First prototype of new analyzer framework.

This is a larger internal change that moves the analyzer infrastructure to a more flexible model where the available analyzers don't need to be hardcoded at compile time anymore. While currently they actually still are, this will in the future enable external analyzer plugins. For now, it does already add the capability to dynamically enable/disable analyzers from script-land, replacing the old Analyzer::Available() methods. There are three major parts going into this: - A new plugin infrastructure in src/plugin. This is independent of analyzers and will eventually support plugins for other parts of Bro as well (think: readers and writers). The goal is that plugins can be alternatively compiled in statically or loadead dynamically at runtime from a shared library. While the latter isn't there yet, there'll be almost no code change for a plugin to make it dynamic later (hopefully :) - New analyzer infrastructure in src/analyzer. I've moved a number of analyzer-related classes here, including Analyzer and DPM; the latter now renamed to Analyzer::Manager. More will move here later. Currently, there's only one plugin here, which provides *all* existing analyzers. We can modularize this further in the future (or not). - A new script interface in base/framework/analyzer. I think that this will eventually replace the dpm framework, but for now that's still there as well, though some parts have moved over. I've also remove the dpd_config table; ports are now configured via the analyzer framework. For exmaple, for SSH: const ports = { 22/tcp } &redef; event bro_init() &priority=5 { ... Analyzer::register_for_ports(Analyzer::ANALYZER_SSH, ports); } As you can see, the old ANALYZER_SSH constants have more into an enum in the Analyzer namespace. This is all hardly tested right now, and not everything works yet. There's also a lot more cleanup to do (moving more classes around; removing no longer used functionality; documenting script and C++ interfaces; regression tests). But it seems to generally work with a small trace at least. The debug stream "dpm" shows more about the loaded/enabled analyzers. A new option -N lists loaded plugins and what they provide (including those compiled in statically; i.e., right now it outputs all the analyzers). This is all not cast-in-stone yet, for some things we need to see if they make sense this way. Feedback welcome.
2025-10-02 14:48:21 +00:00 · 2013-03-20 13:32:36 -07:00 · 2013-03-20 13:32:36 -07:00 · af1809aaa3
commit af1809aaa3
parent 9caf6e4884
166 changed files with 2717 additions and 1642 deletions
--- a/scripts/base/frameworks/analyzer/load.bro
+++ b/scripts/base/frameworks/analyzer/load.bro
@ -0,0 +1 @@
@load ./main
--- a/scripts/base/frameworks/analyzer/main.bro
+++ b/scripts/base/frameworks/analyzer/main.bro
@ -0,0 +1,119 @@
 module Analyzer;
 # Analyzer::Tag is defined in types.bif, and automatically extended by plugins
 # as they are loaded.
 export {
 	## XXX.
 	global enable_analyzer: function(tag: Analyzer::Tag) : bool;
 	## XXX.
 	global disable_analyzer: function(tag: Analyzer::Tag) : bool;
 	## XXX.
 	global register_for_ports: function(tag: Analyzer::Tag, ports: set[port]) : bool;
 	## XXX.
 	global register_for_port: function(tag: Analyzer::Tag, p: port) : bool;
 	## XXX.
 	global registered_ports: function(tag: Analyzer::Tag) : set[port];
 	## Translate an analyzer type to an ASCII string.
 	##
 	## atype: The analyzer tag.
 	##
 	## Returns: The analyzer *aid* as string.
 	global name: function(atype: Analyzer::Tag) : string;
 	## Schedules an analyzer for a future connection from a given IP address and
 	## port. The function ignores the scheduling request if the connection did
 	## not occur within the specified time interval.
 	##
 	## orig: The IP address originating a connection in the future.
 	##
 	## resp: The IP address responding to a connection from *orig*.
 	##
 	## resp_p: The destination port at *resp*.
 	##
 	## analyzer: The analyzer ID.
 	##
 	## tout: The timeout interval after which to ignore the scheduling request.
 	##
 	## Returns: True if succesful.
 	global expect_connection: function(orig: addr, resp: addr, resp_p: port,
 					   analyzer: Analyzer::Tag, tout: interval) : bool;
 	## Analyzers to disable at startup.
 	global disabled_analyzers: set[Analyzer::Tag] = {
 		ANALYZER_INTERCONN,
 		ANALYZER_STEPPINGSTONE,
 		ANALYZER_BACKDOOR,
 		ANALYZER_TCPSTATS,
 	}
 	&redef;
 }
@load base/analyzer.bif
 global ports: table[Analyzer::Tag] of set[port];
 event bro_init()
 	{
 	for ( a in disabled_analyzers )
 		disable_analyzer(a);
 	}
 function enable_analyzer(tag: Analyzer::Tag) : bool
 	{
 	return __enable_analyzer(tag);
 	}
 function disable_analyzer(tag: Analyzer::Tag) : bool
 	{
 	return __disable_analyzer(tag);
 	}
 function register_for_ports(tag: Analyzer::Tag, ports: set[port]) : bool
 	{
 	local rc = T;
 	for ( p in ports ) 
 		{
 		if ( ! register_for_port(tag, p) )
 			rc = F;
 		}
 	return rc;
 	}
 function register_for_port(tag: Analyzer::Tag, p: port) : bool
 	{
 	if ( ! __register_for_port(tag, p) )
 		return F;
 	if ( tag !in ports )
 		ports[tag] = set();
 	add ports[tag][p];
 	return T;
 	}
 function registered_ports(tag: Analyzer::Tag) : set[port]
 	{
 	return tag in ports ? ports[tag] : set();
 	}
 function name(atype: Analyzer::Tag) : string
 	{
 	return __name(atype);
 	}
 function expect_connection(orig: addr, resp: addr, resp_p: port,
 			   analyzer: Analyzer::Tag, tout: interval) : bool
 	{
 	return __expect_connection(orig, resp, resp_p, analyzer, tout);
 	}
--- a/scripts/base/frameworks/dpd/main.bro
+++ b/scripts/base/frameworks/dpd/main.bro
@ -41,22 +41,16 @@ redef record connection += {
 event bro_init() &priority=5
 	{
 	Log::create_stream(DPD::LOG, [$columns=Info]);
 	# Populate the internal DPD analysis variable.
 	for ( a in dpd_config )
 		{
 		for ( p in dpd_config[a]$ports )
 			{
 			if ( p !in dpd_analyzer_ports )
 				dpd_analyzer_ports[p] = set();
 			add dpd_analyzer_ports[p][a];
 			}
 		}
 	}
-event protocol_confirmation(c: connection, atype: count, aid: count) &priority=10
+function foo() : string
 	{
-	local analyzer = analyzer_name(atype);
+	return "HTTP";
 	}
 event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count) &priority=10
 	{
 	local analyzer = Analyzer::name(atype);
 	if ( fmt("-%s",analyzer) in c$service )
 		delete c$service[fmt("-%s", analyzer)];
@ -64,10 +58,10 @@ event protocol_confirmation(c: connection, atype: count, aid: count) &priority=1
 	add c$service[analyzer];
 	}
-event protocol_violation(c: connection, atype: count, aid: count,
+event protocol_violation(c: connection, atype: Analyzer::Tag, aid: count,
                         reason: string) &priority=10
 	{
-	local analyzer = analyzer_name(atype);
+	local analyzer = Analyzer::name(atype);
 	# If the service hasn't been confirmed yet, don't generate a log message
 	# for the protocol violation.
 	if ( analyzer !in c$service )
@ -86,7 +80,7 @@ event protocol_violation(c: connection, atype: count, aid: count,
 	c$dpd = info;
 	}
-event protocol_violation(c: connection, atype: count, aid: count, reason: string) &priority=5
+event protocol_violation(c: connection, atype: Analyzer::Tag, aid: count, reason: string) &priority=5
 	{
 	if ( !c?$dpd || aid in c$dpd$disabled_aids )
 		return;
@ -100,7 +94,7 @@ event protocol_violation(c: connection, atype: count, aid: count, reason: string
 	add c$dpd$disabled_aids[aid];
 	}
-event protocol_violation(c: connection, atype: count, aid: count,
+event protocol_violation(c: connection, atype: Analyzer::Tag, aid: count,
 				reason: string) &priority=-5
 	{
 	if ( c?$dpd )
--- a/scripts/base/frameworks/tunnels/main.bro
+++ b/scripts/base/frameworks/tunnels/main.bro
@ -83,19 +83,17 @@ export {
 }
 const ayiya_ports = { 5072/udp };
 redef dpd_config += { [ANALYZER_AYIYA] = [$ports = ayiya_ports] };
 const teredo_ports = { 3544/udp };
 redef dpd_config += { [ANALYZER_TEREDO] = [$ports = teredo_ports] };
 const gtpv1_ports = { 2152/udp, 2123/udp };
 redef dpd_config += { [ANALYZER_GTPV1] = [$ports = gtpv1_ports] };
 redef likely_server_ports += { ayiya_ports, teredo_ports, gtpv1_ports };
 event bro_init() &priority=5
 	{
 	Log::create_stream(Tunnel::LOG, [$columns=Info]);
 	Analyzer::register_for_ports(Analyzer::ANALYZER_AYIYA, ayiya_ports);
 	Analyzer::register_for_ports(Analyzer::ANALYZER_TEREDO, teredo_ports);
 	Analyzer::register_for_ports(Analyzer::ANALYZER_GTPV1, gtpv1_ports);
 	}
 function register_all(ecv: EncapsulatingConnVector)
--- a/scripts/base/init-bare.bro
+++ b/scripts/base/init-bare.bro
@ -2846,34 +2846,11 @@ const remote_trace_sync_peers = 0 &redef;
 ## consistency check.
 const remote_check_sync_consistency = F &redef;
 ## Analyzer tags. The core automatically defines constants
 ## ``ANALYZER_<analyzer-name>*``, e.g., ``ANALYZER_HTTP``.
 ##
 ## .. bro:see:: dpd_config
 ##
 ## .. todo::We should autodoc these automaticallty generated constants.
 type AnalyzerTag: count;
 ## Set of ports activating a particular protocol analysis.
 ##
 ## .. bro:see:: dpd_config
 type dpd_protocol_config: record {
 	ports: set[port] &optional;	##< Set of ports.
 };
 ## Port configuration for Bro's "dynamic protocol detection". Protocol
 ## analyzers can be activated via either well-known ports or content analysis.
 ## This table defines the ports.
 ##
 ## .. bro:see:: dpd_reassemble_first_packets dpd_buffer_size
 ##    dpd_match_only_beginning dpd_ignore_ports
 const dpd_config: table[AnalyzerTag] of dpd_protocol_config = {} &redef;
 ## Reassemble the beginning of all TCP connections before doing
 ## signature-matching. Enabling this provides more accurate matching at the
 ## expensive of CPU cycles.
 ##
-## .. bro:see:: dpd_config dpd_buffer_size
+## .. bro:see:: dpd_buffer_size
 ##    dpd_match_only_beginning dpd_ignore_ports
 ##
 ## .. note:: Despite the name, this option affects *all* signature matching, not
@ -2888,24 +2865,24 @@ const dpd_reassemble_first_packets = T &redef;
 ## activated afterwards. Then only analyzers that can deal with partial
 ## connections will be able to analyze the session.
 ##
-## .. bro:see:: dpd_reassemble_first_packets dpd_config dpd_match_only_beginning
+## .. bro:see:: dpd_reassemble_first_packets dpd_match_only_beginning
 ##    dpd_ignore_ports
 const dpd_buffer_size = 1024 &redef;
 ## If true, stops signature matching if dpd_buffer_size has been reached.
 ##
 ## .. bro:see:: dpd_reassemble_first_packets dpd_buffer_size
-##    dpd_config dpd_ignore_ports
+##    dpd_ignore_ports
 ##
 ## .. note:: Despite the name, this option affects *all* signature matching, not
 ##    only signatures used for dynamic protocol detection.
 const dpd_match_only_beginning = T &redef;
 ## If true, don't consider any ports for deciding which protocol analyzer to
-## use. If so, the value of :bro:see:`dpd_config` is ignored.
+## use. 
 ##
 ## .. bro:see:: dpd_reassemble_first_packets dpd_buffer_size
-##    dpd_match_only_beginning dpd_config
+##    dpd_match_only_beginning
 const dpd_ignore_ports = F &redef;
 ## Ports which the core considers being likely used by servers. For ports in
@ -2913,13 +2890,6 @@ const dpd_ignore_ports = F &redef;
 ## connection if it misses the initial handshake.
 const likely_server_ports: set[port] &redef;
 ## Deprated. Set of all ports for which we know an analyzer, built by
 ## :doc:`/scripts/base/frameworks/dpd/main`.
 ##
 ## .. todo::This should be defined by :doc:`/scripts/base/frameworks/dpd/main`
 ##    itself we still need it.
 global dpd_analyzer_ports: table[port] of set[AnalyzerTag];
 ## Per-incident timer managers are drained after this amount of inactivity.
 const timer_mgr_inactivity_timeout = 1 min &redef;
@ -3028,9 +2998,9 @@ module GLOBAL;
 ## Number of bytes per packet to capture from live interfaces.
 const snaplen = 8192 &redef;
-# Load the logging framework here because it uses fairly deep integration with
+# Load these frameworks here because it uses fairly deep integration with
 # BiFs and script-land defined types.
@load base/frameworks/logging
@load base/frameworks/input
@load base/frameworks/analyzer
--- a/scripts/base/init-default.bro
+++ b/scripts/base/init-default.bro
@ -20,6 +20,7 @@
 # loaded in base/init-bare.bro
 #@load base/frameworks/logging
@load base/frameworks/notice
@load base/frameworks/analyzer
@load base/frameworks/dpd
@load base/frameworks/signatures
@load base/frameworks/packet-filter
--- a/scripts/base/protocols/conn/inactivity.bro
+++ b/scripts/base/protocols/conn/inactivity.bro
@ -6,9 +6,9 @@ module Conn;
 export {
 	## Define inactivity timeouts by the service detected being used over
 	## the connection.
-	const analyzer_inactivity_timeouts: table[AnalyzerTag] of interval = {
+	const analyzer_inactivity_timeouts: table[Analyzer::Tag] of interval = {
 		# For interactive services, allow longer periods of inactivity.
-		[[ANALYZER_SSH, ANALYZER_FTP]] = 1 hrs,
+		[[Analyzer::ANALYZER_SSH, Analyzer::ANALYZER_FTP]] = 1 hrs,
 	} &redef;
 	## Define inactivity timeouts based on common protocol ports.
@ -18,7 +18,7 @@ export {
 }
-event protocol_confirmation(c: connection, atype: count, aid: count)
+event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count)
 	{
 	if ( atype in analyzer_inactivity_timeouts )
 		set_inactivity_timeout(c$id, analyzer_inactivity_timeouts[atype]);
--- a/scripts/base/protocols/dns/main.bro
+++ b/scripts/base/protocols/dns/main.bro
@ -117,19 +117,17 @@ redef capture_filters += {
 	["netbios-ns"] = "udp port 137",
 };
 const dns_ports = { 53/udp, 53/tcp, 137/udp, 5353/udp, 5355/udp };
 redef dpd_config += { [ANALYZER_DNS] = [$ports = dns_ports] };
 const dns_udp_ports = { 53/udp, 137/udp, 5353/udp, 5355/udp };
 const dns_tcp_ports = { 53/tcp };
 redef dpd_config += { [ANALYZER_DNS_UDP_BINPAC] = [$ports = dns_udp_ports] };
 redef dpd_config += { [ANALYZER_DNS_TCP_BINPAC] = [$ports = dns_tcp_ports] };
-redef likely_server_ports += { 53/udp, 53/tcp, 137/udp, 5353/udp, 5355/udp };
+redef likely_server_ports += { dns_udp_ports, dns_tcp_ports };
 event bro_init() &priority=5
 	{
 	Log::create_stream(DNS::LOG, [$columns=Info, $ev=log_dns]);
 	Analyzer::register_for_ports(Analyzer::ANALYZER_DNS_TCP_BINPAC, dns_tcp_ports);
 	Analyzer::register_for_ports(Analyzer::ANALYZER_DNS_UDP_BINPAC, dns_udp_ports);
 	}
 function new_session(c: connection, trans_id: count): Info
--- a/scripts/base/protocols/ftp/main.bro
+++ b/scripts/base/protocols/ftp/main.bro
@ -96,11 +96,10 @@ redef record connection += {
 };
 # Configure DPD
 const ports = { 21/tcp, 2811/tcp } &redef; # 2811/tcp is GridFTP.
