resync = true;
 	}
 NCP_Analyzer::NCP_Analyzer(zeek::Connection* conn)
-: tcp::TCP_ApplicationAnalyzer("NCP", conn)
+: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("NCP", conn)
 	{
 	session = new NCP_Session(this);
 	o_ncp = new Contents_NCP_Analyzer(conn, true, session);
--- a/src/analyzer/protocol/ncp/NCP.h
+++ b/src/analyzer/protocol/ncp/NCP.h
@ -82,7 +82,7 @@ protected:
 	void compute_msg_length() override;
 };
-class Contents_NCP_Analyzer : public tcp::TCP_SupportAnalyzer {
+class Contents_NCP_Analyzer : public zeek::analyzer::tcp::TCP_SupportAnalyzer {
 public:
 	Contents_NCP_Analyzer(zeek::Connection* conn, bool orig, NCP_Session* session);
 	~Contents_NCP_Analyzer() override;
@ -99,7 +99,7 @@ protected:
 	bool resync_set;
 };
-class NCP_Analyzer : public tcp::TCP_ApplicationAnalyzer {
+class NCP_Analyzer : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
 public:
 	explicit NCP_Analyzer(zeek::Connection* conn);
 	~NCP_Analyzer() override;
--- a/src/analyzer/protocol/netbios/NetbiosSSN.cc
+++ b/src/analyzer/protocol/netbios/NetbiosSSN.cc
@ -334,7 +334,7 @@ void NetbiosSSN_Interpreter::Event(zeek::EventHandlerPtr event, const u_char* da
 Contents_NetbiosSSN::Contents_NetbiosSSN(zeek::Connection* conn, bool orig,
                                         NetbiosSSN_Interpreter* arg_interp)
-: tcp::TCP_SupportAnalyzer("CONTENTS_NETBIOSSSN", conn, orig)
+: zeek::analyzer::tcp::TCP_SupportAnalyzer("CONTENTS_NETBIOSSSN", conn, orig)
 	{
 	interp = arg_interp;
 	type = flags = msg_size = 0;
@ -365,7 +365,7 @@ void Contents_NetbiosSSN::DeliverStream(int len, const u_char* data, bool orig)
 void Contents_NetbiosSSN::ProcessChunk(int& len, const u_char*& data, bool orig)
 	{
-	tcp::TCP_SupportAnalyzer::DeliverStream(len, data, orig);
+	zeek::analyzer::tcp::TCP_SupportAnalyzer::DeliverStream(len, data, orig);
 	if ( state == NETBIOS_SSN_TYPE )
 		{
@ -454,7 +454,7 @@ void Contents_NetbiosSSN::ProcessChunk(int& len, const u_char*& data, bool orig)
 	}
 NetbiosSSN_Analyzer::NetbiosSSN_Analyzer(zeek::Connection* conn)
-: tcp::TCP_ApplicationAnalyzer("NETBIOSSSN", conn)
+: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("NETBIOSSSN", conn)
 	{
 	//smb_session = new SMB_Session(this);
 	interp = new NetbiosSSN_Interpreter(this);
@ -484,7 +484,7 @@ NetbiosSSN_Analyzer::~NetbiosSSN_Analyzer()
 void NetbiosSSN_Analyzer::Done()
 	{
-	tcp::TCP_ApplicationAnalyzer::Done();
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done();
 	interp->Timeout();
 	if ( Conn()->ConnTransport() == TRANSPORT_UDP && ! did_session_done )
@ -495,15 +495,15 @@ void NetbiosSSN_Analyzer::Done()
 void NetbiosSSN_Analyzer::EndpointEOF(bool orig)
 	{
-	tcp::TCP_ApplicationAnalyzer::EndpointEOF(orig);
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(orig);
 	(orig ? orig_netbios : resp_netbios)->Flush();
 	}
-void NetbiosSSN_Analyzer::ConnectionClosed(tcp::TCP_Endpoint* endpoint,
+void NetbiosSSN_Analyzer::ConnectionClosed(zeek::analyzer::tcp::TCP_Endpoint* endpoint,
-				tcp::TCP_Endpoint* peer, bool gen_event)
+                                           zeek::analyzer::tcp::TCP_Endpoint* peer, bool gen_event)
 	{
-	tcp::TCP_ApplicationAnalyzer::ConnectionClosed(endpoint, peer, gen_event);
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::ConnectionClosed(endpoint, peer, gen_event);
 	// Question: Why do we flush *both* endpoints upon connection close?
 	// orig_netbios->Flush();
@ -513,7 +513,7 @@ void NetbiosSSN_Analyzer::ConnectionClosed(tcp::TCP_Endpoint* endpoint,
 void NetbiosSSN_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
 					uint64_t seq, const zeek::IP_Hdr* ip, int caplen)
 	{
-	tcp::TCP_ApplicationAnalyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
 	if ( orig )
 		interp->ParseMessageUDP(data, len, true);
--- a/src/analyzer/protocol/netbios/NetbiosSSN.h
+++ b/src/analyzer/protocol/netbios/NetbiosSSN.h
@ -112,7 +112,7 @@ typedef enum {
 } NetbiosSSN_State;
 // ### This should be merged with TCP_Contents_RPC, TCP_Contents_DNS.
-class Contents_NetbiosSSN final : public tcp::TCP_SupportAnalyzer {
+class Contents_NetbiosSSN final : public zeek::analyzer::tcp::TCP_SupportAnalyzer {
 public:
 	Contents_NetbiosSSN(zeek::Connection* conn, bool orig,
 				NetbiosSSN_Interpreter* interp);
@ -139,7 +139,7 @@ protected:
 	NetbiosSSN_State state;
 };
-class NetbiosSSN_Analyzer final : public tcp::TCP_ApplicationAnalyzer {
+class NetbiosSSN_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
 public:
 	explicit NetbiosSSN_Analyzer(zeek::Connection* conn);
 	~NetbiosSSN_Analyzer() override;
@ -152,8 +152,8 @@ public:
 		{ return new NetbiosSSN_Analyzer(conn); }
 protected:
-	void ConnectionClosed(tcp::TCP_Endpoint* endpoint,
+	void ConnectionClosed(zeek::analyzer::tcp::TCP_Endpoint* endpoint,
-					tcp::TCP_Endpoint* peer, bool gen_event) override;
+	                      zeek::analyzer::tcp::TCP_Endpoint* peer, bool gen_event) override;
 	void EndpointEOF(bool is_orig) override;
 	void ExpireTimer(double t);
--- a/src/analyzer/protocol/ntlm/NTLM.cc
+++ b/src/analyzer/protocol/ntlm/NTLM.cc
@ -8,7 +8,7 @@
 using namespace analyzer::ntlm;
 NTLM_Analyzer::NTLM_Analyzer(zeek::Connection* c)
-	: tcp::TCP_ApplicationAnalyzer("NTLM", c)
+	: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("NTLM", c)
 	{
 	interp = new binpac::NTLM::NTLM_Conn(this);
 	}
@ -20,7 +20,7 @@ NTLM_Analyzer::~NTLM_Analyzer()
 void NTLM_Analyzer::Done()
 	{
-	tcp::TCP_ApplicationAnalyzer::Done();
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done();
 	interp->FlowEOF(true);
 	interp->FlowEOF(false);
@ -28,13 +28,13 @@ void NTLM_Analyzer::Done()
 void NTLM_Analyzer::EndpointEOF(bool is_orig)
 	{
-	tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
 	interp->FlowEOF(is_orig);
 	}
 void NTLM_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 	{
-	tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
 	assert(TCP());
@ -51,6 +51,6 @@ void NTLM_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 void NTLM_Analyzer::Undelivered(uint64_t seq, int len, bool orig)
 	{
-	tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
 	interp->NewGap(orig, len);
 	}
--- a/src/analyzer/protocol/ntlm/NTLM.h
+++ b/src/analyzer/protocol/ntlm/NTLM.h
@ -9,7 +9,7 @@
 namespace analyzer { namespace ntlm {
-class NTLM_Analyzer final : public tcp::TCP_ApplicationAnalyzer {
+class NTLM_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
 public:
 	explicit NTLM_Analyzer(zeek::Connection* conn);
@ -21,7 +21,7 @@ public:
 	void DeliverStream(int len, const u_char* data, bool orig) override;
 	void Undelivered(uint64_t seq, int len, bool orig) override;
-	// Overriden from tcp::TCP_ApplicationAnalyzer.
