Merge remote-tracking branch 'origin/master' into topic/icmp6

Conflicts:
	scripts/base/init-bare.bro
	src/Sessions.cc
Daniel Thayer 2012-03-26 17:07:32 -05:00
commit bae6a4178e
52 changed files with 1759 additions and 440 deletions

46
CHANGES

@ -1,4 +1,50 @@
2.0-179 | 2012-03-23 17:43:31 -0700
* Remove the default "tcp or udp or icmp" filter. In default mode,
Bro would load the packet filter script framework which installs a
filter that allows all packets, but in bare mode (the -b option),
this old filter would not follow IPv6 protocol chains and thus
filter out packets with extension headers. (Jon Siwek)
* Update PacketFilter/Discarder code for IP version independence.
(Jon Siwek)
* Fix some IPv6 header related bugs. (Jon Siwek)
* Add IPv6 fragment reassembly. (Jon Siwek)
* Add handling for IPv6 extension header chains. Addresses #531.
(Jon Siwek)
- The script-layer 'pkt_hdr' type is extended with a new 'ip6' field
representing the full IPv6 header chain.
- The 'new_packet' event is now raised for IPv6 packets. Addresses
#523.
- A new event called 'ipv6_ext_header' is raised for any IPv6
packet containing extension headers.
- A new event called 'esp_packet' is raised for any packets using
ESP ('new_packet' and 'ipv6_ext_header' events provide
connection info, but that info can't be provided here since the
upper-layer payload is encrypted).
- The 'unknown_protocol' weird is now raised more reliably when
Bro sees a transport protocol or IPv6 extension header it can't
handle. Addresses #522.
* Add unit tests for IPv6 fragment reassembly, ipv6_ext_headers and
esp_packet events. (Jon Siwek)
* Adapt FreeBSD's inet_ntop implementation for internal use. Now we
get consistent text representations of IPv6 addresses across
platforms. (Jon Siwek)
* Update documentation for new syntax of IPv6 literals. (Jon Siwek)
2.0-150 | 2012-03-13 16:16:22 -0700 2.0-150 | 2012-03-13 16:16:22 -0700
* Changing the regular expression to allow Site::local_nets in * Changing the regular expression to allow Site::local_nets in


@ -1 +1 @@
2.0-150 2.0-179

@ -1 +1 @@
Subproject commit 3034da8f082b61157e234237993ffd7a95be6e62 Subproject commit dd1a3a95f07082efcd5274b21104a038d523d132

@ -1 +1 @@
Subproject commit f53bcb2b492cb0db3dd288384040abc2ab711767 Subproject commit a59b35bdada8f70fb1a59bf7bb2976534c86d378

@ -1 +1 @@
Subproject commit a08ca90727c5c4b90aa8633106ec33a5cf7378d4 Subproject commit a4046c2f79b6ab0ac19ae8be94b79c6ce578bea7

@ -1 +1 @@
Subproject commit 954538514d71983e7ef3f0e109960466096e1c1d Subproject commit 66e9e87beebce983fa0f479b0284d5690b0290d4

@ -1 +1 @@
Subproject commit dd0e5953da08125fa4a772cf9f27e291a8fb868f Subproject commit dc78a3ebf5cd8fbd1b3034990e36fa21a51d1a19

2
cmake

@ -1 +1 @@
Subproject commit 2cc105577044a2d214124568f3f2496ed2ccbb34 Subproject commit 550ab2c8d95b1d3e18e40a903152650e6c7a3c45


@ -162,7 +162,11 @@ The Bro scripting language supports the following built-in types.
``A1.A2.A3.A4``, where Ai all lie between 0 and 255. ``A1.A2.A3.A4``, where Ai all lie between 0 and 255.
IPv6 address constants are written as colon-separated hexadecimal form IPv6 address constants are written as colon-separated hexadecimal form
as described by :rfc:`2373`. as described by :rfc:`2373`, but additionally encased in square brackets.
The mixed notation with embedded IPv4 addresses as dotted-quads in the
lower 32 bits is also allowed.
Some examples: ``[2001:db8::1]``, ``[::ffff:192.168.1.100]``, or
``[aaaa:bbbb:cccc:dddd:eeee:ffff:1111:2222]``.
Hostname constants can also be used, but since a hostname can Hostname constants can also be used, but since a hostname can
correspond to multiple IP addresses, the type of such variable is a correspond to multiple IP addresses, the type of such variable is a
@ -196,7 +200,7 @@ The Bro scripting language supports the following built-in types.
A type representing a block of IP addresses in CIDR notation. A A type representing a block of IP addresses in CIDR notation. A
``subnet`` constant is written as an :bro:type:`addr` followed by a ``subnet`` constant is written as an :bro:type:`addr` followed by a
slash (/) and then the network prefix size specified as a decimal slash (/) and then the network prefix size specified as a decimal
number. For example, ``192.168.0.0/16``. number. For example, ``192.168.0.0/16`` or ``[fe80::]/64``.
.. bro:type:: any .. bro:type:: any