 redef capture_filters += { ["ftp"] = "port 21 and port 2811" };
 redef dpd_config += { [ANALYZER_FTP] = [$ports = ports] };
-redef likely_server_ports += { 21/tcp, 2811/tcp };
+const ports = { 21/tcp, 2811/tcp };
 redef likely_server_ports += { ports };
 # Establish the variable for tracking expected connections.
 global ftp_data_expected: table[addr, port] of Info &create_expire=5mins;
@ -108,6 +107,7 @@ global ftp_data_expected: table[addr, port] of Info &create_expire=5mins;
 event bro_init() &priority=5
 	{
 	Log::create_stream(FTP::LOG, [$columns=Info, $ev=log_ftp]);
 	Analyzer::register_for_ports(Analyzer::ANALYZER_FTP, ports);
 	}
 ## A set of commands where the argument can be expected to refer
@ -228,7 +228,7 @@ event ftp_request(c: connection, command: string, arg: string) &priority=5
 			{
 			c$ftp$passive=F;
 			ftp_data_expected[data$h, data$p] = c$ftp;
-			expect_connection(id$resp_h, data$h, data$p, ANALYZER_FILE, 5mins);
+			Analyzer::expect_connection(id$resp_h, data$h, data$p, Analyzer::ANALYZER_FILE, 5mins);
 			}
 		else
 			{
@ -281,7 +281,7 @@ event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool) &prior
 				data$h = id$resp_h;
 			ftp_data_expected[data$h, data$p] = c$ftp;
-			expect_connection(id$orig_h, data$h, data$p, ANALYZER_FILE, 5mins);
+			Analyzer::expect_connection(id$orig_h, data$h, data$p, Analyzer::ANALYZER_FILE, 5mins);
 			}
 		else
 			{
--- a/scripts/base/protocols/http/main.bro
+++ b/scripts/base/protocols/http/main.bro
@ -119,29 +119,26 @@ redef record connection += {
 	http_state:  State &optional;
 };
 # Initialize the HTTP logging stream.
 event bro_init() &priority=5
 	{
 	Log::create_stream(HTTP::LOG, [$columns=Info, $ev=log_http]);
 	}
 # DPD configuration.
 const ports = {
 	80/tcp, 81/tcp, 631/tcp, 1080/tcp, 3128/tcp,
 	8000/tcp, 8080/tcp, 8888/tcp,
 };
 redef dpd_config += { 
 	[[ANALYZER_HTTP, ANALYZER_HTTP_BINPAC]] = [$ports = ports],
 };
 redef capture_filters +=  {
 	["http"] = "tcp and port (80 or 81 or 631 or 1080 or 3138 or 8000 or 8080 or 8888)"
 };
-redef likely_server_ports += { 
+const ports = {
-	80/tcp, 81/tcp, 631/tcp, 1080/tcp, 3138/tcp,
+	80/tcp, 81/tcp, 631/tcp, 1080/tcp, 3128/tcp,
 	8000/tcp, 8080/tcp, 8888/tcp,
 };
 redef likely_server_ports += { ports };
 # Initialize the HTTP logging stream and ports.
 event bro_init() &priority=5
 	{
 	Log::create_stream(HTTP::LOG, [$columns=Info, $ev=log_http]);
 	Analyzer::register_for_ports(Analyzer::ANALYZER_HTTP, ports);
 	}
 function code_in_range(c: count, min: count, max: count) : bool
 	{
 	return c >= min && c <= max;
--- a/scripts/base/protocols/irc/dcc-send.bro
+++ b/scripts/base/protocols/irc/dcc-send.bro
@ -104,7 +104,7 @@ event irc_dcc_message(c: connection, is_orig: bool,
 	c$irc$dcc_file_name = argument;
 	c$irc$dcc_file_size = size;
 	local p = count_to_port(dest_port, tcp);
-	expect_connection(to_addr("0.0.0.0"), address, p, ANALYZER_FILE, 5 min);
+	Analyzer::expect_connection(to_addr("0.0.0.0"), address, p, Analyzer::ANALYZER_FILE, 5 min);
 	dcc_expected_transfers[address, p] = c$irc;
 	}
--- a/scripts/base/protocols/irc/main.bro
+++ b/scripts/base/protocols/irc/main.bro
@ -45,14 +45,13 @@ redef capture_filters += { ["irc-6668"] = "port 6668" };
 redef capture_filters += { ["irc-6669"] = "port 6669" };
 # DPD configuration.
-const irc_ports = { 6666/tcp, 6667/tcp, 6668/tcp, 6669/tcp };
+const ports = { 6666/tcp, 6667/tcp, 6668/tcp, 6669/tcp };
-redef dpd_config += { [ANALYZER_IRC] = [$ports = irc_ports] };
+redef likely_server_ports += { ports };
 redef likely_server_ports += { 6666/tcp, 6667/tcp, 6668/tcp, 6669/tcp };
 event bro_init() &priority=5
 	{
 	Log::create_stream(IRC::LOG, [$columns=Info, $ev=irc_log]);
 	Analyzer::register_for_ports(Analyzer::ANALYZER_IRC, ports);
 	}
 function new_session(c: connection): Info
--- a/scripts/base/protocols/modbus/main.bro
+++ b/scripts/base/protocols/modbus/main.bro
@ -31,12 +31,14 @@ redef record connection += {
 # Configure DPD and the packet filter.
 redef capture_filters += { ["modbus"] = "tcp port 502" };
-redef dpd_config += { [ANALYZER_MODBUS] = [$ports = set(502/tcp)] };
+
-redef likely_server_ports += { 502/tcp };
+const ports = { 502/tcp };
 redef likely_server_ports += { ports };
 event bro_init() &priority=5
 	{
 	Log::create_stream(Modbus::LOG, [$columns=Info, $ev=log_modbus]);
 	Analyzer::register_for_ports(Analyzer::ANALYZER_MODBUS, ports);
 	}
 event modbus_message(c: connection, headers: ModbusHeaders, is_orig: bool) &priority=5
--- a/scripts/base/protocols/smtp/main.bro
+++ b/scripts/base/protocols/smtp/main.bro
@ -74,9 +74,6 @@ export {
 	const mail_path_capture = ALL_HOSTS &redef;
 	global log_smtp: event(rec: Info);
 	## Configure the default ports for SMTP analysis.
 	const ports = { 25/tcp, 587/tcp } &redef;
 }
 redef record connection += { 
@ -86,13 +83,14 @@ redef record connection += {
 # Configure DPD
 redef capture_filters += { ["smtp"] = "tcp port 25 or tcp port 587" };
 redef dpd_config += { [ANALYZER_SMTP] = [$ports = ports] };
-redef likely_server_ports += { 25/tcp, 587/tcp };
+const ports = { 25/tcp, 587/tcp };
 redef likely_server_ports += { ports };
 event bro_init() &priority=5
 	{
 	Log::create_stream(SMTP::LOG, [$columns=SMTP::Info, $ev=log_smtp]);
 	Analyzer::register_for_ports(Analyzer::ANALYZER_SMTP, ports);
 	}
 function find_address_in_smtp_header(header: string): string
--- a/scripts/base/protocols/socks/main.bro
+++ b/scripts/base/protocols/socks/main.bro
@ -34,9 +34,13 @@ export {
 	global log_socks: event(rec: Info);
 }
 const ports = { 1080/tcp };
 redef likely_server_ports += { ports };
 event bro_init() &priority=5
 	{
 	Log::create_stream(SOCKS::LOG, [$columns=Info, $ev=log_socks]);
 	Analyzer::register_for_ports(Analyzer::ANALYZER_SOCKS, ports);
 	}
 redef record connection += {
@ -45,7 +49,6 @@ redef record connection += {
 # Configure DPD
 redef capture_filters += { ["socks"] = "tcp port 1080" };
 redef dpd_config += { [ANALYZER_SOCKS] = [$ports = set(1080/tcp)] };
 redef likely_server_ports += { 1080/tcp };
 function set_session(c: connection, version: count)
--- a/scripts/base/protocols/ssh/main.bro
+++ b/scripts/base/protocols/ssh/main.bro
@ -76,10 +76,11 @@ export {
 }
 # Configure DPD and the packet filter
 redef capture_filters += { ["ssh"] = "tcp port 22" };
 redef dpd_config += { [ANALYZER_SSH] = [$ports = set(22/tcp)] };
-redef likely_server_ports += { 22/tcp };
+const ports = { 22/tcp };
 redef capture_filters += { ["ssh"] = "tcp port 22" };
 redef likely_server_ports += { ports };
 redef record connection += {
 	ssh: Info &optional;
@ -88,6 +89,7 @@ redef record connection += {
 event bro_init() &priority=5
 {
 	Log::create_stream(SSH::LOG, [$columns=Info, $ev=log_ssh]);
 	Analyzer::register_for_ports(Analyzer::ANALYZER_SSH, ports);
 }
 function set_session(c: connection)
--- a/scripts/base/protocols/ssl/main.bro
+++ b/scripts/base/protocols/ssl/main.bro
@ -94,11 +94,6 @@ redef record Info += {
 		delay_tokens: set[string] &optional;
 };
 event bro_init() &priority=5
 	{
 	Log::create_stream(SSL::LOG, [$columns=Info, $ev=log_ssl]);
 	}
 redef capture_filters += {
 	["ssl"] = "tcp port 443",
 	["nntps"] = "tcp port 563",
@ -117,16 +112,9 @@ redef capture_filters += {
 const ports = {
 	443/tcp, 563/tcp, 585/tcp, 614/tcp, 636/tcp,
 	989/tcp, 990/tcp, 992/tcp, 993/tcp, 995/tcp, 5223/tcp
-};
+} &redef;
-redef dpd_config += {
+redef likely_server_ports += { ports };
 	[[ANALYZER_SSL]] = [$ports = ports]
 };
 redef likely_server_ports += {
 	443/tcp, 563/tcp, 585/tcp, 614/tcp, 636/tcp,
 	989/tcp, 990/tcp, 992/tcp, 993/tcp, 995/tcp, 5223/tcp
 };
 # A queue that buffers log records.
 global log_delay_queue: table[count] of Info;
@ -135,6 +123,12 @@ global log_delay_queue_head = 0;
 # The bottom queue index that points to the next record to be flushed.
 global log_delay_queue_tail = 0;
 event bro_init() &priority=5
 	{
 	Log::create_stream(SSL::LOG, [$columns=Info, $ev=log_ssl]);
 	Analyzer::register_for_ports(Analyzer::ANALYZER_SSL, ports);
 	}
 function set_session(c: connection)
 	{
 	if ( ! c?$ssl )
@ -288,14 +282,14 @@ event ssl_established(c: connection) &priority=-5
 	finish(c);
 	}
-event protocol_confirmation(c: connection, atype: count, aid: count) &priority=5
+event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count) &priority=5
 	{
 	# Check by checking for existence of c$ssl record.
-	if ( c?$ssl && analyzer_name(atype) == "SSL" )
+	if ( c?$ssl && atype == Analyzer::ANALYZER_SSL )
 		c$ssl$analyzer_id = aid;
 	}
-event protocol_violation(c: connection, atype: count, aid: count,
+event protocol_violation(c: connection, atype: Analyzer::Tag, aid: count,
                         reason: string) &priority=5
 	{
 	if ( c?$ssl )
--- a/scripts/base/protocols/syslog/main.bro
+++ b/scripts/base/protocols/syslog/main.bro
@ -27,10 +27,9 @@ export {
 }
 redef capture_filters += { ["syslog"] = "port 514" };
 const ports = { 514/udp } &redef;
 redef dpd_config += { [ANALYZER_SYSLOG_BINPAC] = [$ports = ports] };
-redef likely_server_ports += { 514/udp };
+const ports = { 514/udp };
 redef likely_server_ports += { ports };
 redef record connection += {
 	syslog: Info &optional;
@ -39,6 +38,7 @@ redef record connection += {
 event bro_init() &priority=5
 	{
 	Log::create_stream(Syslog::LOG, [$columns=Info]);
 	Analyzer::register_for_ports(Analyzer::ANALYZER_SYSLOG_BINPAC, ports);
 	}
 event syslog_message(c: connection, facility: count, severity: count, msg: string) &priority=5
--- a/scripts/policy/frameworks/dpd/detect-protocols.bro
+++ b/scripts/policy/frameworks/dpd/detect-protocols.bro
@ -21,22 +21,22 @@ export {
 	type dir: enum { NONE, INCOMING, OUTGOING, BOTH };
-	const valids: table[count, addr, port] of dir = {
+	const valids: table[Analyzer::Tag, addr, port] of dir = {
 		# A couple of ports commonly used for benign HTTP servers.
 		# For now we want to see everything.
-		# [ANALYZER_HTTP, 0.0.0.0, 81/tcp] = OUTGOING,
+		# [Analyzer::ANALYZER_HTTP, 0.0.0.0, 81/tcp] = OUTGOING,
-		# [ANALYZER_HTTP, 0.0.0.0, 82/tcp] = OUTGOING,
+		# [Analyzer::ANALYZER_HTTP, 0.0.0.0, 82/tcp] = OUTGOING,
-		# [ANALYZER_HTTP, 0.0.0.0, 83/tcp] = OUTGOING,
+		# [Analyzer::ANALYZER_HTTP, 0.0.0.0, 83/tcp] = OUTGOING,
-		# [ANALYZER_HTTP, 0.0.0.0, 88/tcp] = OUTGOING,
+		# [Analyzer::ANALYZER_HTTP, 0.0.0.0, 88/tcp] = OUTGOING,
-		# [ANALYZER_HTTP, 0.0.0.0, 8001/tcp] = OUTGOING,
+		# [Analyzer::ANALYZER_HTTP, 0.0.0.0, 8001/tcp] = OUTGOING,
-		# [ANALYZER_HTTP, 0.0.0.0, 8090/tcp] = OUTGOING,
+		# [Analyzer::ANALYZER_HTTP, 0.0.0.0, 8090/tcp] = OUTGOING,
-		# [ANALYZER_HTTP, 0.0.0.0, 8081/tcp] = OUTGOING,
+		# [Analyzer::ANALYZER_HTTP, 0.0.0.0, 8081/tcp] = OUTGOING,
 		#
-		# [ANALYZER_HTTP, 0.0.0.0, 6346/tcp] = BOTH, # Gnutella
+		# [Analyzer::ANALYZER_HTTP, 0.0.0.0, 6346/tcp] = BOTH, # Gnutella
-		# [ANALYZER_HTTP, 0.0.0.0, 6347/tcp] = BOTH, # Gnutella
+		# [Analyzer::ANALYZER_HTTP, 0.0.0.0, 6347/tcp] = BOTH, # Gnutella
-		# [ANALYZER_HTTP, 0.0.0.0, 6348/tcp] = BOTH, # Gnutella
+		# [Analyzer::ANALYZER_HTTP, 0.0.0.0, 6348/tcp] = BOTH, # Gnutella
 	} &redef;
 	# Set of analyzers for which we suppress Server_Found notices
@ -44,8 +44,8 @@ export {
 	# log files, this also saves memory because for these we don't
 	# need to remember which servers we already have reported, which
 	# for some can be a lot.
-	const suppress_servers: set [count] = {
+	const suppress_servers: set [Analyzer::Tag] = {
-		# ANALYZER_HTTP
+		# Analyzer::ANALYZER_HTTP
 	} &redef;