+	// Overriden from zeek::analyzer::tcp::TCP_ApplicationAnalyzer.
 	void EndpointEOF(bool is_orig) override;
 	static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn)
--- a/src/analyzer/protocol/pia/PIA.cc
+++ b/src/analyzer/protocol/pia/PIA.cc
@ -8,7 +8,7 @@
 #include "analyzer/protocol/tcp/TCP_Flags.h"
 #include "analyzer/protocol/tcp/TCP_Reassembler.h"
-using namespace analyzer::pia;
+namespace zeek::analyzer::pia {
 PIA::PIA(zeek::analyzer::Analyzer* arg_as_analyzer)
 	: state(INIT), as_analyzer(arg_as_analyzer), conn(), current_packet()
@ -193,7 +193,7 @@ PIA_TCP::~PIA_TCP()
 void PIA_TCP::Init()
 	{
-	tcp::TCP_ApplicationAnalyzer::Init();
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Init();
 	if ( Parent()->IsAnalyzer("TCP") )
 		{
@ -253,7 +253,7 @@ void PIA_TCP::FirstPacket(bool is_orig, const zeek::IP_Hdr* ip)
 void PIA_TCP::DeliverStream(int len, const u_char* data, bool is_orig)
 	{
-	tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, is_orig);
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, is_orig);
 	if ( stream_buffer.state == SKIPPING )
 		return;
@ -283,7 +283,7 @@ void PIA_TCP::DeliverStream(int len, const u_char* data, bool is_orig)
 void PIA_TCP::Undelivered(uint64_t seq, int len, bool is_orig)
 	{
-	tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, is_orig);
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, is_orig);
 	if ( stream_buffer.state == BUFFERING )
 		// We use data=nil to mark an undelivered.
@ -435,3 +435,5 @@ void PIA_TCP::ReplayStreamBuffer(zeek::analyzer::Analyzer* analyzer)
 			analyzer->NextUndelivered(b->seq, b->len, b->is_orig);
 		}
 	}
 } // namespace zeek::analyzer::pia
--- a/src/analyzer/protocol/pia/PIA.h
+++ b/src/analyzer/protocol/pia/PIA.h
@ -8,7 +8,7 @@
 ZEEK_FORWARD_DECLARE_NAMESPACED(RuleEndpointState, zeek::detail);
-namespace analyzer { namespace pia {
+namespace zeek::analyzer::pia {
 // Abstract PIA class providing common functionality for both TCP and UDP.
 // Accepts only packet input.
@ -118,10 +118,10 @@ protected:
 // PIA for TCP.  Accepts both packet and stream input (and reassembles
 // packets before passing payload on to children).
-class PIA_TCP : public PIA, public tcp::TCP_ApplicationAnalyzer {
+class PIA_TCP : public PIA, public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
 public:
 	explicit PIA_TCP(zeek::Connection* conn)
-		: PIA(this), tcp::TCP_ApplicationAnalyzer("PIA_TCP", conn)
+		: PIA(this), zeek::analyzer::tcp::TCP_ApplicationAnalyzer("PIA_TCP", conn)
 		{ stream_mode = false; SetConn(conn); }
 	~PIA_TCP() override;
@ -172,4 +172,10 @@ private:
 	bool stream_mode;
 };
-} } // namespace analyzer::*
+} // namespace zeek::analyzer::pia
 namespace analzyer::pia {
 	using PIA [[deprecated("Remove in v4.1. Use zeek::analyzer::pia::PIA.")]] = zeek::analyzer::pia::PIA;
 	using PIA_TCP [[deprecated("Remove in v4.1. Use zeek::analyzer::pia::PIA_TCP.")]] = zeek::analyzer::pia::PIA_TCP;
 	using PIA_UDP [[deprecated("Remove in v4.1. Use zeek::analyzer::pia::PIA_UDP.")]] = zeek::analyzer::pia::PIA_UDP;
 }
--- a/src/analyzer/protocol/pia/Plugin.cc
+++ b/src/analyzer/protocol/pia/Plugin.cc
@ -11,8 +11,8 @@ class Plugin : public zeek::plugin::Plugin {
 public:
 	zeek::plugin::Configuration Configure() override
 		{
-		AddComponent(new zeek::analyzer::Component("PIA_TCP", ::analyzer::pia::PIA_TCP::Instantiate));
+		AddComponent(new zeek::analyzer::Component("PIA_TCP", zeek::analyzer::pia::PIA_TCP::Instantiate));
-		AddComponent(new zeek::analyzer::Component("PIA_UDP", ::analyzer::pia::PIA_UDP::Instantiate));
+		AddComponent(new zeek::analyzer::Component("PIA_UDP", zeek::analyzer::pia::PIA_UDP::Instantiate));
 		zeek::plugin::Configuration config;
 		config.name = "Zeek::PIA";
--- a/src/analyzer/protocol/pop3/POP3.cc
+++ b/src/analyzer/protocol/pop3/POP3.cc
@ -27,7 +27,7 @@ static const char* pop3_cmd_word[] = {
 POP3_Analyzer::POP3_Analyzer(zeek::Connection* conn)
-: tcp::TCP_ApplicationAnalyzer("POP3", conn)
+: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("POP3", conn)
 	{
 	masterState = POP3_START;
 	subState = POP3_WOK;
@ -45,10 +45,10 @@ POP3_Analyzer::POP3_Analyzer(zeek::Connection* conn)
 	mail = nullptr;
-	cl_orig = new tcp::ContentLine_Analyzer(conn, true);
+	cl_orig = new zeek::analyzer::tcp::ContentLine_Analyzer(conn, true);
 	AddSupportAnalyzer(cl_orig);
-	cl_resp = new tcp::ContentLine_Analyzer(conn, false);
+	cl_resp = new zeek::analyzer::tcp::ContentLine_Analyzer(conn, false);
 	AddSupportAnalyzer(cl_resp);
 	}
@ -58,7 +58,7 @@ POP3_Analyzer::~POP3_Analyzer()
 void POP3_Analyzer::Done()
 	{
-	tcp::TCP_ApplicationAnalyzer::Done();
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done();
 	if ( mail )
 		EndData();
@ -67,7 +67,7 @@ void POP3_Analyzer::Done()
 void POP3_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 	{
-	tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
 	if ( tls )
 		{
--- a/src/analyzer/protocol/pop3/POP3.h
+++ b/src/analyzer/protocol/pop3/POP3.h
@ -61,7 +61,7 @@ typedef enum {
 	POP3_WOK,
 } POP3_SubState;
-class POP3_Analyzer final : public tcp::TCP_ApplicationAnalyzer {
+class POP3_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
 public:
 	explicit POP3_Analyzer(zeek::Connection* conn);
 	~POP3_Analyzer() override;