@ -305,10 +305,10 @@ type gap_info: record {
gap_bytes: count; ##< How many bytes were missing in the gaps. gap_bytes: count; ##< How many bytes were missing in the gaps.
}; };
## Deprecated. ## Deprecated.
## ##
## .. todo:: Remove. It's still declared internally but doesn't seem used anywhere ## .. todo:: Remove. It's still declared internally but doesn't seem used anywhere
## else. ## else.
type packet: record { type packet: record {
conn: connection; conn: connection;
is_orig: bool; is_orig: bool;
@ -941,13 +941,163 @@ const IPPROTO_IGMP = 2; ##< Group management protocol.
const IPPROTO_IPIP = 4; ##< IP encapsulation in IP. const IPPROTO_IPIP = 4; ##< IP encapsulation in IP.
const IPPROTO_TCP = 6; ##< TCP. const IPPROTO_TCP = 6; ##< TCP.
const IPPROTO_UDP = 17; ##< User datagram protocol. const IPPROTO_UDP = 17; ##< User datagram protocol.
const IPPROTO_IPV6 = 41; ##< IPv6 header.
const IPPROTO_ICMPV6 = 58; ##< ICMP for IPv6. const IPPROTO_ICMPV6 = 58; ##< ICMP for IPv6.
const IPPROTO_RAW = 255; ##< Raw IP packet. const IPPROTO_RAW = 255; ##< Raw IP packet.
## Values extracted from an IP header. # Definitions for IPv6 extension headers.
const IPPROTO_HOPOPTS = 0; ##< IPv6 hop-by-hop-options header.
const IPPROTO_ROUTING = 43; ##< IPv6 routing header.
const IPPROTO_FRAGMENT = 44; ##< IPv6 fragment header.
const IPPROTO_ESP = 50; ##< IPv6 encapsulating security payload header.
const IPPROTO_AH = 51; ##< IPv6 authentication header.
const IPPROTO_NONE = 59; ##< IPv6 no next header.
const IPPROTO_DSTOPTS = 60; ##< IPv6 destination options header.
## Values extracted from an IPv6 extension header's (e.g. hop-by-hop or
## destination option headers) option field.
## ##
## .. bro:see:: pkt_hdr discarder_check_ip ## .. bro:see:: ip6_hdr ip6_hdr_chain ip6_hopopts ip6_dstopts
type ip_hdr: record { type ip6_option: record {
otype: count; ##< Option type.
len: count; ##< Option data length.
data: string; ##< Option data.
};
## Values extracted from an IPv6 Hop-by-Hop options extension header.
##
## .. bro:see:: pkt_hdr ip4_hdr ip6_hdr ip6_hdr_chain ip6_option
type ip6_hopopts: record {
## Protocol number of the next header (RFC 1700 et seq., IANA assigned
## number), e.g. :bro:id:`IPPROTO_ICMP`.
nxt: count;
## Length of header in 8-octet units, excluding first unit.
len: count;
## The TLV encoded options;
options: vector of ip6_option;
};
## Values extracted from an IPv6 Destination options extension header.
##
## .. bro:see:: pkt_hdr ip4_hdr ip6_hdr ip6_hdr_chain ip6_option
type ip6_dstopts: record {
## Protocol number of the next header (RFC 1700 et seq., IANA assigned
## number), e.g. :bro:id:`IPPROTO_ICMP`.
nxt: count;
## Length of header in 8-octet units, excluding first unit.
len: count;
## The TLV encoded options;
options: vector of ip6_option;
};
## Values extracted from an IPv6 Routing extension header.
##
## .. bro:see:: pkt_hdr ip4_hdr ip6_hdr ip6_hdr_chain
type ip6_routing: record {
## Protocol number of the next header (RFC 1700 et seq., IANA assigned
## number), e.g. :bro:id:`IPPROTO_ICMP`.
nxt: count;
## Length of header in 8-octet units, excluding first unit.
len: count;
## Routing type.
rtype: count;
## Segments left.
segleft: count;
## Type-specific data.
data: string;
};
## Values extracted from an IPv6 Fragment extension header.
##
## .. bro:see:: pkt_hdr ip4_hdr ip6_hdr ip6_hdr_chain
type ip6_fragment: record {
## Protocol number of the next header (RFC 1700 et seq., IANA assigned
## number), e.g. :bro:id:`IPPROTO_ICMP`.
nxt: count;
## 8-bit reserved field.
rsv1: count;
## Fragmentation offset.
offset: count;
## 2-bit reserved field.
rsv2: count;
## More fragments.
more: bool;
## Fragment identification.
id: count;
};
## Values extracted from an IPv6 Authentication extension header.
##
## .. bro:see:: pkt_hdr ip4_hdr ip6_hdr ip6_hdr_chain
type ip6_ah: record {