 	# We consider a connection to use a protocol X if the analyzer for X
@ -60,7 +60,7 @@ export {
 	# Entry point for other analyzers to report that they recognized
 	# a certain (sub-)protocol.
-	global found_protocol: function(c: connection, analyzer: count,
+	global found_protocol: function(c: connection, analyzer: Analyzer::Tag,
 					protocol: string);
 	# Table keeping reported (server, port, analyzer) tuples (and their
@ -89,7 +89,7 @@ function get_protocol(c: connection, a: count) : protocol
 			str = |str| > 0 ? fmt("%s/%s", str, p) : p;
 		}
-	return [$a=analyzer_name(a), $sub=str];
+	return [$a=Analyzer::name(a), $sub=str];
 	}
 function fmt_protocol(p: protocol) : string
@ -194,10 +194,10 @@ event connection_state_remove(c: connection)
 	report_protocols(c);
 	}
-event protocol_confirmation(c: connection, atype: count, aid: count)
+event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count)
 	{
 	# Don't report anything running on a well-known port.
-	if ( atype in dpd_config && c$id$resp_p in dpd_config[atype]$ports )
+	if ( c$id$resp_p in Analyzer::registered_ports(atype) )
 		return;
 	if ( c$id in conns )
@ -214,11 +214,10 @@ event protocol_confirmation(c: connection, atype: count, aid: count)
 		}
 	}
-function found_protocol(c: connection, analyzer: count, protocol: string)
+function found_protocol(c: connection, analyzer: Analyzer::tag, protocol: string)
 	{
 	# Don't report anything running on a well-known port.
-	if ( analyzer in dpd_config &&
+	if ( c$id$resp_p in Analyzer::registered_ports(atype) )
 	     c$id$resp_p in dpd_config[analyzer]$ports )
 		return;
 	if ( c$id !in protocols )
--- a/scripts/policy/frameworks/dpd/packet-segment-logging.bro
+++ b/scripts/policy/frameworks/dpd/packet-segment-logging.bro
@ -20,7 +20,7 @@ export {
 }
-event protocol_violation(c: connection, atype: count, aid: count,
+event protocol_violation(c: connection, atype: Analyzer::Tag, aid: count,
                         reason: string) &priority=4
 	{
 	if ( ! c?$dpd ) return;
--- a/scripts/policy/protocols/conn/known-services.bro
+++ b/scripts/policy/protocols/conn/known-services.bro
@ -87,7 +87,7 @@ function known_services_done(c: connection)
 		event log_it(network_time(), id$resp_h, id$resp_p, c$service);
 	}
-event protocol_confirmation(c: connection, atype: count, aid: count) &priority=-5
+event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count) &priority=-5
 	{
 	known_services_done(c);
 	}
--- a/src/AYIYA.cc
+++ b/src/AYIYA.cc
@ -1,7 +1,7 @@
 #include "AYIYA.h"
 AYIYA_Analyzer::AYIYA_Analyzer(Connection* conn)
-: Analyzer(AnalyzerTag::AYIYA, conn)
+: Analyzer("AYIYA", conn)
 	{
 	interp = new binpac::AYIYA::AYIYA_Conn(this);
 	}
--- a/src/AYIYA.h
+++ b/src/AYIYA.h
@ -3,7 +3,7 @@
 #include "ayiya_pac.h"
-class AYIYA_Analyzer : public Analyzer {
+class AYIYA_Analyzer : public analyzer::Analyzer {
 public:
 	AYIYA_Analyzer(Connection* conn);
 	virtual ~AYIYA_Analyzer();
@ -12,7 +12,7 @@ public:
 	virtual void DeliverPacket(int len, const u_char* data, bool orig,
 					int seq, const IP_Hdr* ip, int caplen);
-	static Analyzer* InstantiateAnalyzer(Connection* conn)
+	static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
 		{ return new AYIYA_Analyzer(conn); }
 	static bool Available()
--- a/src/AnalyzerTags.h
+++ b/src/AnalyzerTags.h
@ -1,57 +0,0 @@
 #ifndef ANALYZERTAGS_H
 #define ANALYZERTAGS_H
 // Each kind of analyzer gets a tag. When adding an analyzer here, also adapt
 // the table of analyzers in Analyzer.cc.
 //
 // Using a namespace here is kind of a hack: ideally this would be in "class
 // Analyzer {...}". But then we'd have circular dependencies across the header
 // files.
 #include "util.h"
 typedef uint32 AnalyzerID;
 namespace AnalyzerTag {
 	enum Tag {
 		Error = 0,	// used as error code
 		// Analyzer in charge of protocol detection.
 		PIA_TCP, PIA_UDP,
 		// Transport-layer analyzers.
 		ICMP, TCP, UDP,
 		// Application-layer analyzers (hand-written).
 		BitTorrent, BitTorrentTracker,
 		DCE_RPC, DNS, Finger, FTP, Gnutella, HTTP, Ident, IRC,
 		Login, NCP, NetbiosSSN, NFS, NTP, POP3, Portmapper, Rlogin,
 		RPC, Rsh, SMB, SMTP, SSH,
 		Telnet,
 		// Application-layer analyzers, binpac-generated.
 		DHCP_BINPAC, DNS_TCP_BINPAC, DNS_UDP_BINPAC,
 		HTTP_BINPAC, SSL, SYSLOG_BINPAC,
 		Modbus,
 		// Decapsulation analyzers.
 		AYIYA,
 		SOCKS,
 		Teredo,
 		GTPv1,
 		// Other
 		File, Backdoor, InterConn, SteppingStone, TCPStats,
 		ConnSize,
 		// Support-analyzers
 		Contents, ContentLine, NVT, Zip, Contents_DNS, Contents_NCP,
 		Contents_NetbiosSSN, Contents_Rlogin, Contents_Rsh,
 		Contents_DCE_RPC, Contents_SMB, Contents_RPC, Contents_NFS,
 		FTP_ADAT,
 		// End-marker.
 		LastAnalyzer
 	};
 };
 #endif
--- a/src/BackDoor.cc
+++ b/src/BackDoor.cc
@ -681,7 +681,7 @@ int BackDoorEndpoint::CheckForString(const char* str,
 BackDoor_Analyzer::BackDoor_Analyzer(Connection* c)
-: TCP_ApplicationAnalyzer(AnalyzerTag::Backdoor, c)
+: TCP_ApplicationAnalyzer("BACKDOOR", c)
 	{
 	orig_endp = resp_endp = 0;
--- a/src/BackDoor.h
+++ b/src/BackDoor.h
@ -71,7 +71,7 @@ public:
 	virtual void Done();
 	void StatTimer(double t, int is_expire);
-	static Analyzer* InstantiateAnalyzer(Connection* conn)
+	static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
 		{ return new BackDoor_Analyzer(conn); }
 	static bool Available()
--- a/src/Base64.cc
+++ b/src/Base64.cc
@ -84,7 +84,7 @@ int* Base64Converter::InitBase64Table(const string& alphabet)
-Base64Converter::Base64Converter(Analyzer* arg_analyzer, const string& arg_alphabet)
+Base64Converter::Base64Converter(analyzer::Analyzer* arg_analyzer, const string& arg_alphabet)
 	{
 	if ( arg_alphabet.size() > 0 )
 		{
--- a/src/Base64.h
+++ b/src/Base64.h
@ -7,7 +7,8 @@
 #include "util.h"
 #include "BroString.h"
-#include "Analyzer.h"
+#include "Reporter.h"
 #include "analyzer/Analyzer.h"
 // Maybe we should have a base class for generic decoders?
 class Base64Converter {
@ -15,7 +16,7 @@ public:
 	// <analyzer> is used for error reporting, and it should be zero when
 	// the decoder is called by the built-in function decode_base64() or encode_base64().
 	// Empty alphabet indicates the default base64 alphabet.
-	Base64Converter(Analyzer* analyzer, const string& alphabet = "");
+	Base64Converter(analyzer::Analyzer* analyzer, const string& alphabet = "");
 	~Base64Converter();
 	// A note on Decode():
@ -62,7 +63,7 @@ protected:
 	int base64_after_padding;
 	int* base64_table;
 	int errored;	// if true, we encountered an error - skip further processing
-	Analyzer* analyzer;
+	analyzer::Analyzer* analyzer;
 };
--- a/src/BitTorrent.cc
+++ b/src/BitTorrent.cc
@ -4,7 +4,7 @@
 #include "TCP_Reassembler.h"
 BitTorrent_Analyzer::BitTorrent_Analyzer(Connection* c)
-: TCP_ApplicationAnalyzer(AnalyzerTag::BitTorrent, c)
+: TCP_ApplicationAnalyzer("BITTORRENT", c)
 	{
 	interp = new binpac::BitTorrent::BitTorrent_Conn(this);
 	stop_orig = stop_resp = false;
--- a/src/BitTorrent.h
+++ b/src/BitTorrent.h
@ -17,7 +17,7 @@ public:
 	virtual void Undelivered(int seq, int len, bool orig);
 	virtual void EndpointEOF(bool is_orig);
-	static Analyzer* InstantiateAnalyzer(Connection* conn)
+	static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
 		{ return new BitTorrent_Analyzer(conn); }
 	static bool Available()
--- a/src/BitTorrentTracker.cc
+++ b/src/BitTorrentTracker.cc
@ -18,7 +18,7 @@ static RecordType* bittorrent_benc_value;
 static TableType* bittorrent_benc_dir;
 BitTorrentTracker_Analyzer::BitTorrentTracker_Analyzer(Connection* c)
-: TCP_ApplicationAnalyzer(AnalyzerTag::BitTorrentTracker, c)
+: TCP_ApplicationAnalyzer("BITTORRENT", c)
 	{
 	if ( ! bt_tracker_headers )
 		{
--- a/src/BitTorrentTracker.h
+++ b/src/BitTorrentTracker.h
@ -50,7 +50,7 @@ public:
 	virtual void Undelivered(int seq, int len, bool orig);
 	virtual void EndpointEOF(bool is_orig);
-	static Analyzer* InstantiateAnalyzer(Connection* conn)
+	static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
 		{ return new BitTorrentTracker_Analyzer(conn); }
 	static bool Available()
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@ -141,6 +141,7 @@ macro(GET_BIF_OUTPUT_FILES inputFile outputFileVar)
 endmacro(GET_BIF_OUTPUT_FILES)
 set(BIF_SRCS
    analyzer.bif
    bro.bif
    logging.bif
    input.bif
@ -283,7 +284,6 @@ set(bro_SRCS
    net_util.cc
    util.cc
    module_util.cc
    Analyzer.cc
    Anon.cc
    ARP.cc
    Attr.cc
@ -318,7 +318,6 @@ set(bro_SRCS
    Desc.cc
    Dict.cc
    Discard.cc
    DPM.cc
    EquivClass.cc
    Event.cc
    EventHandler.cc
@ -447,6 +446,16 @@ set(bro_SRCS
    input/readers/Raw.cc
    input/readers/Benchmark.cc
    plugin/Component.cc
    plugin/Manager.cc
    plugin/Plugin.cc
    analyzer/Analyzer.cc
    analyzer/BuiltinAnalyzers.cc
    analyzer/Manager.cc
    analyzer/PluginComponent.cc
    analyzer/Tag.cc
    nb_dns.c
    digest.h
 )
--- a/src/Conn.cc
+++ b/src/Conn.cc
@ -14,6 +14,7 @@
 #include "PIA.h"
 #include "binpac.h"
 #include "TunnelEncapsulation.h"
 #include "analyzer/Analyzer.h"
 void ConnectionTimer::Init(Connection* arg_conn, timer_func arg_timer,
 				int arg_do_expire)
@ -402,16 +403,21 @@ RecordVal* Connection::BuildConnVal()
 	return conn_val;
 	}
-Analyzer* Connection::FindAnalyzer(AnalyzerID id)
+analyzer::Analyzer* Connection::FindAnalyzer(analyzer::ID id)
 	{
 	return root_analyzer ? root_analyzer->FindChild(id) : 0;
 	}
-Analyzer* Connection::FindAnalyzer(AnalyzerTag::Tag tag)
+analyzer::Analyzer* Connection::FindAnalyzer(analyzer::Tag tag)
 	{
 	return root_analyzer ? root_analyzer->FindChild(tag) : 0;
 	}
 analyzer::Analyzer* Connection::FindAnalyzer(const string& name)
 	{
 	return root_analyzer->FindChild(name);
 	}
 void Connection::AppendAddl(const char* str)
 	{
 	Unref(BuildConnVal());
@ -540,7 +546,7 @@ Val* Connection::BuildVersionVal(const char* s, int len)
 	}
 int Connection::VersionFoundEvent(const IPAddr& addr, const char* s, int len,
-					Analyzer* analyzer)
+					analyzer::Analyzer* analyzer)
 	{
 	if ( ! software_version_found && ! software_parse_error )
 		return 1;
@ -578,7 +584,7 @@ int Connection::VersionFoundEvent(const IPAddr& addr, const char* s, int len,
 	}
 int Connection::UnparsedVersionFoundEvent(const IPAddr& addr,
-					const char* full, int len, Analyzer* analyzer)
+					const char* full, int len, analyzer::Analyzer* analyzer)
 	{
 	// Skip leading white space.
 	while ( len && isspace(*full) )
@ -602,7 +608,7 @@ int Connection::UnparsedVersionFoundEvent(const IPAddr& addr,
 	return 1;
 	}
-void Connection::Event(EventHandlerPtr f, Analyzer* analyzer, const char* name)
+void Connection::Event(EventHandlerPtr f, analyzer::Analyzer* analyzer, const char* name)
 	{
 	if ( ! f )
 		return;
@ -615,7 +621,7 @@ void Connection::Event(EventHandlerPtr f, Analyzer* analyzer, const char* name)
 	ConnectionEvent(f, analyzer, vl);
 	}
-void Connection::Event(EventHandlerPtr f, Analyzer* analyzer, Val* v1, Val* v2)
+void Connection::Event(EventHandlerPtr f, analyzer::Analyzer* analyzer, Val* v1, Val* v2)
 	{
 	if ( ! f )
 		{
@ -634,7 +640,7 @@ void Connection::Event(EventHandlerPtr f, Analyzer* analyzer, Val* v1, Val* v2)
 	ConnectionEvent(f, analyzer, vl);
 	}
-void Connection::ConnectionEvent(EventHandlerPtr f, Analyzer* a, val_list* vl)
+void Connection::ConnectionEvent(EventHandlerPtr f, analyzer::Analyzer* a, val_list* vl)
 	{
 	if ( ! f )
 		{
@ -929,7 +935,7 @@ error:
 	return false;
 	}
-void Connection::SetRootAnalyzer(TransportLayerAnalyzer* analyzer, PIA* pia)
+void Connection::SetRootAnalyzer(analyzer::TransportLayerAnalyzer* analyzer, PIA* pia)
 	{
 	root_analyzer = analyzer;
 	primary_PIA = pia;
--- a/src/Conn.h
+++ b/src/Conn.h
@ -11,19 +11,22 @@
 #include "Serializer.h"
 #include "PersistenceSerializer.h"
 #include "RuleMatcher.h"
 #include "AnalyzerTags.h"
 #include "IPAddr.h"
 #include "TunnelEncapsulation.h"
 #include "analyzer/Tag.h"
 #include "analyzer/Analyzer.h"
 class Connection;
 class ConnectionTimer;
 class NetSessions;
 class LoginConn;
 class RuleHdrTest;
 class Specific_RE_Matcher;
 class TransportLayerAnalyzer;
 class RuleEndpointState;
 namespace analyzer { class TransportLayerAnalyzer; }
 typedef enum {
 	NUL_IN_LINE,
 	SINGULAR_CR,
@ -47,7 +50,7 @@ static inline int addr_port_canon_lt(const IPAddr& addr1, uint32 p1,
 	return addr1 < addr2 || (addr1 == addr2 && p1 < p2);
 	}
-class Analyzer;
+namespace analyzer { class Analyzer; }
 class Connection : public BroObj {
 public:
@ -102,8 +105,9 @@ public:
 	void FlipRoles();
-	Analyzer* FindAnalyzer(AnalyzerID id);
+	analyzer::Analyzer* FindAnalyzer(analyzer::ID id);
-	Analyzer* FindAnalyzer(AnalyzerTag::Tag tag);	// find first in tree.