@ -110,8 +110,8 @@ protected:
 private:
 	bool tls;
-	tcp::ContentLine_Analyzer* cl_orig;
+	zeek::analyzer::tcp::ContentLine_Analyzer* cl_orig;
-	tcp::ContentLine_Analyzer* cl_resp;
+	zeek::analyzer::tcp::ContentLine_Analyzer* cl_resp;
 };
 } } // namespace analyzer::*
--- a/src/analyzer/protocol/rdp/RDP.cc
+++ b/src/analyzer/protocol/rdp/RDP.cc
@ -7,7 +7,7 @@
 using namespace analyzer::rdp;
 RDP_Analyzer::RDP_Analyzer(zeek::Connection* c)
-	: tcp::TCP_ApplicationAnalyzer("RDP", c)
+	: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("RDP", c)
 	{
 	interp = new binpac::RDP::RDP_Conn(this);
@ -22,7 +22,7 @@ RDP_Analyzer::~RDP_Analyzer()
 void RDP_Analyzer::Done()
 	{
-	tcp::TCP_ApplicationAnalyzer::Done();
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done();
 	interp->FlowEOF(true);
 	interp->FlowEOF(false);
@ -30,13 +30,13 @@ void RDP_Analyzer::Done()
 void RDP_Analyzer::EndpointEOF(bool is_orig)
 	{
-	tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
 	interp->FlowEOF(is_orig);
 	}
 void RDP_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 	{
-	tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
 	assert(TCP());
 	if ( TCP()->IsPartial() )
@ -56,7 +56,7 @@ void RDP_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 			{
 			if ( ! pia )
 				{
-				pia = new pia::PIA_TCP(Conn());
+				pia = new zeek::analyzer::pia::PIA_TCP(Conn());
 				if ( ! AddChildAnalyzer(pia) )
 					{
@ -95,7 +95,7 @@ void RDP_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 void RDP_Analyzer::Undelivered(uint64_t seq, int len, bool orig)
 	{
-	tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
 	had_gap = true;
 	interp->NewGap(orig, len);
 	}
--- a/src/analyzer/protocol/rdp/RDP.h
+++ b/src/analyzer/protocol/rdp/RDP.h
@ -7,7 +7,7 @@
 namespace analyzer { namespace rdp {
-class RDP_Analyzer final : public tcp::TCP_ApplicationAnalyzer {
+class RDP_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
 public:
 	explicit RDP_Analyzer(zeek::Connection* conn);
@ -26,7 +26,7 @@ protected:
 	binpac::RDP::RDP_Conn* interp;
 	bool had_gap;
-	pia::PIA_TCP *pia;
+	zeek::analyzer::pia::PIA_TCP *pia;
 };
 } } // namespace analyzer::*
--- a/src/analyzer/protocol/rfb/RFB.cc
+++ b/src/analyzer/protocol/rfb/RFB.cc
@ -10,7 +10,7 @@ using namespace analyzer::rfb;
 RFB_Analyzer::RFB_Analyzer(zeek::Connection* c)
-: tcp::TCP_ApplicationAnalyzer("RFB", c)
+: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("RFB", c)
 	{
 	interp = new binpac::RFB::RFB_Conn(this);
@ -25,7 +25,7 @@ RFB_Analyzer::~RFB_Analyzer()
 void RFB_Analyzer::Done()
 	{
-	tcp::TCP_ApplicationAnalyzer::Done();
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done();
 	interp->FlowEOF(true);
 	interp->FlowEOF(false);
@ -34,13 +34,13 @@ void RFB_Analyzer::Done()
 void RFB_Analyzer::EndpointEOF(bool is_orig)
 	{
-	tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
 	interp->FlowEOF(is_orig);
 	}
 void RFB_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 	{
-	tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
 	assert(TCP());
 	if ( TCP()->IsPartial() )
 		return;
@ -72,7 +72,7 @@ void RFB_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 void RFB_Analyzer::Undelivered(uint64_t seq, int len, bool orig)
 	{
-	tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
 	had_gap = true;
 	interp->NewGap(orig, len);
 	}
--- a/src/analyzer/protocol/rfb/RFB.h
+++ b/src/analyzer/protocol/rfb/RFB.h
@ -9,7 +9,7 @@
 namespace analyzer { namespace rfb {
-class RFB_Analyzer final : public tcp::TCP_ApplicationAnalyzer {
+class RFB_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
 public:
 	explicit RFB_Analyzer(zeek::Connection* conn);
@ -21,7 +21,7 @@ public:
 	void DeliverStream(int len, const u_char* data, bool orig) override;
 	void Undelivered(uint64_t seq, int len, bool orig) override;
-	// Overriden from tcp::TCP_ApplicationAnalyzer.
+	// Overriden from zeek::analyzer::tcp::TCP_ApplicationAnalyzer.
 	void EndpointEOF(bool is_orig) override;
 	static zeek::analyzer::Analyzer* InstantiateAnalyzer(zeek::Connection* conn)
--- a/src/analyzer/protocol/rpc/RPC.cc
+++ b/src/analyzer/protocol/rpc/RPC.cc
@ -414,7 +414,7 @@ bool RPC_Reasm_Buffer::ConsumeChunk(const u_char*& data, int& len)
 Contents_RPC::Contents_RPC(zeek::Connection* conn, bool orig,
                           RPC_Interpreter* arg_interp)
-	: tcp::TCP_SupportAnalyzer("CONTENTS_RPC", conn, orig)
+	: zeek::analyzer::tcp::TCP_SupportAnalyzer("CONTENTS_RPC", conn, orig)
 	{
 	interp = arg_interp;
 	state = WAIT_FOR_MESSAGE;
@ -426,7 +426,7 @@ Contents_RPC::Contents_RPC(zeek::Connection* conn, bool orig,
 void Contents_RPC::Init()
 	{
-	tcp::TCP_SupportAnalyzer::Init();
+	zeek::analyzer::tcp::TCP_SupportAnalyzer::Init();
 	}
 Contents_RPC::~Contents_RPC()
@ -435,7 +435,7 @@ Contents_RPC::~Contents_RPC()
 void Contents_RPC::Undelivered(uint64_t seq, int len, bool orig)
 	{
-	tcp::TCP_SupportAnalyzer::Undelivered(seq, len, orig);
+	zeek::analyzer::tcp::TCP_SupportAnalyzer::Undelivered(seq, len, orig);
 	NeedResync();
 	}
@ -454,12 +454,12 @@ bool Contents_RPC::CheckResync(int& len, const u_char*& data, bool orig)
 		// is fully established we are in sync (since it's the first chunk
 		// of data after the SYN if its not established we need to
 		// resync.
-		tcp::TCP_Analyzer* tcp =
+		zeek::analyzer::tcp::TCP_Analyzer* tcp =
-			static_cast<tcp::TCP_ApplicationAnalyzer*>(Parent())->TCP();
+			static_cast<zeek::analyzer::tcp::TCP_ApplicationAnalyzer*>(Parent())->TCP();
 		assert(tcp);
 		if ( (IsOrig() ? tcp->OrigState() : tcp->RespState()) !=
-							tcp::TCP_ENDPOINT_ESTABLISHED )
+							zeek::analyzer::tcp::TCP_ENDPOINT_ESTABLISHED )
 			{
 			NeedResync();
 			}
@ -621,7 +621,7 @@ bool Contents_RPC::CheckResync(int& len, const u_char*& data, bool orig)
 void Contents_RPC::DeliverStream(int len, const u_char* data, bool orig)
 	{
-	tcp::TCP_SupportAnalyzer::DeliverStream(len, data, orig);
+	zeek::analyzer::tcp::TCP_SupportAnalyzer::DeliverStream(len, data, orig);
 	uint32_t marker;
 	bool last_frag;
@ -722,7 +722,7 @@ void Contents_RPC::DeliverStream(int len, const u_char* data, bool orig)
 RPC_Analyzer::RPC_Analyzer(const char* name, zeek::Connection* conn,
                           RPC_Interpreter* arg_interp)
-	: tcp::TCP_ApplicationAnalyzer(name, conn),
+	: zeek::analyzer::tcp::TCP_ApplicationAnalyzer(name, conn),
 	  interp(arg_interp), orig_rpc(), resp_rpc()
 	{
 	if ( Conn()->ConnTransport() == TRANSPORT_UDP )
@ -739,7 +739,7 @@ RPC_Analyzer::~RPC_Analyzer()
 void RPC_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
 					uint64_t seq, const zeek::IP_Hdr* ip, int caplen)
 	{
-	tcp::TCP_ApplicationAnalyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
 	len = std::min(len, caplen);
 	if ( orig )
@ -756,7 +756,7 @@ void RPC_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
 void RPC_Analyzer::Done()
 	{
-	tcp::TCP_ApplicationAnalyzer::Done();
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done();
 	interp->Timeout();
 	}
--- a/src/analyzer/protocol/rpc/RPC.h
+++ b/src/analyzer/protocol/rpc/RPC.h
@ -184,7 +184,7 @@ protected:
 };
 /* Support Analyzer for reassembling RPC-over-TCP messages */
-class Contents_RPC final : public tcp::TCP_SupportAnalyzer {
+class Contents_RPC final : public zeek::analyzer::tcp::TCP_SupportAnalyzer {
 public:
 	Contents_RPC(zeek::Connection* conn, bool orig, RPC_Interpreter* interp);
 	~Contents_RPC() override;
@ -230,7 +230,7 @@ protected:
 	int resync_toskip;
 };
-class RPC_Analyzer : public tcp::TCP_ApplicationAnalyzer {
+class RPC_Analyzer : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
 public:
 	RPC_Analyzer(const char* name, zeek::Connection* conn,
 			RPC_Interpreter* arg_interp);
--- a/src/analyzer/protocol/sip/SIP_TCP.cc
+++ b/src/analyzer/protocol/sip/SIP_TCP.cc
@ -10,7 +10,7 @@
 using namespace analyzer::sip_tcp;
 SIP_Analyzer::SIP_Analyzer(zeek::Connection* conn)
-	: tcp::TCP_ApplicationAnalyzer("SIP_TCP", conn)
+	: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("SIP_TCP", conn)
 	{
 	interp = new binpac::SIP_TCP::SIP_Conn(this);
 	had_gap = false;
@ -23,7 +23,7 @@ SIP_Analyzer::~SIP_Analyzer()
 void SIP_Analyzer::Done()
 	{
-	tcp::TCP_ApplicationAnalyzer::Done();
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done();
 	interp->FlowEOF(true);
 	interp->FlowEOF(false);
@ -31,13 +31,13 @@ void SIP_Analyzer::Done()
 void SIP_Analyzer::EndpointEOF(bool is_orig)
 	{
-	tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
 	interp->FlowEOF(is_orig);
 	}
 void SIP_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 	{
-	tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
 	assert(TCP());
 	if ( TCP()->IsPartial() )
@ -61,7 +61,7 @@ void SIP_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 void SIP_Analyzer::Undelivered(uint64_t seq, int len, bool orig)
 	{
-	tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
 	had_gap = true;
 	interp->NewGap(orig, len);
 	}
--- a/src/analyzer/protocol/sip/SIP_TCP.h
+++ b/src/analyzer/protocol/sip/SIP_TCP.h
@ -11,7 +11,7 @@
 namespace analyzer { namespace sip_tcp {
-class SIP_Analyzer final : public tcp::TCP_ApplicationAnalyzer {
+class SIP_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
 public:
 	explicit SIP_Analyzer(zeek::Connection* conn);
 	~SIP_Analyzer() override;
@ -20,7 +20,7 @@ public:
 	void DeliverStream(int len, const u_char* data, bool orig) override;
 	void Undelivered(uint64_t seq, int len, bool orig) override;
-	// Overriden from tcp::TCP_ApplicationAnalyzer.
+	// Overriden from zeek::analyzer::tcp::TCP_ApplicationAnalyzer.
 	void EndpointEOF(bool is_orig) override;
 	static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn)
--- a/src/analyzer/protocol/smb/SMB.cc
+++ b/src/analyzer/protocol/smb/SMB.cc
@ -7,7 +7,7 @@ using namespace analyzer::smb;
 #define SMB_MAX_LEN (1<<18)
 SMB_Analyzer::SMB_Analyzer(zeek::Connection* conn)
-: tcp::TCP_ApplicationAnalyzer("SMB", conn)
+: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("SMB", conn)
 	{
 	chunks=0;
 	interp = new binpac::SMB::SMB_Conn(this);
--- a/src/analyzer/protocol/smb/SMB.h
+++ b/src/analyzer/protocol/smb/SMB.h
@ -5,7 +5,7 @@
 namespace analyzer { namespace smb {
-class SMB_Analyzer final : public tcp::TCP_ApplicationAnalyzer {
+class SMB_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
 public:
 	explicit SMB_Analyzer(zeek::Connection* conn);
 	~SMB_Analyzer() override;
--- a/src/analyzer/protocol/smtp/SMTP.cc
+++ b/src/analyzer/protocol/smtp/SMTP.cc
@ -27,7 +27,7 @@ static const char* unknown_cmd = "(UNKNOWN)";
 SMTP_Analyzer::SMTP_Analyzer(zeek::Connection* conn)
-: tcp::TCP_ApplicationAnalyzer("SMTP", conn)
+: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("SMTP", conn)
 	{
 	expect_sender = false;
 	expect_recver = true;
@ -46,12 +46,12 @@ SMTP_Analyzer::SMTP_Analyzer(zeek::Connection* conn)
 	line_after_gap = nullptr;
 	mail = nullptr;
 	UpdateState(first_cmd, 0, true);
-	cl_orig = new tcp::ContentLine_Analyzer(conn, true);
+	cl_orig = new zeek::analyzer::tcp::ContentLine_Analyzer(conn, true);
 	cl_orig->SetIsNULSensitive(true);
 	cl_orig->SetSkipPartial(true);
 	AddSupportAnalyzer(cl_orig);
-	cl_resp = new tcp::ContentLine_Analyzer(conn, false);
+	cl_resp = new zeek::analyzer::tcp::ContentLine_Analyzer(conn, false);
 	cl_resp->SetIsNULSensitive(true);
 	cl_resp->SetSkipPartial(true);
 	AddSupportAnalyzer(cl_resp);
@ -59,7 +59,7 @@ SMTP_Analyzer::SMTP_Analyzer(zeek::Connection* conn)
 void SMTP_Analyzer::ConnectionFinished(bool half_finished)
 	{
-	tcp::TCP_ApplicationAnalyzer::ConnectionFinished(half_finished);
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::ConnectionFinished(half_finished);
 	if ( ! half_finished && mail )
 		EndData();
@ -72,7 +72,7 @@ SMTP_Analyzer::~SMTP_Analyzer()
 void SMTP_Analyzer::Done()
 	{
-	tcp::TCP_ApplicationAnalyzer::Done();
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done();
 	if ( mail )
 		EndData();
@ -80,7 +80,7 @@ void SMTP_Analyzer::Done()
 void SMTP_Analyzer::Undelivered(uint64_t seq, int len, bool is_orig)
 	{
-	tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, is_orig);
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, is_orig);
 	if ( len <= 0 )
 		return;
@ -118,7 +118,7 @@ void SMTP_Analyzer::Undelivered(uint64_t seq, int len, bool is_orig)
 void SMTP_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 	{
-	tcp::TCP_ApplicationAnalyzer::DeliverStream(length, line, orig);
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(length, line, orig);
 	// If an TLS transaction has been initiated, forward to child and abort.