+	analyzer::Analyzer* FindAnalyzer(analyzer::Tag tag);	// find first in tree.
 	analyzer::Analyzer* FindAnalyzer(const string& name);	// find first in tree.
 	TransportProto ConnTransport() const { return proto; }
@ -161,15 +165,15 @@ public:
 	// Raises a software_version_found event based on the
 	// given string (returns false if it's not parseable).
 	int VersionFoundEvent(const IPAddr& addr, const char* s, int len,
-				Analyzer* analyzer = 0);
+				analyzer::Analyzer* analyzer = 0);
 	// Raises a software_unparsed_version_found event.
 	int UnparsedVersionFoundEvent(const IPAddr& addr,
-			const char* full_descr, int len, Analyzer* analyzer);
+			const char* full_descr, int len, analyzer::Analyzer* analyzer);
-	void Event(EventHandlerPtr f, Analyzer* analyzer, const char* name = 0);
+	void Event(EventHandlerPtr f, analyzer::Analyzer* analyzer, const char* name = 0);
-	void Event(EventHandlerPtr f, Analyzer* analyzer, Val* v1, Val* v2 = 0);
+	void Event(EventHandlerPtr f, analyzer::Analyzer* analyzer, Val* v1, Val* v2 = 0);
-	void ConnectionEvent(EventHandlerPtr f, Analyzer* analyzer,
+	void ConnectionEvent(EventHandlerPtr f, analyzer::Analyzer* analyzer,
 				val_list* vl);
 	void Weird(const char* name, const char* addl = "");
@ -241,8 +245,8 @@ public:
 	void DeleteTimer(double t);
 	// Sets the root of the analyzer tree as well as the primary PIA.
-	void SetRootAnalyzer(TransportLayerAnalyzer* analyzer, PIA* pia);
+	void SetRootAnalyzer(analyzer::TransportLayerAnalyzer* analyzer, PIA* pia);
-	TransportLayerAnalyzer* GetRootAnalyzer()	{ return root_analyzer; }
+	analyzer::TransportLayerAnalyzer* GetRootAnalyzer()	{ return root_analyzer; }
 	PIA* GetPrimaryPIA()	{ return primary_PIA; }
 	// Sets the transport protocol in use.
@ -314,7 +318,7 @@ protected:
 	string history;
 	uint32 hist_seen;
-	TransportLayerAnalyzer* root_analyzer;
+	analyzer::TransportLayerAnalyzer* root_analyzer;
 	PIA* primary_PIA;
 	uint64 uid;	// Globally unique connection ID.
--- a/src/ConnSizeAnalyzer.cc
+++ b/src/ConnSizeAnalyzer.cc
@ -9,7 +9,7 @@
 ConnSize_Analyzer::ConnSize_Analyzer(Connection* c)
-: Analyzer(AnalyzerTag::ConnSize, c)
+: Analyzer("CONNSIZE", c)
 	{
 	}
--- a/src/ConnSizeAnalyzer.h
+++ b/src/ConnSizeAnalyzer.h
@ -4,11 +4,11 @@
 #ifndef CONNSTATS_H
 #define CONNSTATS_H
-#include "Analyzer.h"
+#include "analyzer/Analyzer.h"
 #include "NetVar.h"
-class ConnSize_Analyzer : public Analyzer {
+class ConnSize_Analyzer : public analyzer::Analyzer {
 public:
 	ConnSize_Analyzer(Connection* c);
 	virtual ~ConnSize_Analyzer();
@ -20,7 +20,7 @@ public:
 	virtual void UpdateConnVal(RecordVal *conn_val);
 	virtual void FlipRoles();
-	static Analyzer* InstantiateAnalyzer(Connection* conn)
+	static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
 		{ return new ConnSize_Analyzer(conn); }
 	static bool Available()	{ return BifConst::use_conn_size_analyzer ; }
--- a/src/ContentLine.cc
+++ b/src/ContentLine.cc
@ -4,14 +4,13 @@
 #include "TCP.h"
 ContentLine_Analyzer::ContentLine_Analyzer(Connection* conn, bool orig)
-: TCP_SupportAnalyzer(AnalyzerTag::ContentLine, conn, orig)
+: TCP_SupportAnalyzer("CONTENTLINE", conn, orig)
 	{
 	InitState();
 	}
-ContentLine_Analyzer::ContentLine_Analyzer(AnalyzerTag::Tag tag,
+ContentLine_Analyzer::ContentLine_Analyzer(const char* name, Connection* conn, bool orig)
-						Connection* conn, bool orig)
+: TCP_SupportAnalyzer(name, conn, orig)
 : TCP_SupportAnalyzer(tag, conn, orig)
 	{
 	InitState();
 	}
--- a/src/ContentLine.h
+++ b/src/ContentLine.h
@ -55,7 +55,7 @@ public:
 		{ return seq + length <= seq_to_skip; }
 protected:
-	ContentLine_Analyzer(AnalyzerTag::Tag tag, Connection* conn, bool orig);
+	ContentLine_Analyzer(const char* name, Connection* conn, bool orig);
 	virtual void DeliverStream(int len, const u_char* data, bool is_orig);
 	virtual void Undelivered(int seq, int len, bool orig);
--- a/src/DCE_RPC.cc
+++ b/src/DCE_RPC.cc
@ -10,7 +10,8 @@ using namespace std;
 #include "DCE_RPC.h"
 #include "Sessions.h"
-#include "DPM.h"
+
 #include "analyzer/Manager.h"
 #define xbyte(b, n) (((const u_char*) (b))[n])
@ -160,11 +161,11 @@ static void add_dce_rpc_endpoint(const dce_rpc_endpoint_addr& addr,
 	// of the dce_rpc_endpoints table.
 	// FIXME: Don't hard-code the timeout.
-	dpm->ExpectConnection(IPAddr(), addr.addr, addr.port, addr.proto,
+	analyzer_mgr->ExpectConnection(IPAddr(), addr.addr, addr.port, addr.proto,
-				AnalyzerTag::DCE_RPC, 5 * 60, 0);
+				       "DCE_RPC", 5 * 60, 0);
 	}
-DCE_RPC_Header::DCE_RPC_Header(Analyzer* a, const u_char* b)
+DCE_RPC_Header::DCE_RPC_Header(analyzer::Analyzer* a, const u_char* b)
 	{
 	analyzer = a;
 	bytes = b;
@ -183,7 +184,7 @@ DCE_RPC_Header::DCE_RPC_Header(Analyzer* a, const u_char* b)
 	frag_len = extract_uint16(LittleEndian(), bytes + 8);
 	}
-DCE_RPC_Session::DCE_RPC_Session(Analyzer* a)
+DCE_RPC_Session::DCE_RPC_Session(analyzer::Analyzer* a)
 : analyzer(a),
  if_uuid("00000000-0000-0000-0000-000000000000"),
  if_id(BifEnum::DCE_RPC_unknown_if)
@ -442,7 +443,7 @@ void DCE_RPC_Session::DeliverEpmapperMapResponse(
 Contents_DCE_RPC_Analyzer::Contents_DCE_RPC_Analyzer(Connection* conn,
 		bool orig, DCE_RPC_Session* arg_session, bool speculative)
-: TCP_SupportAnalyzer(AnalyzerTag::Contents_DCE_RPC, conn, orig)
+: TCP_SupportAnalyzer("CONTENTS_DCE_RPC", conn, orig)
 	{
 	session = arg_session;
 	msg_buf = 0;
@ -566,7 +567,7 @@ bool Contents_DCE_RPC_Analyzer::ParseHeader()
 	}
 DCE_RPC_Analyzer::DCE_RPC_Analyzer(Connection* conn, bool arg_speculative)
-: TCP_ApplicationAnalyzer(AnalyzerTag::DCE_RPC, conn)
+: TCP_ApplicationAnalyzer("DCE_RPC", conn)
 	{
 	session = new DCE_RPC_Session(this);
 	speculative = arg_speculative;
--- a/src/DCE_RPC.h
+++ b/src/DCE_RPC.h
@ -88,7 +88,7 @@ enum DCE_RPC_PTYPE {
 class DCE_RPC_Header {
 public:
-	DCE_RPC_Header(Analyzer* a, const u_char* bytes);
+	DCE_RPC_Header(analyzer::Analyzer* a, const u_char* bytes);
 	BifEnum::dce_rpc_ptype PTYPE() const	{ return ptype; }
 	int FragLen() const		{ return frag_len; }
@ -99,7 +99,7 @@ public:
 	void SetBytes(const u_char* b)	{ bytes = b; }
 protected:
-	Analyzer* analyzer;
+	analyzer::Analyzer* analyzer;
 	const u_char* bytes;
 	BifEnum::dce_rpc_ptype ptype;
 	int frag_len;
@ -112,7 +112,7 @@ protected:
 class DCE_RPC_Session {
 public:
-	DCE_RPC_Session(Analyzer* a);
+	DCE_RPC_Session(analyzer::Analyzer* a);
 	virtual ~DCE_RPC_Session() {}
 	virtual void DeliverPDU(int is_orig, int len, const u_char* data);
@ -135,7 +135,7 @@ protected:
 			const binpac::DCE_RPC_Simple::DCE_RPC_PDU* pdu,
 			const binpac::DCE_RPC_Simple::DCE_RPC_Response* resp);
-	Analyzer* analyzer;
+	analyzer::Analyzer* analyzer;
 	UUID if_uuid;
 	BifEnum::dce_rpc_if_id if_id;
 	int opnum;
@ -174,7 +174,7 @@ public:
 	DCE_RPC_Analyzer(Connection* conn, bool speculative = false);
 	~DCE_RPC_Analyzer();
-	static Analyzer* InstantiateAnalyzer(Connection* conn)
+	static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
 		{ return new DCE_RPC_Analyzer(conn); }
 	static bool Available()
--- a/src/DHCP-binpac.cc
+++ b/src/DHCP-binpac.cc
@ -1,7 +1,7 @@
 #include "DHCP-binpac.h"
 DHCP_Analyzer_binpac::DHCP_Analyzer_binpac(Connection* conn)
-: Analyzer(AnalyzerTag::DHCP_BINPAC, conn)
+: Analyzer("DHCP", conn)
 	{
 	interp = new binpac::DHCP::DHCP_Conn(this);
 	}
--- a/src/DHCP-binpac.h
+++ b/src/DHCP-binpac.h
@ -6,7 +6,7 @@
 #include "dhcp_pac.h"
-class DHCP_Analyzer_binpac : public Analyzer {
+class DHCP_Analyzer_binpac : public analyzer::Analyzer {
 public:
 	DHCP_Analyzer_binpac(Connection* conn);
 	virtual ~DHCP_Analyzer_binpac();
@ -15,7 +15,7 @@ public:
 	virtual void DeliverPacket(int len, const u_char* data, bool orig,
 					int seq, const IP_Hdr* ip, int caplen);
-	static Analyzer* InstantiateAnalyzer(Connection* conn)
+	static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
 		{ return new DHCP_Analyzer_binpac(conn); }
 	static bool Available()
--- a/src/DNS-binpac.cc
+++ b/src/DNS-binpac.cc
@ -2,7 +2,7 @@
 #include "TCP_Reassembler.h"
 DNS_UDP_Analyzer_binpac::DNS_UDP_Analyzer_binpac(Connection* conn)
-: Analyzer(AnalyzerTag::DNS_UDP_BINPAC, conn)
+: Analyzer("DNS_UDP_BINPAC", conn)
 	{
 	interp = new binpac::DNS::DNS_Conn(this);
 	did_session_done = 0;
@ -45,7 +45,7 @@ void DNS_UDP_Analyzer_binpac::ExpireTimer(double t)
 	}
 DNS_TCP_Analyzer_binpac::DNS_TCP_Analyzer_binpac(Connection* conn)
-: TCP_ApplicationAnalyzer(AnalyzerTag::DNS_TCP_BINPAC, conn)
+: TCP_ApplicationAnalyzer("DNS_TCP_BINPAC", conn)
 	{
 	interp = new binpac::DNS_on_TCP::DNS_TCP_Conn(this);
 	}
--- a/src/DNS-binpac.h
+++ b/src/DNS-binpac.h
@ -11,7 +11,7 @@
 // change that easily? (Ideally, the TCP preprocessing would become a
 // support-analyzer as it is done for the traditional DNS analyzer.)
-class DNS_UDP_Analyzer_binpac : public Analyzer {
+class DNS_UDP_Analyzer_binpac : public analyzer::Analyzer {
 public:
 	DNS_UDP_Analyzer_binpac(Connection* conn);
 	virtual ~DNS_UDP_Analyzer_binpac();
@ -20,7 +20,7 @@ public:
 	virtual void DeliverPacket(int len, const u_char* data, bool orig,
 					int seq, const IP_Hdr* ip, int caplen);
-	static Analyzer* InstantiateAnalyzer(Connection* conn)
+	static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
 		{ return new DNS_UDP_Analyzer_binpac(conn); }
 	static bool Available()
@ -47,7 +47,7 @@ public:
 	virtual void Undelivered(int seq, int len, bool orig);
 	virtual void EndpointEOF(bool is_orig);
-	static Analyzer* InstantiateAnalyzer(Connection* conn)
+	static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
 		{ return new DNS_TCP_Analyzer_binpac(conn); }
 	static bool Available()
--- a/src/DNS.cc
+++ b/src/DNS.cc
@ -12,7 +12,7 @@
 #include "Sessions.h"
 #include "Event.h"
-DNS_Interpreter::DNS_Interpreter(Analyzer* arg_analyzer)
+DNS_Interpreter::DNS_Interpreter(analyzer::Analyzer* arg_analyzer)
 	{
 	analyzer = arg_analyzer;
 	}
@ -993,7 +993,7 @@ Val* DNS_MsgInfo::BuildTSIG_Val()
 Contents_DNS::Contents_DNS(Connection* conn, bool orig,
 				DNS_Interpreter* arg_interp)
-: TCP_SupportAnalyzer(AnalyzerTag::Contents_DNS, conn, orig)
+: TCP_SupportAnalyzer("CONTENTS_DNS", conn, orig)
 	{
 	interp = arg_interp;
@ -1080,7 +1080,7 @@ void Contents_DNS::DeliverStream(int len, const u_char* data, bool orig)
 	}
 DNS_Analyzer::DNS_Analyzer(Connection* conn)
-: TCP_ApplicationAnalyzer(AnalyzerTag::DNS, conn)
+: TCP_ApplicationAnalyzer("DNS", conn)
 	{
 	interp = new DNS_Interpreter(this);
 	contents_dns_orig = contents_dns_resp = 0;
--- a/src/DNS.h
+++ b/src/DNS.h
@ -149,7 +149,7 @@ public:
 class DNS_Interpreter {
 public:
-	DNS_Interpreter(Analyzer* analyzer);
+	DNS_Interpreter(analyzer::Analyzer* analyzer);
 	int ParseMessage(const u_char* data, int len, int is_query);
@ -217,7 +217,7 @@ protected:
 					const u_char*& data, int& len,
 					BroString* question_name);
-	Analyzer* analyzer;
+	analyzer::Analyzer* analyzer;
 };
@ -266,7 +266,7 @@ public:
 	void ExpireTimer(double t);
-	static Analyzer* InstantiateAnalyzer(Connection* conn)
+	static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
 		{ return new DNS_Analyzer(conn); }
 	static bool Available()
--- a/src/DPM.cc
+++ b/src/DPM.cc
@ -1,407 +0,0 @@
 #include "DPM.h"
 #include "PIA.h"
 #include "Hash.h"
 #include "ICMP.h"
 #include "UDP.h"
 #include "TCP.h"
 #include "Val.h"
 #include "BackDoor.h"
 #include "InterConn.h"
 #include "SteppingStone.h"
 #include "ConnSizeAnalyzer.h"
 ExpectedConn::ExpectedConn(const IPAddr& _orig, const IPAddr& _resp,
 				uint16 _resp_p, uint16 _proto)
 	{
 	if ( _orig == IPAddr(string("0.0.0.0")) )
 		// don't use the IPv4 mapping, use the literal unspecified address
 		// to indicate a wildcard
 		orig = IPAddr(string("::"));
 	else
 		orig = _orig;
 	resp = _resp;
 	resp_p = _resp_p;
 	proto = _proto;
 	}
 ExpectedConn::ExpectedConn(const ExpectedConn& c)
 	{
 	orig = c.orig;
 	resp = c.resp;
 	resp_p = c.resp_p;
 	proto = c.proto;
 	}
 DPM::DPM()
 : expected_conns_queue(AssignedAnalyzer::compare)
 	{
 	}
 DPM::~DPM()
 	{
 	delete [] active_analyzers;
 	}
 void DPM::PreScriptInit()
 	{
 	for ( int i = 1; i < int(AnalyzerTag::LastAnalyzer); i++ )
 		{
 		// Create IDs ANALYZER_*.