 	if ( state == SMTP_IN_TLS )
--- a/src/analyzer/protocol/smtp/SMTP.h
+++ b/src/analyzer/protocol/smtp/SMTP.h
@ -35,7 +35,7 @@ typedef enum {
 } SMTP_State;
-class SMTP_Analyzer final : public tcp::TCP_ApplicationAnalyzer {
+class SMTP_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
 public:
 	explicit SMTP_Analyzer(zeek::Connection* conn);
 	~SMTP_Analyzer() override;
@ -90,8 +90,8 @@ protected:
 	mime::MIME_Mail* mail;
 private:
-	tcp::ContentLine_Analyzer* cl_orig;
+	zeek::analyzer::tcp::ContentLine_Analyzer* cl_orig;
-	tcp::ContentLine_Analyzer* cl_resp;
+	zeek::analyzer::tcp::ContentLine_Analyzer* cl_resp;
 };
 } } // namespace analyzer::*
--- a/src/analyzer/protocol/socks/SOCKS.cc
+++ b/src/analyzer/protocol/socks/SOCKS.cc
@ -7,7 +7,7 @@
 using namespace analyzer::socks;
 SOCKS_Analyzer::SOCKS_Analyzer(zeek::Connection* conn)
-: tcp::TCP_ApplicationAnalyzer("SOCKS", conn)
+: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("SOCKS", conn)
 	{
 	interp = new binpac::SOCKS::SOCKS_Conn(this);
 	orig_done = resp_done = false;
@ -29,7 +29,7 @@ void SOCKS_Analyzer::EndpointDone(bool orig)
 void SOCKS_Analyzer::Done()
 	{
-	tcp::TCP_ApplicationAnalyzer::Done();
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done();
 	interp->FlowEOF(true);
 	interp->FlowEOF(false);
@ -37,13 +37,13 @@ void SOCKS_Analyzer::Done()
 void SOCKS_Analyzer::EndpointEOF(bool is_orig)
 	{
-	tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
 	interp->FlowEOF(is_orig);
 	}
 void SOCKS_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 	{
-	tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
 	assert(TCP());
@ -60,7 +60,7 @@ void SOCKS_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 		// are done with their part of the SOCKS protocol.
 		if ( ! pia )
 			{
-			pia = new pia::PIA_TCP(Conn());
+			pia = new zeek::analyzer::pia::PIA_TCP(Conn());
 			if ( AddChildAnalyzer(pia) )
 				{
 				pia->FirstPacket(true, nullptr);
@ -87,6 +87,6 @@ void SOCKS_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 void SOCKS_Analyzer::Undelivered(uint64_t seq, int len, bool orig)
 	{
-	tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
 	interp->NewGap(orig, len);
 	}
--- a/src/analyzer/protocol/socks/SOCKS.h
+++ b/src/analyzer/protocol/socks/SOCKS.h
@ -13,7 +13,7 @@ namespace binpac  {
 namespace analyzer { namespace socks {
-class SOCKS_Analyzer final : public tcp::TCP_ApplicationAnalyzer {
+class SOCKS_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
 public:
 	explicit SOCKS_Analyzer(zeek::Connection* conn);
 	~SOCKS_Analyzer() override;
@ -33,7 +33,7 @@ protected:
 	bool orig_done;
 	bool resp_done;
-	pia::PIA_TCP *pia;
+	zeek::analyzer::pia::PIA_TCP *pia;
 	binpac::SOCKS::SOCKS_Conn* interp;
 };
--- a/src/analyzer/protocol/ssh/SSH.cc
+++ b/src/analyzer/protocol/ssh/SSH.cc
@ -12,7 +12,7 @@
 using namespace analyzer::SSH;
 SSH_Analyzer::SSH_Analyzer(zeek::Connection* c)
-	: tcp::TCP_ApplicationAnalyzer("SSH", c)
+	: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("SSH", c)
 	{
 	interp = new binpac::SSH::SSH_Conn(this);
 	had_gap = false;
@ -30,7 +30,7 @@ SSH_Analyzer::~SSH_Analyzer()
 void SSH_Analyzer::Done()
 	{
-	tcp::TCP_ApplicationAnalyzer::Done();
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done();
 	interp->FlowEOF(true);
 	interp->FlowEOF(false);
@ -38,13 +38,13 @@ void SSH_Analyzer::Done()
 void SSH_Analyzer::EndpointEOF(bool is_orig)
 	{
-	tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
 	interp->FlowEOF(is_orig);
 	}
 void SSH_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 	{
-	tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
 	assert(TCP());
 	if ( TCP()->IsPartial() )
@ -83,7 +83,7 @@ void SSH_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 void SSH_Analyzer::Undelivered(uint64_t seq, int len, bool orig)
 	{
-	tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
 	had_gap = true;
 	interp->NewGap(orig, len);
 	}
--- a/src/analyzer/protocol/ssh/SSH.h
+++ b/src/analyzer/protocol/ssh/SSH.h
@ -9,7 +9,7 @@
 namespace analyzer {
 	namespace SSH {
-		class SSH_Analyzer final : public tcp::TCP_ApplicationAnalyzer {
+		class SSH_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
 		public:
 			explicit SSH_Analyzer(zeek::Connection* conn);
@ -20,7 +20,7 @@ namespace analyzer {
 			void DeliverStream(int len, const u_char* data, bool orig) override;
 			void Undelivered(uint64_t seq, int len, bool orig) override;
-			// Overriden from tcp::TCP_ApplicationAnalyzer.
+			// Overriden from zeek::analyzer::tcp::TCP_ApplicationAnalyzer.
 			void EndpointEOF(bool is_orig) override;
 			static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn)
--- a/src/analyzer/protocol/ssl/SSL.cc
+++ b/src/analyzer/protocol/ssl/SSL.cc
@ -11,7 +11,7 @@
 using namespace analyzer::ssl;
 SSL_Analyzer::SSL_Analyzer(zeek::Connection* c)
-: tcp::TCP_ApplicationAnalyzer("SSL", c)
+: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("SSL", c)
 	{
 	interp = new binpac::SSL::SSL_Conn(this);
 	handshake_interp = new binpac::TLSHandshake::Handshake_Conn(this);
@ -26,7 +26,7 @@ SSL_Analyzer::~SSL_Analyzer()
 void SSL_Analyzer::Done()
 	{
-	tcp::TCP_ApplicationAnalyzer::Done();
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done();
 	interp->FlowEOF(true);
 	interp->FlowEOF(false);
@ -36,7 +36,7 @@ void SSL_Analyzer::Done()
 void SSL_Analyzer::EndpointEOF(bool is_orig)
 	{
-	tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
 	interp->FlowEOF(is_orig);
 	handshake_interp->FlowEOF(is_orig);
 	}
@ -50,7 +50,7 @@ void SSL_Analyzer::StartEncryption()
 void SSL_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 	{
-	tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
 	assert(TCP());
 	if ( TCP()->IsPartial() )
@ -86,7 +86,7 @@ void SSL_Analyzer::SendHandshake(uint16_t raw_tls_version, const u_char* begin,
 void SSL_Analyzer::Undelivered(uint64_t seq, int len, bool orig)
 	{
-	tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
 	had_gap = true;
 	interp->NewGap(orig, len);
 	}
--- a/src/analyzer/protocol/ssl/SSL.h
+++ b/src/analyzer/protocol/ssl/SSL.h
@ -10,7 +10,7 @@ namespace binpac { namespace TLSHandshake { class Handshake_Conn; } }
 namespace analyzer { namespace ssl {
-class SSL_Analyzer final : public tcp::TCP_ApplicationAnalyzer {
+class SSL_Analyzer final : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
 public:
 	explicit SSL_Analyzer(zeek::Connection* conn);
 	~SSL_Analyzer() override;
@ -25,7 +25,7 @@ public:
 	// Tell the analyzer that encryption has started.
 	void StartEncryption();
-	// Overriden from tcp::TCP_ApplicationAnalyzer.
+	// Overriden from zeek::analyzer::tcp::TCP_ApplicationAnalyzer.
 	void EndpointEOF(bool is_orig) override;
 	static zeek::analyzer::Analyzer* Instantiate(zeek::Connection* conn)
--- a/src/analyzer/protocol/stepping-stone/Plugin.cc
+++ b/src/analyzer/protocol/stepping-stone/Plugin.cc
@ -11,7 +11,7 @@ class Plugin : public zeek::plugin::Plugin {
 public:
 	zeek::plugin::Configuration Configure() override
 		{
-		AddComponent(new zeek::analyzer::Component("SteppingStone", ::analyzer::stepping_stone::SteppingStone_Analyzer::Instantiate));
+		AddComponent(new zeek::analyzer::Component("SteppingStone", zeek::analyzer::stepping_stone::SteppingStone_Analyzer::Instantiate));
 		zeek::plugin::Configuration config;
 		config.name = "Zeek::SteppingStone";
--- a/src/analyzer/protocol/stepping-stone/SteppingStone.cc
+++ b/src/analyzer/protocol/stepping-stone/SteppingStone.cc
@ -13,9 +13,9 @@
 #include "util.h"
 #include "events.bif.h"
-using namespace analyzer::stepping_stone;
+namespace zeek::analyzer::stepping_stone {
-SteppingStoneEndpoint::SteppingStoneEndpoint(tcp::TCP_Endpoint* e, SteppingStoneManager* m)
+SteppingStoneEndpoint::SteppingStoneEndpoint(zeek::analyzer::tcp::TCP_Endpoint* e, SteppingStoneManager* m)
 	{
 	endp = e;
 	stp_max_top_seq = 0;
@ -61,8 +61,8 @@ void SteppingStoneEndpoint::Done()
 	}
 bool SteppingStoneEndpoint::DataSent(double t, uint64_t seq, int len, int caplen,
-		const u_char* data, const zeek::IP_Hdr* /* ip */,
+                                     const u_char* data, const zeek::IP_Hdr* /* ip */,
-		const struct tcphdr* tp)
+                                     const struct tcphdr* tp)
 	{
 	if ( caplen < len )
 		len = caplen;
@ -153,7 +153,7 @@ void SteppingStoneEndpoint::CreateEndpEvent(bool is_orig)
 	}
 SteppingStone_Analyzer::SteppingStone_Analyzer(zeek::Connection* c)
-: tcp::TCP_ApplicationAnalyzer("STEPPINGSTONE", c)
+	: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("STEPPINGSTONE", c)
 	{
 	stp_manager = zeek::sessions->GetSTPManager();
@ -163,7 +163,7 @@ SteppingStone_Analyzer::SteppingStone_Analyzer(zeek::Connection* c)
 void SteppingStone_Analyzer::Init()
 	{
-	tcp::TCP_ApplicationAnalyzer::Init();
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Init();
 	assert(TCP());
 	orig_endp = new SteppingStoneEndpoint(TCP()->Orig(), stp_manager);
@ -171,11 +171,11 @@ void SteppingStone_Analyzer::Init()
 	}
 void SteppingStone_Analyzer::DeliverPacket(int len, const u_char* data,
-						bool is_orig, uint64_t seq,
+                                           bool is_orig, uint64_t seq,
-						const zeek::IP_Hdr* ip, int caplen)
+                                           const zeek::IP_Hdr* ip, int caplen)
 	{
-	tcp::TCP_ApplicationAnalyzer::DeliverPacket(len, data, is_orig, seq,
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverPacket(len, data, is_orig, seq,
-						ip, caplen);
+	                                                            ip, caplen);
 	if ( is_orig )
 		orig_endp->DataSent(network_time, seq, len, caplen, data, nullptr, nullptr);
@ -186,7 +186,7 @@ void SteppingStone_Analyzer::DeliverPacket(int len, const u_char* data,
 void SteppingStone_Analyzer::DeliverStream(int len, const u_char* data,
 						bool is_orig)
 	{
-	tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, is_orig);
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, is_orig);
 	if ( is_orig )
 		{
@ -205,7 +205,7 @@ void SteppingStone_Analyzer::DeliverStream(int len, const u_char* data,
 void SteppingStone_Analyzer::Done()
 	{
-	tcp::TCP_ApplicationAnalyzer::Done();
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done();
 	orig_endp->Done();
 	resp_endp->Done();
@ -213,3 +213,5 @@ void SteppingStone_Analyzer::Done()
 	Unref(orig_endp);
 	Unref(resp_endp);
 	}
 } // namespace zeek::analyzer::stepping_stone
--- a/src/analyzer/protocol/stepping-stone/SteppingStone.h
+++ b/src/analyzer/protocol/stepping-stone/SteppingStone.h
@ -7,25 +7,25 @@
 ZEEK_FORWARD_DECLARE_NAMESPACED(NetSessions, zeek);
-namespace analyzer::stepping_stone {
+namespace zeek::analyzer::stepping_stone {
 class SteppingStoneEndpoint;
 class SteppingStoneManager;
 class SteppingStoneEndpoint : public zeek::Obj {
 public:
-	SteppingStoneEndpoint(tcp::TCP_Endpoint* e, SteppingStoneManager* m);
+	SteppingStoneEndpoint(zeek::analyzer::tcp::TCP_Endpoint* e, SteppingStoneManager* m);
 	~SteppingStoneEndpoint() override;
 	void Done();
 	bool DataSent(double t, uint64_t seq, int len, int caplen, const u_char* data,
-		     const zeek::IP_Hdr* ip, const struct tcphdr* tp);
+	              const zeek::IP_Hdr* ip, const struct tcphdr* tp);
 protected:
 	void Event(zeek::EventHandlerPtr f, int id1, int id2 = -1);
 	void CreateEndpEvent(bool is_orig);
-	tcp::TCP_Endpoint* endp;
+	zeek::analyzer::tcp::TCP_Endpoint* endp;
 	uint64_t stp_max_top_seq;
 	double stp_last_time;
 	double stp_resume_time;
@ -40,7 +40,7 @@ protected:
 	std::map<int, SteppingStoneEndpoint*> stp_outbound_endps;
 };
-class SteppingStone_Analyzer : public tcp::TCP_ApplicationAnalyzer {
+class SteppingStone_Analyzer : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
 public:
 	explicit SteppingStone_Analyzer(zeek::Connection* c);
 	~SteppingStone_Analyzer() override {};
@ -55,7 +55,7 @@ protected:
 	// We support both packet and stream input and can be put in place even
 	// if the TCP analyzer is not yet reassebmling.