 		ID* id = install_ID(fmt("ANALYZER_%s",
 				Analyzer::analyzer_configs[i].name),
 					GLOBAL_MODULE_NAME, true, false);
 		assert(id);
 		id->SetVal(new Val(i, TYPE_COUNT));
 		id->SetType(id->ID_Val()->Type()->Ref());
 		}
 	}
 void DPM::PostScriptInit()
 	{
 	active_analyzers = new bool[int(AnalyzerTag::LastAnalyzer)];
 	for ( int i = 1; i < int(AnalyzerTag::LastAnalyzer); i++ )
 		{
 		if ( ! Analyzer::analyzer_configs[i].available )
 			continue;
 		active_analyzers[i] = Analyzer::analyzer_configs[i].available();
 		if ( active_analyzers[i] )
 			AddConfig(Analyzer::analyzer_configs[i]);
 		}
 	}
 void DPM::AddConfig(const Analyzer::Config& cfg)
 	{
 #ifdef USE_PERFTOOLS_DEBUG
 	HeapLeakChecker::Disabler disabler;
 #endif
 	Val* index = new Val(cfg.tag, TYPE_COUNT);
 	Val* v = dpd_config->Lookup(index);
 #ifdef DEBUG
 	ODesc desc;
 #endif
 	if ( v )
 		{
 		RecordVal* cfg_record = v->AsRecordVal();
 		Val* ports = cfg_record->Lookup(0);
 		if ( ports )
 			{
 			ListVal* plist = ports->AsTableVal()->ConvertToPureList();
 			for ( int i = 0; i< plist->Length(); ++i )
 				{
 				PortVal* port = plist->Index(i)->AsPortVal();
 				analyzer_map* ports =
 					port->IsTCP() ? &tcp_ports : &udp_ports;
 				analyzer_map::iterator j =
 					ports->find(port->Port());
 				if ( j == ports->end() )
 					{
 					tag_list* analyzers = new tag_list;
 					analyzers->push_back(cfg.tag);
 					ports->insert(analyzer_map::value_type(port->Port(), analyzers));
 					}
 				else
 					j->second->push_back(cfg.tag);
 #ifdef DEBUG
 				port->Describe(&desc);
 				desc.SP();
 #endif
 				}
 			}
 		}
 	DBG_LOG(DBG_DPD, "%s analyzer active on port(s) %s", cfg.name, desc.Description());
 	Unref(index);
 	}
 AnalyzerTag::Tag DPM::GetExpected(int proto, const Connection* conn)
 	{
 	if ( ! expected_conns.Length() )
 		return AnalyzerTag::Error;
 	ExpectedConn c(conn->OrigAddr(), conn->RespAddr(),
 			ntohs(conn->RespPort()), proto);
 	HashKey* key = BuildExpectedConnHashKey(c);
 	AssignedAnalyzer* a = expected_conns.Lookup(key);
 	delete key;
 	if ( ! a )
 		{
 		// Wildcard for originator.
 		c.orig = IPAddr(string("::"));
 		HashKey* key = BuildExpectedConnHashKey(c);
 		a = expected_conns.Lookup(key);
 		delete key;
 		}
 	if ( ! a )
 		return AnalyzerTag::Error;
 	// We don't delete it here.  It will be expired eventually.
 	return a->analyzer;
 	}
 bool DPM::BuildInitialAnalyzerTree(TransportProto proto, Connection* conn,
 					const u_char* data)
 	{
 	TCP_Analyzer* tcp = 0;
 	UDP_Analyzer* udp = 0;
 	ICMP_Analyzer* icmp = 0;
 	TransportLayerAnalyzer* root = 0;
 	AnalyzerTag::Tag expected = AnalyzerTag::Error;
 	analyzer_map* ports = 0;
 	PIA* pia = 0;
 	bool analyzed = false;
 	switch ( proto ) {
 	case TRANSPORT_TCP:
 		root = tcp = new TCP_Analyzer(conn);
 		pia = new PIA_TCP(conn);
 		expected = GetExpected(proto, conn);
 		ports = &tcp_ports;
 		DBG_DPD(conn, "activated TCP analyzer");
 		break;
 	case TRANSPORT_UDP:
 		root = udp = new UDP_Analyzer(conn);
 		pia = new PIA_UDP(conn);
 		expected = GetExpected(proto, conn);
 		ports = &udp_ports;
 		DBG_DPD(conn, "activated UDP analyzer");
 		break;
 	case TRANSPORT_ICMP: {
 		root = icmp = new ICMP_Analyzer(conn);
 		DBG_DPD(conn, "activated ICMP analyzer");
 		analyzed = true;
 		break;
 		}
 	default:
 		reporter->InternalError("unknown protocol");
 	}
 	if ( ! root )
 		{
 		DBG_DPD(conn, "cannot build analyzer tree");
 		return false;
 		}
 	// Any scheduled analyzer?
 	if ( expected != AnalyzerTag::Error )
 		{
 		Analyzer* analyzer =
 			Analyzer::InstantiateAnalyzer(expected, conn);
 		root->AddChildAnalyzer(analyzer, false);
 		DBG_DPD_ARGS(conn, "activated %s analyzer as scheduled",
 			Analyzer::GetTagName(expected));
 		// Hmm... Do we want *just* the expected analyzer, or all
 		// other potential analyzers as well?  For now we only take
 		// the scheduled one.
 		}
 	else
 		{ // Let's see if it's a port we know.
 		if ( ports && ! dpd_ignore_ports )
 			{
 			analyzer_map::const_iterator i =
 				ports->find(ntohs(conn->RespPort()));
 			if ( i != ports->end() )
 				{
 				tag_list* analyzers = i->second;
 				for ( tag_list::const_iterator j = analyzers->begin();
 				      j != analyzers->end(); j++ )
 					{
 					Analyzer* analyzer =
 					Analyzer::InstantiateAnalyzer(*j, conn);
 					root->AddChildAnalyzer(analyzer, false);
 					DBG_DPD_ARGS(conn, "activated %s analyzer due to port %d", Analyzer::GetTagName(*j), conn->RespPort());
 					}
 				}
 			}
 		}
 	if ( tcp )
 		{
 		// We have to decide whether to reassamble the stream.
 		// We turn it on right away if we already have an app-layer
 		// analyzer, reassemble_first_packets is true, or the user
 		// asks us to do so.  In all other cases, reassembly may
 		// be turned on later by the TCP PIA.
 		bool reass = root->GetChildren().size() ||
 				dpd_reassemble_first_packets ||
 				tcp_content_deliver_all_orig ||
 				tcp_content_deliver_all_resp;
 		if ( tcp_contents && ! reass )
 			{
 			PortVal dport(ntohs(conn->RespPort()), TRANSPORT_TCP);
 			Val* result;
 			if ( ! reass )
 				reass = tcp_content_delivery_ports_orig->Lookup(&dport);
 			if ( ! reass )
 				reass = tcp_content_delivery_ports_resp->Lookup(&dport);
 			}
 		if ( reass )
 			tcp->EnableReassembly();
 		// Add a BackDoor analyzer if requested.  This analyzer
 		// can handle both reassembled and non-reassembled input.
 		if ( BackDoor_Analyzer::Available() )
 			{
 			BackDoor_Analyzer* bd = new BackDoor_Analyzer(conn);
 			tcp->AddChildAnalyzer(bd, false);
 			}
 		// Add a InterConn analyzer if requested.  This analyzer
 		// can handle both reassembled and non-reassembled input.
 		if ( InterConn_Analyzer::Available() )
 			{
 			InterConn_Analyzer* bd = new InterConn_Analyzer(conn);
 			tcp->AddChildAnalyzer(bd, false);
 			}
 		// Add a SteppingStone analyzer if requested.  The port
 		// should really not be hardcoded here, but as it can
 		// handle non-reassembled data, it doesn't really fit into
 		// our general framing ...  Better would be to turn it
 		// on *after* we discover we have interactive traffic.
 		uint16 resp_port = ntohs(conn->RespPort());
 		if ( SteppingStone_Analyzer::Available() &&
 		     (resp_port == 22 || resp_port == 23 || resp_port == 513) )
 			{
 			AddrVal src(conn->OrigAddr());
 			if ( ! stp_skip_src->Lookup(&src) )
 				{
 				SteppingStone_Analyzer* bd =
 					new SteppingStone_Analyzer(conn);
 				tcp->AddChildAnalyzer(bd, false);
 				}
 			}
 		// Add TCPStats analyzer. This needs to see packets so
 		// we cannot add it as a normal child.
 		if ( TCPStats_Analyzer::Available() )
 			tcp->AddChildPacketAnalyzer(new TCPStats_Analyzer(conn));
 		// Add ConnSize analyzer. Needs to see packets, not stream.
 		if ( ConnSize_Analyzer::Available() )
 			tcp->AddChildPacketAnalyzer(new ConnSize_Analyzer(conn));
 		}
 	else
 		{
 		if ( ConnSize_Analyzer::Available() )
 			root->AddChildAnalyzer(new ConnSize_Analyzer(conn), false);
 		}
 	if ( pia )
 		root->AddChildAnalyzer(pia->AsAnalyzer(), false);
 	if ( root->GetChildren().size() )
 		analyzed = true;
 	conn->SetRootAnalyzer(root, pia);
 	root->Init();
 	root->InitChildren();
 	if ( ! analyzed )
 		conn->SetLifetime(non_analyzed_lifetime);
 	if ( expected != AnalyzerTag::Error  )
 		conn->Event(expected_connection_seen, 0,
 				new Val(expected, TYPE_COUNT));
 	return true;
 	}
 void DPM::ExpectConnection(const IPAddr& orig, const IPAddr& resp,
 			uint16 resp_p,
 			TransportProto proto, AnalyzerTag::Tag analyzer,
 			double timeout, void* cookie)
 	{
 	// Use the chance to see if the oldest entry is already expired.
 	if ( expected_conns_queue.size() )
 		{
 		AssignedAnalyzer* a = expected_conns_queue.top();
 		if ( a->timeout < network_time )
 			{
 			if ( ! a->deleted )
 				{
 				HashKey* key = BuildExpectedConnHashKey(a->conn);
 				expected_conns.Remove(key);
 				delete key;
 				}
 			expected_conns_queue.pop();
 			DBG_LOG(DBG_DPD, "Expired expected %s analyzer for %s",
 				Analyzer::GetTagName(analyzer),
 				fmt_conn_id(a->conn.orig, 0,
 						a->conn.resp,
 						a->conn.resp_p));
 			delete a;
 			}
 		}
 	ExpectedConn c(orig, resp, resp_p, proto);
 	HashKey* key = BuildExpectedConnHashKey(c);
 	AssignedAnalyzer* a = expected_conns.Lookup(key);
 	if ( a )
 		a->deleted = true;
 	a = new AssignedAnalyzer(c);
 	a->analyzer = analyzer;
 	a->cookie = cookie;
 	a->timeout = network_time + timeout;
 	a->deleted = false;
 	expected_conns.Insert(key, a);
 	expected_conns_queue.push(a);
 	delete key;
 	}
 void DPM::Done()
 	{
 	// Clean up expected-connection table.
 	while ( expected_conns_queue.size() )
 		{
 		AssignedAnalyzer* a = expected_conns_queue.top();
 		if ( ! a->deleted )
 			{
 			HashKey* key = BuildExpectedConnHashKey(a->conn);
 			expected_conns.Remove(key);
 			delete key;
 			}
 		expected_conns_queue.pop();
 		delete a;
 		}
 	}
--- a/src/DPM.h
+++ b/src/DPM.h
@ -1,131 +0,0 @@
 // The central management unit for dynamic analyzer selection.
 #ifndef DPM_H
 #define DPM_H
 #include <queue>
 #include "Analyzer.h"
 #include "Dict.h"
 #include "net_util.h"
 // DPM debug logging, which includes the connection id into the message.
 #ifdef DEBUG
 # define DBG_DPD(conn, txt) \
 	DBG_LOG(DBG_DPD, "%s " txt, \
 		fmt_conn_id(conn->OrigAddr(), ntohs(conn->OrigPort()), \
 		conn->RespAddr(), ntohs(conn->RespPort())));
 # define DBG_DPD_ARGS(conn, fmt, args...) \
 	DBG_LOG(DBG_DPD, "%s " fmt, \
 		fmt_conn_id(conn->OrigAddr(), ntohs(conn->OrigPort()), \
 		conn->RespAddr(), ntohs(conn->RespPort())), ##args);
 #else
 # define DBG_DPD(conn, txt)
 # define DBG_DPD_ARGS(conn, fmt, args...)
 #endif
 // Map to assign expected connections to analyzers.
 class ExpectedConn {
 public:
 	ExpectedConn(const IPAddr& _orig, const IPAddr& _resp,
 			uint16 _resp_p, uint16 _proto);
 	ExpectedConn(const ExpectedConn& c);
 	IPAddr orig;
 	IPAddr resp;
 	uint16 resp_p;
 	uint16 proto;
 };
 // Associates an analyzer for an expected future connection.
 class AssignedAnalyzer {
 public:
 	AssignedAnalyzer(const ExpectedConn& c)
 	: conn(c)
 		{
 		}
 	ExpectedConn conn;
 	AnalyzerTag::Tag analyzer;
 	double timeout;
 	void* cookie;
 	bool deleted;
 	static bool compare(const AssignedAnalyzer* a1, const AssignedAnalyzer* a2)
 		{ return a1->timeout > a2->timeout; }
 };
 declare(PDict, AssignedAnalyzer);
 class DPM {
 public:
 	DPM();
 	~DPM();
 	// Setup analyzer config.
 	void PreScriptInit();	// To be called before scripts are parsed ...
 	void PostScriptInit();	// ... and after.
 	// Given info about the first packet, build initial analyzer tree.
 	//
 	// It would be more flexible if we simply pass in the IP header
 	// and then extract the information we need.  However, when this
 	// method is called from the session management, protocol and ports
 	// have already been extracted there and it would be a waste to do
 	// it again.
 	//
 	// Returns 0 if we can't build a tree (e.g., because the necessary
 	// analyzers have not been converted to the DPM framework yet...)
 	bool BuildInitialAnalyzerTree(TransportProto proto, Connection* conn,
 					const u_char* data);
 	// Schedules a particular analyzer for an upcoming connection.
 	// 0 acts as a wildcard for orig.  (Cookie is currently unused.
 	// Eventually, we may pass it on to the analyzer).
 	void ExpectConnection(const IPAddr& orig, const IPAddr& resp, uint16 resp_p,
 				TransportProto proto, AnalyzerTag::Tag analyzer,
 				double timeout, void* cookie);
 	// Activates signature matching for protocol detection. (Called when an
 	// DPM signatures is found.)
 	void ActivateSigs()		{ sigs_activated = true; }
 	bool SigsActivated() const	{ return sigs_activated; }
 	void Done();
 private:
 	// Convert script-level config into internal data structures.
 	void AddConfig(const Analyzer::Config& tag);
 	// Return analyzer if any has been scheduled with ExpectConnection()
 	// AnalyzerTag::::Error if none.