 	void DeliverPacket(int len, const u_char* data, bool is_orig,
-					uint64_t seq, const zeek::IP_Hdr* ip, int caplen) override;
+	                   uint64_t seq, const zeek::IP_Hdr* ip, int caplen) override;
 	void DeliverStream(int len, const u_char* data, bool is_orig) override;
 	int orig_stream_pos;
@ -82,3 +82,9 @@ protected:
 };
 } // namespace analyzer::stepping_stone
 namespace analyzer::stepping_stone {
 	using SteppingStoneEndpoint [[deprecated("Remove in v4.1. Use zeek::analyzer::stepping_stone::SteppingStoneEndpoint.")]] = zeek::analyzer::stepping_stone::SteppingStoneEndpoint;
 	using SteppingStone_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::stepping_stone::SteppingStone_Analyzer.")]] = zeek::analyzer::stepping_stone::SteppingStone_Analyzer;
 	using SteppingStoneManager [[deprecated("Remove in v4.1. Use zeek::analyzer::stepping_stone::SteppingStoneManager.")]] = zeek::analyzer::stepping_stone::SteppingStoneManager;
 } // namespace analyzer::stepping_stone
--- a/src/analyzer/protocol/syslog/Syslog.cc
+++ b/src/analyzer/protocol/syslog/Syslog.cc
@ -50,7 +50,7 @@ void Syslog_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint
 //	}
 //Syslog_tcp::TCP_Analyzer::Syslog_tcp::TCP_Analyzer(zeek::Connection* conn)
-//: tcp::TCP_ApplicationAnalyzer(conn)
+//: zeek::analyzer::tcp::TCP_ApplicationAnalyzer(conn)
 //	{
 //	interp = new binpac::Syslog_on_TCP::Syslog_TCP_Conn(this);
 //	}
@ -62,7 +62,7 @@ void Syslog_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint
 //void Syslog_tcp::TCP_Analyzer::Done()
 //	{
-//	tcp::TCP_ApplicationAnalyzer::Done();
+//	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done();
 //
 //	interp->FlowEOF(true);
 //	interp->FlowEOF(false);
@ -70,14 +70,14 @@ void Syslog_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint
 //void Syslog_tcp::TCP_Analyzer::EndpointEOF(tcp::TCP_Reassembler* endp)
 //	{
-//	tcp::TCP_ApplicationAnalyzer::EndpointEOF(endp);
+//	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(endp);
 //	interp->FlowEOF(endp->IsOrig());
 //	}
 //void Syslog_tcp::TCP_Analyzer::DeliverStream(int len, const u_char* data,
 //						bool orig)
 //	{
-//	tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
+//	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
 //
 //	assert(TCP());
 //
@ -90,6 +90,6 @@ void Syslog_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint
 //void Syslog_tcp::TCP_Analyzer::Undelivered(uint64_t seq, int len, bool orig)
 //	{
-//	tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
+//	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
 //	interp->NewGap(orig, len);
 //	}
--- a/src/analyzer/protocol/syslog/Syslog.h
+++ b/src/analyzer/protocol/syslog/Syslog.h
@ -28,7 +28,7 @@ protected:
 // #include "Syslog_tcp_pac.h"
 //
-//class Syslog_tcp::TCP_Analyzer : public tcp::TCP_ApplicationAnalyzer {
+//class Syslog_tcp::TCP_Analyzer : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer {
 //public:
 //	Syslog_tcp::TCP_Analyzer(zeek::Connection* conn);
 //	virtual ~Syslog_tcp::TCP_Analyzer();
--- a/src/analyzer/protocol/tcp/ContentLine.cc
+++ b/src/analyzer/protocol/tcp/ContentLine.cc
@ -4,7 +4,7 @@
 #include "events.bif.h"
-using namespace analyzer::tcp;
+namespace zeek::analyzer::tcp {
 ContentLine_Analyzer::ContentLine_Analyzer(zeek::Connection* conn, bool orig, int max_line_length)
 : TCP_SupportAnalyzer("CONTENTLINE", conn, orig), max_line_length(max_line_length)
@ -338,3 +338,5 @@ void ContentLine_Analyzer::SkipBytes(int64_t length)
 	skip_pending = 0;
 	seq_to_skip = SeqDelivered() + length;
 	}
 } // namespace zeek::analyzer::tcp
--- a/src/analyzer/protocol/tcp/ContentLine.h
+++ b/src/analyzer/protocol/tcp/ContentLine.h
@ -4,13 +4,13 @@
 #include "analyzer/protocol/tcp/TCP.h"
-namespace analyzer { namespace tcp {
+namespace zeek::analyzer::tcp {
 #define CR_as_EOL 1
 #define LF_as_EOL 2
 // Slightly smaller than 16MB so that the buffer is not unnecessarily resized to 32M.
-#define DEFAULT_MAX_LINE_LENGTH 16 * 1024 * 1024 - 100
+constexpr auto DEFAULT_MAX_LINE_LENGTH = 16 * 1024 * 1024 - 100;
 class ContentLine_Analyzer : public TCP_SupportAnalyzer {
 public:
@ -114,4 +114,8 @@ protected:
 	bool skip_partial;
 };
-} } // namespace analyzer::*
+} // namespace zeek::analyzer::tcp
 namespace analyzer::tcp {
 	using ContentLine_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::tcp::ContentLine_Analyzer.")]] = zeek::analyzer::tcp::ContentLine_Analyzer;
 }
--- a/src/analyzer/protocol/tcp/Plugin.cc
+++ b/src/analyzer/protocol/tcp/Plugin.cc
@ -11,8 +11,8 @@ class Plugin : public zeek::plugin::Plugin {
 public:
 	zeek::plugin::Configuration Configure() override
 		{
-		AddComponent(new zeek::analyzer::Component("TCP", ::analyzer::tcp::TCP_Analyzer::Instantiate));
+		AddComponent(new zeek::analyzer::Component("TCP", zeek::analyzer::tcp::TCP_Analyzer::Instantiate));
-		AddComponent(new zeek::analyzer::Component("TCPStats", ::analyzer::tcp::TCPStats_Analyzer::Instantiate));
+		AddComponent(new zeek::analyzer::Component("TCPStats", zeek::analyzer::tcp::TCPStats_Analyzer::Instantiate));
 		AddComponent(new zeek::analyzer::Component("CONTENTLINE", nullptr));
 		AddComponent(new zeek::analyzer::Component("Contents", nullptr));
--- a/src/analyzer/protocol/tcp/Stats.cc
+++ b/src/analyzer/protocol/tcp/Stats.cc
@ -4,7 +4,7 @@
 #include "events.bif.h"
-using namespace analyzer::tcp;
+namespace zeek::analyzer::tcp {
 TCPStateStats::TCPStateStats()
 	{
@ -81,3 +81,5 @@ void TCPStateStats::PrintStats(zeek::File* file, const char* prefix)
 		file->Write("\n");
 		}
 	}
 } // namespace zeek::analyzer::tcp
--- a/src/analyzer/protocol/tcp/Stats.h
+++ b/src/analyzer/protocol/tcp/Stats.h
@ -3,7 +3,7 @@
 #include "TCP_Endpoint.h"
-namespace analyzer { namespace tcp {
+namespace zeek::analyzer::tcp {
 // A TCPStateStats object tracks the distribution of TCP states for
 // the currently active connections.
@ -65,4 +65,8 @@ private:
 	unsigned int state_cnt[TCP_ENDPOINT_RESET+1][TCP_ENDPOINT_RESET+1];
 };
-} } // namespace analyzer::*
+} // namespace zeek::analyzer::tcp
 namespace analyzer::tcp {
 	using TCPStateStats [[deprecated("Remove in v4.1. Use zeek::analyzer::tcp::TCPStateStats.")]] = zeek::analyzer::tcp::TCPStateStats;
 }
--- a/src/analyzer/protocol/tcp/TCP.cc
+++ b/src/analyzer/protocol/tcp/TCP.cc
@ -19,13 +19,13 @@
 #include "events.bif.h"
 #include "types.bif.h"
 using namespace analyzer::tcp;
 namespace { // local namespace
 	const bool DEBUG_tcp_data_sent = false;
 	const bool DEBUG_tcp_connection_close = false;
 }
 namespace zeek::analyzer::tcp {
 // The following are not included in all systems' tcp.h.
 #ifndef TH_ECE
@ -36,7 +36,6 @@ namespace { // local namespace
 #define TH_CWR  0x80
 #endif
 #define TOO_LARGE_SEQ_DELTA 1048576
 static const int ORIG = 1;
@ -822,7 +821,7 @@ void TCP_Analyzer::CheckPIA_FirstPacket(bool is_orig, const zeek::IP_Hdr* ip)
 	{
 	if ( is_orig && ! (first_packet_seen & ORIG) )
 		{
-		pia::PIA_TCP* pia = static_cast<pia::PIA_TCP*>(Conn()->GetPrimaryPIA());
+		auto* pia = static_cast<zeek::analyzer::pia::PIA_TCP*>(Conn()->GetPrimaryPIA());
 		if ( pia )
 			pia->FirstPacket(is_orig, ip);
 		first_packet_seen |= ORIG;
@ -830,7 +829,7 @@ void TCP_Analyzer::CheckPIA_FirstPacket(bool is_orig, const zeek::IP_Hdr* ip)
 	if ( ! is_orig && ! (first_packet_seen & RESP) )
 		{
-		pia::PIA_TCP* pia = static_cast<pia::PIA_TCP*>(Conn()->GetPrimaryPIA());
+		auto* pia = static_cast<zeek::analyzer::pia::PIA_TCP*>(Conn()->GetPrimaryPIA());
 		if ( pia )
 			pia->FirstPacket(is_orig, ip);
 		first_packet_seen |= RESP;
@ -838,8 +837,8 @@ void TCP_Analyzer::CheckPIA_FirstPacket(bool is_orig, const zeek::IP_Hdr* ip)
 	}
 uint64_t TCP_Analyzer::get_relative_seq(const TCP_Endpoint* endpoint,
-                                      uint32_t cur_base, uint32_t last,
+                                        uint32_t cur_base, uint32_t last,
-                                      uint32_t wraps, bool* underflow)
+                                        uint32_t wraps, bool* underflow)
 	{
 	int32_t delta = seq_delta(cur_base, last);
@ -2133,3 +2132,5 @@ void TCPStats_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig,
 	else
 		resp_stats->DataSent(network_time, seq, len, caplen, data, ip, nullptr);
 	}
 } // namespace zeek::analyzer::tcp
--- a/src/analyzer/protocol/tcp/TCP.h
+++ b/src/analyzer/protocol/tcp/TCP.h
@ -13,13 +13,13 @@
 // - TCP_ApplicationAnalyzer is an abstract base class for analyzers for a
 //   protocol running on top of TCP.