 	AnalyzerTag::Tag GetExpected(int proto, const Connection* conn);
 	// Mappings of destination port to analyzer.
 	typedef list<AnalyzerTag::Tag> tag_list;
 	typedef map<uint32, tag_list*> analyzer_map;
 	analyzer_map tcp_ports;
 	analyzer_map udp_ports;
 	// Array of bools indicating whether an analyzer is activated,
 	// indexed by AnalyzerTag::Tag.
 	bool* active_analyzers;
 	// True if signature-matching has been activated.
 	bool sigs_activated;
 	PDict(AssignedAnalyzer) expected_conns;
 	typedef priority_queue<
 			AssignedAnalyzer*,
 			vector<AssignedAnalyzer*>,
 			bool (*)(const AssignedAnalyzer*,
 					const AssignedAnalyzer*)> conn_queue;
 	conn_queue expected_conns_queue;
 };
 extern DPM* dpm;
 #endif
--- a/src/Event.cc
+++ b/src/Event.cc
@ -13,7 +13,7 @@ int num_events_queued = 0;
 int num_events_dispatched = 0;
 Event::Event(EventHandlerPtr arg_handler, val_list* arg_args,
-		SourceID arg_src, AnalyzerID arg_aid, TimerMgr* arg_mgr,
+		SourceID arg_src, analyzer::ID arg_aid, TimerMgr* arg_mgr,
 		BroObj* arg_obj)
 	{
 	handler = arg_handler;
--- a/src/Event.h
+++ b/src/Event.h
@ -5,14 +5,16 @@
 #include "EventRegistry.h"
 #include "Serializer.h"
-#include "AnalyzerTags.h"
+
 #include "analyzer/Tag.h"
 #include "analyzer/Analyzer.h"
 class EventMgr;
 class Event : public BroObj {
 public:
 	Event(EventHandlerPtr handler, val_list* args,
-		SourceID src = SOURCE_LOCAL, AnalyzerID aid = 0,
+		SourceID src = SOURCE_LOCAL, analyzer::ID aid = 0,
 		TimerMgr* mgr = 0, BroObj* obj = 0);
 	~Event();
@ -20,7 +22,7 @@ public:
 	Event* NextEvent() const	{ return next_event; }
 	SourceID Source() const		{ return src; }
-	AnalyzerID Analyzer() const	{ return aid; }
+	analyzer::ID Analyzer() const	{ return aid; }
 	TimerMgr* Mgr() const		{ return mgr; }
 	void Describe(ODesc* d) const;
@ -62,7 +64,7 @@ protected:
 	EventHandlerPtr handler;
 	val_list* args;
 	SourceID src;
-	AnalyzerID aid;
+	analyzer::ID aid;
 	TimerMgr* mgr;
 	BroObj* obj;
 	Event* next_event;
@ -77,7 +79,7 @@ public:
 	~EventMgr();
 	void QueueEvent(EventHandlerPtr h, val_list* vl,
-			SourceID src = SOURCE_LOCAL, AnalyzerID aid = 0,
+			SourceID src = SOURCE_LOCAL, analyzer::ID aid = 0,
 			TimerMgr* mgr = 0, BroObj* obj = 0)
 		{
 		if ( h )
@ -105,7 +107,7 @@ public:
 	// Returns the ID of the analyzer which raised the last event, or 0 if
 	// non-analyzer event.
-	AnalyzerID CurrentAnalyzer() const	{ return current_aid; }
+	analyzer::ID CurrentAnalyzer() const	{ return current_aid; }
 	// Returns the timer mgr associated with the last raised event.
 	TimerMgr* CurrentTimerMgr() const	{ return current_mgr; }
@ -124,7 +126,7 @@ protected:
 	Event* head;
 	Event* tail;
 	SourceID current_src;
-	AnalyzerID current_aid;
+	analyzer::ID current_aid;
 	TimerMgr* current_mgr;
 	RecordVal* src_val;
 	bool draining;
--- a/src/EventLauncher.cc
+++ b/src/EventLauncher.cc
@ -1,6 +1,8 @@
 #include "Val.h"
-#include "Analyzer.h"
+#include "analyzer/Analyzer.h"
 #include "EventLauncher.h"
 #include "Event.h"
 #include "NetVar.h"
 #include "Conn.h"
 #include "event.bif.func_def"
--- a/src/FTP.cc
+++ b/src/FTP.cc
@ -12,7 +12,7 @@
 #include "Base64.h"
 FTP_Analyzer::FTP_Analyzer(Connection* conn)
-: TCP_ApplicationAnalyzer(AnalyzerTag::FTP, conn)
+: TCP_ApplicationAnalyzer("FTP", conn)
 	{
 	pending_reply = 0;
@ -176,7 +176,7 @@ void FTP_ADAT_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 	{
 	// Don't know how to parse anything but the ADAT exchanges of GSI GSSAPI,
 	// which is basically just TLS/SSL.
-	if ( ! Parent()->GetTag() == AnalyzerTag::SSL )
+	if ( ! Parent()->IsAnalyzer("SSL") )
 		{
 		Parent()->Remove();
 		return;
--- a/src/FTP.h
+++ b/src/FTP.h
@ -13,7 +13,7 @@ public:
 	virtual void Done();
 	virtual void DeliverStream(int len, const u_char* data, bool orig);
-	static Analyzer* InstantiateAnalyzer(Connection* conn)
+	static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
 		{
 		return new FTP_Analyzer(conn);
 		}
@ -22,8 +22,6 @@ public:
 protected:
 	FTP_Analyzer()	{}
 	NVT_Analyzer* nvt_orig;
 	NVT_Analyzer* nvt_resp;
 	uint32 pending_reply;	// code associated with multi-line reply, or 0
@ -37,10 +35,10 @@ protected:
 * analyzer just decodes the tokens and passes them on to the parent, which must
 * be an SSL analyzer instance.
 */
-class FTP_ADAT_Analyzer : public SupportAnalyzer {
+class FTP_ADAT_Analyzer : public analyzer::SupportAnalyzer {
 public:
 	FTP_ADAT_Analyzer(Connection* conn, bool arg_orig)
-	    : SupportAnalyzer(AnalyzerTag::FTP_ADAT, conn, arg_orig),
+	    : SupportAnalyzer("FTP_ADAT", conn, arg_orig),
 	      first_token(true) { }
 	void DeliverStream(int len, const u_char* data, bool orig);
--- a/src/FileAnalyzer.cc
+++ b/src/FileAnalyzer.cc
@ -8,7 +8,7 @@ magic_t File_Analyzer::magic = 0;
 magic_t File_Analyzer::magic_mime = 0;
 File_Analyzer::File_Analyzer(Connection* conn)
-: TCP_ApplicationAnalyzer(AnalyzerTag::File, conn)
+: TCP_ApplicationAnalyzer("FILE", conn)
 	{
 	buffer_len = 0;
--- a/src/FileAnalyzer.h
+++ b/src/FileAnalyzer.h
@ -15,14 +15,12 @@ public:
 	virtual void DeliverStream(int len, const u_char* data, bool orig);
-	static Analyzer* InstantiateAnalyzer(Connection* conn)
+	static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
 		{ return new File_Analyzer(conn); }
 	static bool Available()	{ return file_transferred; }
 protected:
 	File_Analyzer()	{}
 	void Identify();
 	static const int BUFFER_SIZE = 1024;
--- a/src/Finger.cc
+++ b/src/Finger.cc
@ -10,7 +10,7 @@
 #include "ContentLine.h"
 Finger_Analyzer::Finger_Analyzer(Connection* conn)
-: TCP_ApplicationAnalyzer(AnalyzerTag::Finger, conn)
+: TCP_ApplicationAnalyzer("FINGER", conn)
 	{
 	did_deliver = 0;
 	content_line_orig = new ContentLine_Analyzer(conn, true);
--- a/src/Finger.h
+++ b/src/Finger.h
@ -16,7 +16,7 @@ public:
 	// Line-based input.
 	virtual void DeliverStream(int len, const u_char* data, bool orig);
-	static Analyzer* InstantiateAnalyzer(Connection* conn)
+	static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
 		{ return new Finger_Analyzer(conn); }
 	static bool Available()	{ return finger_request || finger_reply; }
--- a/src/Func.cc
+++ b/src/Func.cc
@ -548,12 +548,14 @@ void builtin_error(const char* msg, BroObj* arg)
 		reporter->Error(msg, arg);
 	}
 #include "analyzer.bif.func_h"
 #include "bro.bif.func_h"
 #include "logging.bif.func_h"
 #include "input.bif.func_h"
 #include "reporter.bif.func_h"
 #include "strings.bif.func_h"
 #include "analyzer.bif.func_def"
 #include "bro.bif.func_def"
 #include "logging.bif.func_def"
 #include "input.bif.func_def"
@ -569,6 +571,7 @@ void init_builtin_funcs()
 	var_sizes = internal_type("var_sizes")->AsTableType();
 	gap_info = internal_type("gap_info")->AsRecordType();
 #include "analyzer.bif.func_init"
 #include "bro.bif.func_init"
 #include "logging.bif.func_init"
 #include "input.bif.func_init"
--- a/src/GTPv1.cc
+++ b/src/GTPv1.cc
@ -1,7 +1,7 @@
 #include "GTPv1.h"
 GTPv1_Analyzer::GTPv1_Analyzer(Connection* conn)
-: Analyzer(AnalyzerTag::GTPv1, conn)
+: Analyzer("GTPV1", conn)
 	{
 	interp = new binpac::GTPv1::GTPv1_Conn(this);
 	}
--- a/src/GTPv1.h
+++ b/src/GTPv1.h
@ -3,7 +3,7 @@
 #include "gtpv1_pac.h"
-class GTPv1_Analyzer : public Analyzer {
+class GTPv1_Analyzer : public analyzer::Analyzer {
 public:
 	GTPv1_Analyzer(Connection* conn);
 	virtual ~GTPv1_Analyzer();
@ -12,7 +12,7 @@ public:
 	virtual void DeliverPacket(int len, const u_char* data, bool orig,
 					int seq, const IP_Hdr* ip, int caplen);
-	static Analyzer* InstantiateAnalyzer(Connection* conn)
+	static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
 		{ return new GTPv1_Analyzer(conn); }
 	static bool Available()
--- a/src/Gnutella.cc
+++ b/src/Gnutella.cc
@ -30,7 +30,7 @@ GnutellaMsgState::GnutellaMsgState()
 Gnutella_Analyzer::Gnutella_Analyzer(Connection* conn)
-: TCP_ApplicationAnalyzer(AnalyzerTag::Gnutella, conn)
+: TCP_ApplicationAnalyzer("GNUTELLA", conn)
 	{
 	state = 0;
 	new_state = 0;
@ -131,13 +131,13 @@ int Gnutella_Analyzer::IsHTTP(string header)
 	if ( HTTP_Analyzer::Available() )
 		{
-		Analyzer* a = new HTTP_Analyzer(Conn());
+		analyzer::Analyzer* a = new HTTP_Analyzer(Conn());
 		Parent()->AddChildAnalyzer(a);
-		if ( Parent()->GetTag() == AnalyzerTag::TCP )
+		if ( Parent()->IsAnalyzer("TCP") )
 			{
 			// Replay buffered data.
-			PIA* pia = static_cast<TransportLayerAnalyzer *>(Parent())->GetPIA();
+			PIA* pia = static_cast<analyzer::TransportLayerAnalyzer *>(Parent())->GetPIA();
 			if ( pia )
 				static_cast<PIA_TCP *>(pia)->ReplayStreamBuffer(a);
 			}
--- a/src/Gnutella.h
+++ b/src/Gnutella.h
@ -40,7 +40,7 @@ public:
 	virtual void Done ();
 	virtual void DeliverStream(int len, const u_char* data, bool orig);
-	static Analyzer* InstantiateAnalyzer(Connection* conn)
+	static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
 		{ return new Gnutella_Analyzer(conn); }
 	static bool Available()
--- a/src/HTTP-binpac.cc
+++ b/src/HTTP-binpac.cc
@ -2,7 +2,7 @@
 #include "TCP_Reassembler.h"
 HTTP_Analyzer_binpac::HTTP_Analyzer_binpac(Connection *c)
-: TCP_ApplicationAnalyzer(AnalyzerTag::HTTP_BINPAC, c)
+: TCP_ApplicationAnalyzer("HTTP_BINPAC", c)
 	{
 	interp = new binpac::HTTP::HTTP_Conn(this);
 	}
--- a/src/HTTP-binpac.h
+++ b/src/HTTP-binpac.h
@ -15,7 +15,7 @@ public:
 	virtual void Undelivered(int seq, int len, bool orig);
 	virtual void EndpointEOF(bool is_orig);
-	static Analyzer* InstantiateAnalyzer(Connection* conn)
+	static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
 		{ return new HTTP_Analyzer_binpac(conn); }
 	static bool Available()
--- a/src/HTTP.cc
+++ b/src/HTTP.cc
@ -161,7 +161,7 @@ void HTTP_Entity::Deliver(int len, const char* data, int trailing_CRLF)
 		DeliverBody(len, data, trailing_CRLF);
 	}
-class HTTP_Entity::UncompressedOutput : public Analyzer::OutputHandler {
+class HTTP_Entity::UncompressedOutput : public analyzer::Analyzer::OutputHandler {
 public:
 	UncompressedOutput(HTTP_Entity* e)	{ entity = e; }
 	virtual	~UncompressedOutput() { }
@ -787,7 +787,7 @@ void HTTP_Message::Weird(const char* msg)
 	}
 HTTP_Analyzer::HTTP_Analyzer(Connection* conn)
-	: TCP_ApplicationAnalyzer(AnalyzerTag::HTTP, conn)
+: TCP_ApplicationAnalyzer("HTTP", conn)
 	{
 	num_requests = num_replies = 0;
 	num_request_lines = num_reply_lines = 0;
@ -1736,7 +1736,7 @@ void escape_URI_char(unsigned char ch, unsigned char*& p)
 	}
 BroString* unescape_URI(const u_char* line, const u_char* line_end,
-			Analyzer* analyzer)
+			analyzer::Analyzer* analyzer)
 	{
 	byte_vec decoded_URI = new u_char[line_end - line + 1];
 	byte_vec URI_p = decoded_URI;
--- a/src/HTTP.h
+++ b/src/HTTP.h
@ -174,7 +174,7 @@ public:
 	virtual void ConnectionReset();
 	virtual void PacketWithRST();
-	static Analyzer* InstantiateAnalyzer(Connection* conn)
+	static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
 		{ return new HTTP_Analyzer(conn); }
 	static bool Available()
@ -252,6 +252,6 @@ extern int is_reserved_URI_char(unsigned char ch);
 extern int is_unreserved_URI_char(unsigned char ch);
 extern void escape_URI_char(unsigned char ch, unsigned char*& p);
 extern BroString* unescape_URI(const u_char* line, const u_char* line_end,
-				Analyzer* analyzer);
+				analyzer::Analyzer* analyzer);
 #endif
--- a/src/ICMP.cc
+++ b/src/ICMP.cc
@ -8,19 +8,12 @@
 #include "NetVar.h"
 #include "Event.h"
 #include "ICMP.h"
 #include "Conn.h"
 #include <netinet/icmp6.h>
 ICMP_Analyzer::ICMP_Analyzer(Connection* c)
-: TransportLayerAnalyzer(AnalyzerTag::ICMP, c)
+: TransportLayerAnalyzer("ICMP", c)
 	{
 	icmp_conn_val = 0;
 	c->SetInactivityTimeout(icmp_inactivity_timeout);
 	request_len = reply_len = -1;
 	}
 ICMP_Analyzer::ICMP_Analyzer(AnalyzerTag::Tag tag, Connection* c)
 : TransportLayerAnalyzer(tag, c)
 	{
 	icmp_conn_val = 0;
 	c->SetInactivityTimeout(icmp_inactivity_timeout);
--- a/src/ICMP.h
+++ b/src/ICMP.h
@ -3,7 +3,8 @@
 #ifndef icmp_h
 #define icmp_h
-#include "Analyzer.h"
+#include "RuleMatcher.h"
 #include "analyzer/Analyzer.h"
 typedef enum {
 	ICMP_INACTIVE,	// no packet seen
@ -12,20 +13,19 @@ typedef enum {
 // We do not have an PIA for ICMP (yet) and therefore derive from
 // RuleMatcherState to perform our own matching.
-class ICMP_Analyzer : public TransportLayerAnalyzer {
+class ICMP_Analyzer : public analyzer::TransportLayerAnalyzer {
 public:
 	ICMP_Analyzer(Connection* conn);
 	virtual void UpdateConnVal(RecordVal *conn_val);
-	static Analyzer* InstantiateAnalyzer(Connection* conn)
+	static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
 		{ return new ICMP_Analyzer(conn); }
 	static bool Available()	{ return true; }
 protected:
-	ICMP_Analyzer()	{ }
+	ICMP_Analyzer(analyzer::Tag tag, Connection* conn);
 	ICMP_Analyzer(AnalyzerTag::Tag tag, Connection* conn);
 	virtual void Done();
 	virtual void DeliverPacket(int len, const u_char* data, bool orig,
--- a/src/IPAddr.cc
+++ b/src/IPAddr.cc
@ -5,9 +5,10 @@
 #include "IPAddr.h"
 #include "Reporter.h"
 #include "Conn.h"
 #include "DPM.h"
 #include "bro_inet_ntop.h"
 #include "analyzer/Manager.h"
 const uint8_t IPAddr::v4_mapped_prefix[12] = { 0, 0, 0, 0,
                                               0, 0, 0, 0,
                                               0, 0, 0xff, 0xff };
@ -44,7 +45,7 @@ HashKey* BuildConnIDHashKey(const ConnID& id)
 	return new HashKey(&key, sizeof(key));
 	}
-HashKey* BuildExpectedConnHashKey(const ExpectedConn& c)
+HashKey* BuildExpectedConnHashKey(const analyzer::ExpectedConn& c)
 	{
 	struct {
 		in6_addr orig;
--- a/src/IPAddr.h
+++ b/src/IPAddr.h
@ -14,7 +14,7 @@
 #include "threading/SerialTypes.h"
 struct ConnID;
-class ExpectedConn;
+namespace analyzer { class ExpectedConn; }
 typedef in_addr in4_addr;
@ -363,7 +363,7 @@ public:
 	void ConvertToThreadingValue(threading::Value::addr_t* v) const;
 	friend HashKey* BuildConnIDHashKey(const ConnID& id);
-	friend HashKey* BuildExpectedConnHashKey(const ExpectedConn& c);
+	friend HashKey* BuildExpectedConnHashKey(const analyzer::ExpectedConn& c);
 	unsigned int MemoryAllocation() const { return padded_sizeof(*this); }
@ -455,7 +455,7 @@ HashKey* BuildConnIDHashKey(const ConnID& id);
 /**
  * Returns a hash key for a given ExpectedConn instance. Passes ownership to caller.
  */
-HashKey* BuildExpectedConnHashKey(const ExpectedConn& c);
+HashKey* BuildExpectedConnHashKey(const analyzer::ExpectedConn& c);
 /**
 * Class storing both IPv4 and IPv6 prefixes
--- a/src/IRC.cc
+++ b/src/IRC.cc
@ -2,15 +2,15 @@
 #include <iostream>
 #include "IRC.h"
 #include "DPM.h"
 #include "ContentLine.h"
 #include "NetVar.h"
 #include "Event.h"
 #include "ZIP.h"
 #include "analyzer/Manager.h"
 IRC_Analyzer::IRC_Analyzer(Connection* conn)
-: TCP_ApplicationAnalyzer(AnalyzerTag::IRC, conn)
+: TCP_ApplicationAnalyzer("IRC", conn)
 	{
 	invalid_msg_count = 0;
 	invalid_msg_max_count = 20;
--- a/src/IRC.h
+++ b/src/IRC.h
@ -30,7 +30,7 @@ public:
 	*/
 	virtual void DeliverStream(int len, const u_char* data, bool orig);
-	static Analyzer* InstantiateAnalyzer(Connection* conn)
+	static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
 		{
 		return new IRC_Analyzer(conn);
 		}
--- a/src/Ident.cc
+++ b/src/Ident.cc
@ -9,7 +9,7 @@
 #include "Event.h"
 Ident_Analyzer::Ident_Analyzer(Connection* conn)
-: TCP_ApplicationAnalyzer(AnalyzerTag::Ident, conn)
+: TCP_ApplicationAnalyzer("IDENT", conn)
 	{
 	did_bad_reply = did_deliver = 0;
--- a/src/Ident.h
+++ b/src/Ident.h
@ -13,7 +13,7 @@ public:
 	virtual void DeliverStream(int length, const u_char* data, bool is_orig);
-	static Analyzer* InstantiateAnalyzer(Connection* conn)
+	static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
 		{ return new Ident_Analyzer(conn); }
 	static bool Available()
--- a/src/InterConn.cc
+++ b/src/InterConn.cc
@ -153,7 +153,7 @@ int InterConnEndpoint::IsNormalKeystrokeInterarrival(double t) const
 	}
 InterConn_Analyzer::InterConn_Analyzer(Connection* c)
-: TCP_ApplicationAnalyzer(AnalyzerTag::InterConn, c)
+: TCP_ApplicationAnalyzer("INTERCONN", c)
 	{
 	orig_endp = resp_endp = 0;
 	orig_stream_pos = resp_stream_pos = 1;
--- a/src/InterConn.h
+++ b/src/InterConn.h
@ -47,7 +47,7 @@ public:
 	virtual void Done();
 	void StatTimer(double t, int is_expire);
-	static Analyzer* InstantiateAnalyzer(Connection* conn)
+	static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
 		{ return new InterConn_Analyzer(conn); }
 	static bool Available()	{ return interconn_stats; }
--- a/src/Login.cc
+++ b/src/Login.cc
@ -20,8 +20,8 @@ static RE_Matcher* re_login_timeouts;
 static RE_Matcher* init_RE(ListVal* l);
-Login_Analyzer::Login_Analyzer(AnalyzerTag::Tag tag, Connection* conn)
+Login_Analyzer::Login_Analyzer(const char* name, Connection* conn)
-: TCP_ApplicationAnalyzer(tag, conn)
+: TCP_ApplicationAnalyzer(name, conn)
 	{
 	state = LOGIN_STATE_AUTHENTICATE;
 	num_user_lines_seen = lines_scanned = 0;
--- a/src/Login.h
+++ b/src/Login.h
@ -21,7 +21,7 @@ typedef enum {
 class Login_Analyzer : public TCP_ApplicationAnalyzer {
 public:
-	Login_Analyzer(AnalyzerTag::Tag tag, Connection* conn);
+	Login_Analyzer(const char* name, Connection* conn);
 	~Login_Analyzer();
 	virtual void DeliverStream(int len, const u_char* data, bool orig);
--- a/src/MIME.cc
+++ b/src/MIME.cc
@ -966,7 +966,7 @@ TableVal* MIME_Message::BuildHeaderTable(MIME_HeaderList& hlist)
 	return t;
 	}
-MIME_Mail::MIME_Mail(Analyzer* mail_analyzer, int buf_size)
+MIME_Mail::MIME_Mail(analyzer::Analyzer* mail_analyzer, int buf_size)
 : MIME_Message(mail_analyzer)
 	{
 	analyzer = mail_analyzer;
--- a/src/MIME.h
+++ b/src/MIME.h
@ -10,7 +10,7 @@ using namespace std;
 #include "Base64.h"
 #include "BroString.h"
-#include "Analyzer.h"
+#include "analyzer/Analyzer.h"
 // MIME: Multipurpose Internet Mail Extensions
 // Follows RFC 822 & 2822 (Internet Mail), 2045-2049 (MIME)
@ -178,7 +178,7 @@ protected:
 class MIME_Message {
 public:
-	MIME_Message(Analyzer* arg_analyzer)
+	MIME_Message(analyzer::Analyzer* arg_analyzer)
 		{
 		// Cannot initialize top_level entity because we do
 		// not know its type yet (MIME_Entity / MIME_Mail /
@ -203,7 +203,7 @@ public:
 		top_level->Deliver(len, data, trailing_CRLF);
 		}
-	Analyzer* GetAnalyzer() const	{ return analyzer; }
+	analyzer::Analyzer* GetAnalyzer() const	{ return analyzer; }
 	// Events generated by MIME_Entity
 	virtual void BeginEntity(MIME_Entity*) = 0;
@ -215,7 +215,7 @@ public:
 	virtual void SubmitEvent(int event_type, const char* detail) = 0;
 protected:
-	Analyzer* analyzer;
+	analyzer::Analyzer* analyzer;
 	MIME_Entity* top_level;
 	int finished;
@ -226,7 +226,7 @@ protected:
 class MIME_Mail : public MIME_Message {
 public:
-	MIME_Mail(Analyzer* mail_conn, int buf_size = 0);
+	MIME_Mail(analyzer::Analyzer* mail_conn, int buf_size = 0);
 	~MIME_Mail();
 	void Done();
--- a/src/Modbus.cc
+++ b/src/Modbus.cc
@ -3,7 +3,7 @@
 #include "TCP_Reassembler.h"
 ModbusTCP_Analyzer::ModbusTCP_Analyzer(Connection* c)
-	: TCP_ApplicationAnalyzer(AnalyzerTag::Modbus, c)
+	: TCP_ApplicationAnalyzer("MODBUS", c)
 	{
 	interp = new binpac::ModbusTCP::ModbusTCP_Conn(this);
 	}
--- a/src/Modbus.h
+++ b/src/Modbus.h
@ -15,7 +15,7 @@ public:
 	virtual void Undelivered(int seq, int len, bool orig);
 	virtual void EndpointEOF(bool is_orig);
-	static Analyzer* InstantiateAnalyzer(Connection* conn)
+	static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
 		{ return new ModbusTCP_Analyzer(conn); }
 	// Put event names in this function
--- a/src/NCP.cc
+++ b/src/NCP.cc
@ -17,7 +17,7 @@ using namespace std;
 	 uint16(xbyte(bytes, 0)) | ((uint16(xbyte(bytes, 1))) << 8) : \
 	 uint16(xbyte(bytes, 1)) | ((uint16(xbyte(bytes, 0))) << 8))
-NCP_Session::NCP_Session(Analyzer* a)
+NCP_Session::NCP_Session(analyzer::Analyzer* a)
 : analyzer(a)
 	{
 	req_frame_type = 0;
@ -150,7 +150,7 @@ void NCP_FrameBuffer::compute_msg_length()
 	}
 Contents_NCP_Analyzer::Contents_NCP_Analyzer(Connection* conn, bool orig, NCP_Session* arg_session)
-: TCP_SupportAnalyzer(AnalyzerTag::Contents_NCP, conn, orig)
+: TCP_SupportAnalyzer("CONTENTS_NCP", conn, orig)
 	{
 	session = arg_session;
 	resync = true;
@ -215,7 +215,7 @@ void Contents_NCP_Analyzer::Undelivered(int seq, int len, bool orig)
 	}
 NCP_Analyzer::NCP_Analyzer(Connection* conn)
-: TCP_ApplicationAnalyzer(AnalyzerTag::NCP, conn)
+: TCP_ApplicationAnalyzer("NCP", conn)
 	{
 	session = new NCP_Session(this);
 	o_ncp = new Contents_NCP_Analyzer(conn, true, session);
--- a/src/NCP.h
+++ b/src/NCP.h
@ -29,7 +29,7 @@
 class NCP_Session {
 public:
-	NCP_Session(Analyzer* analyzer);
+	NCP_Session(analyzer::Analyzer* analyzer);
 	virtual ~NCP_Session() {}
 	virtual void Deliver(int is_orig, int len, const u_char* data);
@ -42,7 +42,7 @@ public:
 protected:
 	void DeliverFrame(const binpac::NCP::ncp_frame* frame);
-	Analyzer* analyzer;
+	analyzer::Analyzer* analyzer;
 	int req_frame_type;
 	int req_func;
 };
@ -102,7 +102,7 @@ public:
 	NCP_Analyzer(Connection* conn);
 	virtual ~NCP_Analyzer();
-	static Analyzer* InstantiateAnalyzer(Connection* conn)
+	static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
 		{ return new NCP_Analyzer(conn); }
 	static bool Available()	{ return NCP_Session::any_ncp_event(); }
--- a/src/NFS.cc
+++ b/src/NFS.cc
@ -641,7 +641,7 @@ Val* NFS_Interp::ExtractBool(const u_char*& buf, int& n)
 NFS_Analyzer::NFS_Analyzer(Connection* conn)
-	: RPC_Analyzer(AnalyzerTag::NFS, conn, new NFS_Interp(this))
+	: RPC_Analyzer("RPC", conn, new NFS_Interp(this))
 	{
 	orig_rpc = resp_rpc = 0;
 	}
--- a/src/NFS.h
+++ b/src/NFS.h
@ -9,7 +9,7 @@
 class NFS_Interp : public RPC_Interpreter {
 public:
-	NFS_Interp(Analyzer* arg_analyzer) : RPC_Interpreter(arg_analyzer) { }
+	NFS_Interp(analyzer::Analyzer* arg_analyzer) : RPC_Interpreter(arg_analyzer) { }
 protected:
 	int RPC_BuildCall(RPC_CallInfo* c, const u_char*& buf, int& n);
@ -75,7 +75,7 @@ public:
 	NFS_Analyzer(Connection* conn);
 	virtual void Init();
-	static Analyzer* InstantiateAnalyzer(Connection* conn)
+	static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
 		{ return new NFS_Analyzer(conn); }
 	static bool Available()
--- a/src/NTP.cc
+++ b/src/NTP.cc
@ -9,7 +9,7 @@
 NTP_Analyzer::NTP_Analyzer(Connection* conn)
-	: Analyzer(AnalyzerTag::NTP, conn)
+	: Analyzer("NTP", conn)
 	{
 	ADD_ANALYZER_TIMER(&NTP_Analyzer::ExpireTimer,
 				network_time + ntp_session_timeout, 1,
--- a/src/NTP.h
+++ b/src/NTP.h
@ -35,11 +35,11 @@ struct ntpdata {
 	struct l_fixedpt xmt;
 };
-class NTP_Analyzer : public Analyzer {
+class NTP_Analyzer : public analyzer::Analyzer {
 public:
 	NTP_Analyzer(Connection* conn);
-	static Analyzer* InstantiateAnalyzer(Connection* conn)
+	static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
 		{ return new NTP_Analyzer(conn); }
 	static bool Available()	{ return ntp_message; }
--- a/src/NVT.cc
+++ b/src/NVT.cc
@ -360,7 +360,7 @@ void TelnetBinaryOption::InconsistentOption(unsigned int /* type */)
 NVT_Analyzer::NVT_Analyzer(Connection* conn, bool orig)
-: ContentLine_Analyzer(AnalyzerTag::NVT, conn, orig)
+: ContentLine_Analyzer("NVT", conn, orig)
 	{
 	peer = 0;
 	is_suboption = last_was_IAC = pending_IAC = 0;
--- a/src/NetVar.cc
+++ b/src/NetVar.cc
@ -208,7 +208,6 @@ TableType* irc_join_list;
 RecordType* irc_join_info;
 TableVal* irc_servers;
 TableVal* dpd_config;
 int dpd_reassemble_first_packets;
 int dpd_buffer_size;
 int dpd_match_only_beginning;
@ -239,6 +238,7 @@ TableType* record_field_table;
 StringVal* cmd_line_bpf_filter;
 #include "analyzer.bif.netvar_def"
 #include "const.bif.netvar_def"
 #include "types.bif.netvar_def"
 #include "event.bif.netvar_def"
@ -512,7 +512,6 @@ void init_net_var()
 		opt_internal_double("remote_trace_sync_interval");
 	remote_trace_sync_peers = opt_internal_int("remote_trace_sync_peers");