 //
 namespace analyzer { namespace pia { class PIA_TCP; } };
-namespace analyzer { namespace tcp {
+ZEEK_FORWARD_DECLARE_NAMESPACED(PIA_TCP, zeek, analyzer::pia);
 ZEEK_FORWARD_DECLARE_NAMESPACED(TCP_Endpoint, zeek, analyzer::tcp);
 ZEEK_FORWARD_DECLARE_NAMESPACED(TCP_Reassembler, zeek, analyzer::tcp);
 ZEEK_FORWARD_DECLARE_NAMESPACED(TCP_ApplicationAnalyzer, zeek, analyzer::tcp);
-class TCP_Endpoint;
+namespace zeek::analyzer::tcp {
 class TCP_ApplicationAnalyzer;
 class TCP_Reassembler;
 class TCP_Analyzer final : public zeek::analyzer::TransportLayerAnalyzer {
 public:
@ -74,7 +74,7 @@ public:
 protected:
 	friend class TCP_ApplicationAnalyzer;
 	friend class TCP_Reassembler;
-	friend class analyzer::pia::PIA_TCP;
+	friend class zeek::analyzer::pia::PIA_TCP;
 	// Analyzer interface.
 	void Init() override;
@ -302,4 +302,12 @@ protected:
 	TCPStats_Endpoint* resp_stats;
 };
-} } // namespace analyzer::*
+} // namespace zeek::analyzer::tcp
 namespace analyzer::tcp {
 	using TCP_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::tcp::TCP_Analyzer.")]] = zeek::analyzer::tcp::TCP_Analyzer;
 	using TCP_ApplicationAnalyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::tcp::TCP_ApplicationAnalyzer.")]] = zeek::analyzer::tcp::TCP_ApplicationAnalyzer;
 	using TCP_SupportAnalyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::tcp::TCP_SupportAnalyzer.")]] = zeek::analyzer::tcp::TCP_SupportAnalyzer;
 	using TCPStats_Endpoint [[deprecated("Remove in v4.1. Use zeek::analyzer::tcp::TCPStats_Endpoint.")]] = zeek::analyzer::tcp::TCPStats_Endpoint;
 	using TCPStats_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::tcp::TCPStats_Analyzer.")]] = zeek::analyzer::tcp::TCPStats_Analyzer;
 }
--- a/src/analyzer/protocol/tcp/TCP_Endpoint.cc
+++ b/src/analyzer/protocol/tcp/TCP_Endpoint.cc
@ -14,7 +14,7 @@
 #include "events.bif.h"
-using namespace analyzer::tcp;
+namespace zeek::analyzer::tcp {
 TCP_Endpoint::TCP_Endpoint(TCP_Analyzer* arg_analyzer, bool arg_is_orig)
 	{
@ -319,3 +319,5 @@ void TCP_Endpoint::Gap(uint64_t seq, uint64_t len)
 					gap_cnt, gap_thresh) )
 		Conn()->HistoryThresholdEvent(tcp_multiple_gap, IsOrig(), t);
 	}
 } // namespace zeek::analyzer::tcp
--- a/src/analyzer/protocol/tcp/TCP_Endpoint.h
+++ b/src/analyzer/protocol/tcp/TCP_Endpoint.h
@ -7,13 +7,12 @@
 ZEEK_FORWARD_DECLARE_NAMESPACED(Connection, zeek);
 ZEEK_FORWARD_DECLARE_NAMESPACED(IP_Hdr, zeek);
 ZEEK_FORWARD_DECLARE_NAMESPACED(TCP_Analyzer, zeek, analyzer::tcp);
 ZEEK_FORWARD_DECLARE_NAMESPACED(TCP_Reassembler, zeek, analyzer::tcp);
-namespace analyzer { namespace tcp {
+namespace zeek::analyzer::tcp {
-class TCP_Analyzer;
+enum EndpointState {
 class TCP_Reassembler;
 typedef enum {
 	TCP_ENDPOINT_INACTIVE,	// no SYN (or other packets) seen for this side
 	TCP_ENDPOINT_SYN_SENT,	// SYN seen, but no ack
 	TCP_ENDPOINT_SYN_ACK_SENT,	// SYN ack seen, no initial SYN
@ -22,7 +21,7 @@ typedef enum {
 					// sent by responder)
 	TCP_ENDPOINT_CLOSED,	// FIN seen
 	TCP_ENDPOINT_RESET	// RST seen
-} EndpointState;
+};
 // One endpoint of a TCP connection.
 class TCP_Endpoint {
@ -253,4 +252,19 @@ protected:
 #define ENDIAN_BIG 2
 #define ENDIAN_CONFUSED 3
-} } // namespace analyzer::*
+} // namespace zeek::analyzer::tcp
 namespace analyzer::tcp {
 	using EndpointState [[deprecated("Remove in v4.1. Use zeek::analyzer::tcp::EndpointState.")]] = zeek::analyzer::tcp::EndpointState;
 	constexpr auto TCP_ENDPOINT_INACTIVE [[deprecated("Remove in v4.1. Use zeek::analyzer::tcp::TCP_ENDPOINT_INACTIVE.")]] = zeek::analyzer::tcp::TCP_ENDPOINT_INACTIVE;
 	constexpr auto TCP_ENDPOINT_SYN_SENT [[deprecated("Remove in v4.1. Use zeek::analyzer::tcp::TCP_ENDPOINT_SYN_SENT.")]] = zeek::analyzer::tcp::TCP_ENDPOINT_SYN_SENT;
 	constexpr auto TCP_ENDPOINT_SYN_ACK_SENT [[deprecated("Remove in v4.1. Use zeek::analyzer::tcp::TCP_ENDPOINT_SYN_ACK_SENT.")]] = zeek::analyzer::tcp::TCP_ENDPOINT_SYN_ACK_SENT;
 	constexpr auto TCP_ENDPOINT_PARTIAL [[deprecated("Remove in v4.1. Use zeek::analyzer::tcp::TCP_ENDPOINT_PARTIAL.")]] = zeek::analyzer::tcp::TCP_ENDPOINT_PARTIAL;
 	constexpr auto TCP_ENDPOINT_ESTABLISHED [[deprecated("Remove in v4.1. Use zeek::analyzer::tcp::TCP_ENDPOINT_ESTABLISHED.")]] = zeek::analyzer::tcp::TCP_ENDPOINT_ESTABLISHED;
 	constexpr auto TCP_ENDPOINT_CLOSED [[deprecated("Remove in v4.1. Use zeek::analyzer::tcp::TCP_ENDPOINT_CLOSED.")]] = zeek::analyzer::tcp::TCP_ENDPOINT_CLOSED;
 	constexpr auto TCP_ENDPOINT_RESET [[deprecated("Remove in v4.1. Use zeek::analyzer::tcp::TCP_ENDPOINT_RESET.")]] = zeek::analyzer::tcp::TCP_ENDPOINT_RESET;
 	using TCP_Endpoint [[deprecated("Remove in v4.1. Use zeek::analyzer::tcp::TCP_Endpoint.")]] = zeek::analyzer::tcp::TCP_Endpoint;
 } // namespace analyzer::tcp
--- a/Show more
+++ b/Show more