 	dpd_config = internal_val("dpd_config")->AsTableVal();
 	dpd_reassemble_first_packets =
 		opt_internal_int("dpd_reassemble_first_packets");
 	dpd_buffer_size = opt_internal_int("dpd_buffer_size");
--- a/src/NetVar.h
+++ b/src/NetVar.h
@ -212,7 +212,6 @@ extern TableType* irc_join_list;
 extern RecordType* irc_join_info;
 extern TableVal* irc_servers;
 extern TableVal* dpd_config;
 extern int dpd_reassemble_first_packets;
 extern int dpd_buffer_size;
 extern int dpd_match_only_beginning;
@ -249,6 +248,7 @@ extern void init_general_global_var();
 extern void init_event_handlers();
 extern void init_net_var();
 #include "analyzer.bif.netvar_h"
 #include "const.bif.netvar_h"
 #include "types.bif.netvar_h"
 #include "event.bif.netvar_h"
--- a/src/NetbiosSSN.cc
+++ b/src/NetbiosSSN.cc
@ -43,7 +43,7 @@ NetbiosDGM_RawMsgHdr::NetbiosDGM_RawMsgHdr(const u_char*& data, int& len)
 	}
-NetbiosSSN_Interpreter::NetbiosSSN_Interpreter(Analyzer* arg_analyzer,
+NetbiosSSN_Interpreter::NetbiosSSN_Interpreter(analyzer::Analyzer* arg_analyzer,
 						SMB_Session* arg_smb_session)
 	{
 	analyzer = arg_analyzer;
@ -340,7 +340,7 @@ void NetbiosSSN_Interpreter::Event(EventHandlerPtr event, const u_char* data,
 Contents_NetbiosSSN::Contents_NetbiosSSN(Connection* conn, bool orig,
 					NetbiosSSN_Interpreter* arg_interp)
-: TCP_SupportAnalyzer(AnalyzerTag::Contents_NetbiosSSN, conn, orig)
+: TCP_SupportAnalyzer("CONTENTS_NETBIOSSSN", conn, orig)
 	{
 	interp = arg_interp;
 	type = flags = msg_size = 0;
@ -455,7 +455,7 @@ void Contents_NetbiosSSN::DeliverStream(int len, const u_char* data, bool orig)
 	}
 NetbiosSSN_Analyzer::NetbiosSSN_Analyzer(Connection* conn)
-: TCP_ApplicationAnalyzer(AnalyzerTag::NetbiosSSN, conn)
+: TCP_ApplicationAnalyzer("NETBIOS", conn)
 	{
 	smb_session = new SMB_Session(this);
 	interp = new NetbiosSSN_Interpreter(this, smb_session);
--- a/src/NetbiosSSN.h
+++ b/src/NetbiosSSN.h
@ -62,7 +62,7 @@ struct NetbiosDGM_RawMsgHdr {
 class NetbiosSSN_Interpreter {
 public:
-	NetbiosSSN_Interpreter(Analyzer* analyzer, SMB_Session* smb_session);
+	NetbiosSSN_Interpreter(analyzer::Analyzer* analyzer, SMB_Session* smb_session);
 	int ParseMessage(unsigned int type, unsigned int flags,
 			const u_char* data, int len, int is_query);
@ -108,7 +108,7 @@ protected:
 			u_char*& xname, int& xlen);
 protected:
-	Analyzer* analyzer;
+	analyzer::Analyzer* analyzer;
 	SMB_Session* smb_session;
 };
@ -157,7 +157,7 @@ public:
 	virtual void DeliverPacket(int len, const u_char* data, bool orig,
 					int seq, const IP_Hdr* ip, int caplen);
-	static Analyzer* InstantiateAnalyzer(Connection* conn)
+	static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
 		{ return new NetbiosSSN_Analyzer(conn); }
 	static bool Available()
--- a/src/PIA.cc
+++ b/src/PIA.cc
@ -2,7 +2,7 @@
 #include "RuleMatcher.h"
 #include "TCP_Reassembler.h"
-PIA::PIA(Analyzer* arg_as_analyzer)
+PIA::PIA(analyzer::Analyzer* arg_as_analyzer)
 	{
 	current_packet.data = 0;
 	as_analyzer = arg_as_analyzer;
@ -61,7 +61,7 @@ void PIA::AddToBuffer(Buffer* buffer, int len, const u_char* data, bool is_orig)
 	AddToBuffer(buffer, -1, len, data, is_orig);
 	}
-void PIA::ReplayPacketBuffer(Analyzer* analyzer)
+void PIA::ReplayPacketBuffer(analyzer::Analyzer* analyzer)
 	{
 	DBG_LOG(DBG_DPD, "PIA replaying %d total packet bytes", pkt_buffer.size);
@ -129,7 +129,7 @@ void PIA::DoMatch(const u_char* data, int len, bool is_orig, bool bol, bool eol,
 				bol, eol, clear_state);
 	}
-void PIA_UDP::ActivateAnalyzer(AnalyzerTag::Tag tag, const Rule* rule)
+void PIA_UDP::ActivateAnalyzer(analyzer::Tag tag, const Rule* rule)
 	{
 	if ( pkt_buffer.state == MATCHING_ONLY )
 		{
@ -142,14 +142,14 @@ void PIA_UDP::ActivateAnalyzer(AnalyzerTag::Tag tag, const Rule* rule)
 	if ( Parent()->HasChildAnalyzer(tag) )
 		return;
-	Analyzer* a = Parent()->AddChildAnalyzer(tag);
+	analyzer::Analyzer* a = Parent()->AddChildAnalyzer(tag);
 	a->SetSignature(rule);
 	if ( a )
 		ReplayPacketBuffer(a);
 	}
-void PIA_UDP::DeactivateAnalyzer(AnalyzerTag::Tag tag)
+void PIA_UDP::DeactivateAnalyzer(analyzer::Tag tag)
 	{
 	reporter->InternalError("PIA_UDP::Deact not implemented yet");
 	}
@ -165,7 +165,7 @@ void PIA_TCP::Init()
 	{
 	TCP_ApplicationAnalyzer::Init();
-	if ( Parent()->GetTag() == AnalyzerTag::TCP )
+	if ( Parent()->IsAnalyzer("TCP") )
 		{
 		TCP_Analyzer* tcp = static_cast<TCP_Analyzer*>(Parent());
 		SetTCP(tcp);
@ -262,7 +262,7 @@ void PIA_TCP::Undelivered(int seq, int len, bool is_orig)
 	// No check for buffer overrun here. I think that's ok.
 	}
-void PIA_TCP::ActivateAnalyzer(AnalyzerTag::Tag tag, const Rule* rule)
+void PIA_TCP::ActivateAnalyzer(analyzer::Tag tag, const Rule* rule)
 	{
 	if ( stream_buffer.state == MATCHING_ONLY )
 		{
@ -275,7 +275,7 @@ void PIA_TCP::ActivateAnalyzer(AnalyzerTag::Tag tag, const Rule* rule)
 	if ( Parent()->HasChildAnalyzer(tag) )
 		return;
-	Analyzer* a = Parent()->AddChildAnalyzer(tag);
+	analyzer::Analyzer* a = Parent()->AddChildAnalyzer(tag);
 	a->SetSignature(rule);
 	// We have two cases here:
@ -305,13 +305,13 @@ void PIA_TCP::ActivateAnalyzer(AnalyzerTag::Tag tag, const Rule* rule)
 	//   (4) We hand the two reassemblers to the TCP Analyzer (our parent),
 	//       turning reassembly now on for all subsequent data.
-	DBG_LOG(DBG_DPD, "DPM_TCP switching from packet-mode to stream-mode");
+	DBG_LOG(DBG_DPD, "PIA_TCP switching from packet-mode to stream-mode");
 	stream_mode = true;
 	// FIXME: The reassembler will query the endpoint for state. Not sure
 	// if this is works in all cases...
-	if ( Parent()->GetTag() != AnalyzerTag::TCP )
+	if ( ! Parent()->IsAnalyzer("TCP") )
 		{
 		// Our parent is not the TCP analyzer, which can only mean
 		// we have been inserted somewhere further down in the
@ -371,12 +371,12 @@ void PIA_TCP::ActivateAnalyzer(AnalyzerTag::Tag tag, const Rule* rule)
 	tcp->SetReassembler(reass_orig, reass_resp);
 	}
-void PIA_TCP::DeactivateAnalyzer(AnalyzerTag::Tag tag)
+void PIA_TCP::DeactivateAnalyzer(analyzer::Tag tag)
 	{
 	reporter->InternalError("PIA_TCP::Deact not implemented yet");
 	}
-void PIA_TCP::ReplayStreamBuffer(Analyzer* analyzer)
+void PIA_TCP::ReplayStreamBuffer(analyzer::Analyzer* analyzer)
 	{
 	DBG_LOG(DBG_DPD, "PIA_TCP replaying %d total stream bytes", stream_buffer.size);
--- a/src/PIA.h
+++ b/src/PIA.h
@ -3,7 +3,7 @@
 #ifndef PIA_H
 #define PIA_H
-#include "Analyzer.h"
+#include "analyzer/Analyzer.h"
 #include "TCP.h"
 class RuleEndpointState;
@ -17,25 +17,25 @@ class RuleEndpointState;
 // PIAs and then each needs its own matching-state.
 class PIA : public RuleMatcherState {
 public:
-	PIA(Analyzer* as_analyzer);
+	PIA(analyzer::Analyzer* as_analyzer);
 	virtual ~PIA();
 	// Called when PIA wants to put an Analyzer in charge.  rule is the
 	// signature that triggered the activitation, if any.
-	virtual void ActivateAnalyzer(AnalyzerTag::Tag tag,
+	virtual void ActivateAnalyzer(analyzer::Tag tag,
 					const Rule* rule = 0) = 0;
 	// Called when PIA wants to remove an Analyzer.
-	virtual void DeactivateAnalyzer(AnalyzerTag::Tag tag) = 0;
+	virtual void DeactivateAnalyzer(analyzer::Tag tag) = 0;
 	void Match(Rule::PatternType type, const u_char* data, int len,
 			bool is_orig, bool bol, bool eol, bool clear_state);
-	void ReplayPacketBuffer(Analyzer* analyzer);
+	void ReplayPacketBuffer(analyzer::Analyzer* analyzer);
 	// Children are also derived from Analyzer. Return this object
 	// as pointer to an Analyzer.
-	Analyzer* AsAnalyzer()	{ return as_analyzer; }
+	analyzer::Analyzer* AsAnalyzer()	{ return as_analyzer; }
 	static bool Available()	{ return true; }
@ -81,20 +81,20 @@ protected:
 	Buffer pkt_buffer;
 private:
-	Analyzer* as_analyzer;
+	analyzer::Analyzer* as_analyzer;
 	Connection* conn;
 	DataBlock current_packet;
 };
 // PIA for UDP.
-class PIA_UDP : public PIA, public Analyzer {
+class PIA_UDP : public PIA, public analyzer::Analyzer {
 public:
 	PIA_UDP(Connection* conn)
-	: PIA(this), Analyzer(AnalyzerTag::PIA_UDP, conn)
+	: PIA(this), Analyzer("PIA_UDP", conn)
 		{ SetConn(conn); }
 	virtual ~PIA_UDP()	{ }
-	static Analyzer* InstantiateAnalyzer(Connection* conn)
+	static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
 		{ return new PIA_UDP(conn); }
 protected:
@ -111,8 +111,8 @@ protected:
 		PIA_DeliverPacket(len, data, is_orig, seq, ip, caplen);
 		}
-	virtual void ActivateAnalyzer(AnalyzerTag::Tag tag, const Rule* rule);
+	virtual void ActivateAnalyzer(analyzer::Tag tag, const Rule* rule);
-	virtual void DeactivateAnalyzer(AnalyzerTag::Tag tag);
+	virtual void DeactivateAnalyzer(analyzer::Tag tag);
 };
 // PIA for TCP.  Accepts both packet and stream input (and reassembles
@ -120,7 +120,7 @@ protected:
 class PIA_TCP : public PIA, public TCP_ApplicationAnalyzer {
 public:
 	PIA_TCP(Connection* conn)
-	: PIA(this), TCP_ApplicationAnalyzer(AnalyzerTag::PIA_TCP, conn)
+		: PIA(this), TCP_ApplicationAnalyzer("PIA_TCP", conn)
 		{ stream_mode = false; SetConn(conn); }
 	virtual ~PIA_TCP();
@ -137,9 +137,9 @@ public:
 	// to be unnecessary overhead.)
 	void FirstPacket(bool is_orig, const IP_Hdr* ip);
-	void ReplayStreamBuffer(Analyzer* analyzer);
+	void ReplayStreamBuffer(analyzer::Analyzer* analyzer);
-	static Analyzer* InstantiateAnalyzer(Connection* conn)
+	static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
 		{ return new PIA_TCP(conn); }
 protected:
@ -159,9 +159,9 @@ protected:
 	virtual void DeliverStream(int len, const u_char* data, bool is_orig);
 	virtual void Undelivered(int seq, int len, bool is_orig);
-	virtual void ActivateAnalyzer(AnalyzerTag::Tag tag,
+	virtual void ActivateAnalyzer(analyzer::Tag tag,
 					const Rule* rule = 0);
-	virtual void DeactivateAnalyzer(AnalyzerTag::Tag tag);
+	virtual void DeactivateAnalyzer(analyzer::Tag tag);
 private:
 	// FIXME: Not sure yet whether we need both pkt_buffer and stream_buffer.
--- a/src/POP3.cc
+++ b/src/POP3.cc
@ -26,7 +26,7 @@ static const char* pop3_cmd_word[] = {
 POP3_Analyzer::POP3_Analyzer(Connection* conn)
-: TCP_ApplicationAnalyzer(AnalyzerTag::POP3, conn)
+: TCP_ApplicationAnalyzer("POP3", conn)
 	{
 	masterState = POP3_START;
 	subState = POP3_WOK;
--- a/src/POP3.h
+++ b/src/POP3.h
@ -68,7 +68,7 @@ public:
 	virtual void Done();
 	virtual void DeliverStream(int len, const u_char* data, bool orig);
-	static Analyzer* InstantiateAnalyzer(Connection* conn)
+	static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
 		{
 		return new POP3_Analyzer(conn);
 		}
--- a/src/Portmap.cc
+++ b/src/Portmap.cc
@ -300,7 +300,7 @@ void PortmapperInterp::Event(EventHandlerPtr f, Val* request, BifEnum::rpc_statu
 	}
 Portmapper_Analyzer::Portmapper_Analyzer(Connection* conn)
-: RPC_Analyzer(AnalyzerTag::Portmapper, conn, new PortmapperInterp(this))
+: RPC_Analyzer("PORTMAPPER", conn, new PortmapperInterp(this))
 	{
 	orig_rpc = resp_rpc = 0;
 	}
--- a/src/Portmap.h
+++ b/src/Portmap.h
@ -7,7 +7,7 @@
 class PortmapperInterp : public RPC_Interpreter {
 public:
-	PortmapperInterp(Analyzer* arg_analyzer) : RPC_Interpreter(arg_analyzer) { }
+	PortmapperInterp(analyzer::Analyzer* arg_analyzer) : RPC_Interpreter(arg_analyzer) { }
 protected:
 	int RPC_BuildCall(RPC_CallInfo* c, const u_char*& buf, int& n);
@ -29,7 +29,7 @@ public:
 	virtual ~Portmapper_Analyzer();
 	virtual void Init();
-	static Analyzer* InstantiateAnalyzer(Connection* conn)
+	static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
 		{ return new Portmapper_Analyzer(conn); }
 	static bool Available()
--- a/Show more
+++ b/Show more