## Protocol number of the next header (RFC 1700 et seq., IANA assigned
## number), e.g. :bro:id:`IPPROTO_ICMP`.
nxt: count;
## Length of header in 4-octet units, excluding first two units.
len: count;
## Reserved field.
rsv: count;
## Security Parameter Index.
spi: count;
## Sequence number.
seq: count;
## Authentication data.
data: string;
};
## Values extracted from an IPv6 ESP extension header.
##
## .. bro:see:: pkt_hdr ip4_hdr ip6_hdr ip6_hdr_chain
type ip6_esp: record {
## Security Parameters Index.
spi: count;
## Sequence number.
seq: count;
};
## A general container for a more specific IPv6 extension header.
##
## .. bro:see:: pkt_hdr ip4_hdr ip6_hopopts ip6_dstopts ip6_routing ip6_fragment
## ip6_ah ip6_esp
type ip6_ext_hdr: record {
## The RFC 1700 et seq. IANA assigned number identifying the type of
## the extension header.
id: count;
## Hop-by-hop option extension header.
hopopts: ip6_hopopts &optional;
## Destination option extension header.
dstopts: ip6_dstopts &optional;
## Routing extension header.
routing: ip6_routing &optional;
## Fragment header.
fragment: ip6_fragment &optional;
## Authentication extension header.
ah: ip6_ah &optional;
## Encapsulating security payload header.
esp: ip6_esp &optional;
};
## Values extracted from an IPv6 header.
##
## .. bro:see:: pkt_hdr ip4_hdr ip6_hdr_chain ip6_hopopts ip6_dstopts
## ip6_routing ip6_fragment ip6_ah ip6_esp
type ip6_hdr: record {
class: count; ##< Traffic class.
flow: count; ##< Flow label.
len: count; ##< Payload length.
nxt: count; ##< Protocol number of the next header
##< (RFC 1700 et seq., IANA assigned number)
##< e.g. :bro:id:`IPPROTO_ICMP`.
hlim: count; ##< Hop limit.
src: addr; ##< Source address.
dst: addr; ##< Destination address.
exts: vector of ip6_ext_hdr; ##< Extension header chain.
};
## Values extracted from an IPv4 header.
##
## .. bro:see:: pkt_hdr ip6_hdr discarder_check_ip
type ip4_hdr: record {
hl: count; ##< Header length in bytes. hl: count; ##< Header length in bytes.
tos: count; ##< Type of service. tos: count; ##< Type of service.
len: count; ##< Total length. len: count; ##< Total length.
@ -1003,10 +1153,11 @@ type icmp_hdr: record {
## ##
## .. bro:see:: new_packet ## .. bro:see:: new_packet
type pkt_hdr: record { type pkt_hdr: record {
ip: ip_hdr; ##< The IP header. ip: ip4_hdr &optional; ##< The IPv4 header if an IPv4 packet.
tcp: tcp_hdr &optional; ##< The TCP header if a TCP packet. ip6: ip6_hdr &optional; ##< The IPv6 header if an IPv6 packet.
udp: udp_hdr &optional; ##< The UDP header if a UDP packet. tcp: tcp_hdr &optional; ##< The TCP header if a TCP packet.
icmp: icmp_hdr &optional; ##< The ICMP header if an ICMP packet. udp: udp_hdr &optional; ##< The UDP header if a UDP packet.
icmp: icmp_hdr &optional; ##< The ICMP header if an ICMP packet.
}; };
## Definition of "secondary filters". A secondary filter is a BPF filter given as ## Definition of "secondary filters". A secondary filter is a BPF filter given as
@ -1026,7 +1177,7 @@ global discarder_maxlen = 128 &redef;
## analysis. If the function signals to discard a packet, no further processing ## analysis. If the function signals to discard a packet, no further processing
## will be performed on it. ## will be performed on it.
## ##
## i: The IP header of the considered packet. ## p: The IP header of the considered packet.
## ##
## Returns: True if the packet should not be analyzed any further. ## Returns: True if the packet should not be analyzed any further.
## ##
@ -1035,15 +1186,15 @@ global discarder_maxlen = 128 &redef;
## ##
## .. note:: This is very low-level functionality and potentially expensive. ## .. note:: This is very low-level functionality and potentially expensive.
## Avoid using it. ## Avoid using it.
global discarder_check_ip: function(i: ip_hdr): bool; global discarder_check_ip: function(p: pkt_hdr): bool;
## Function for skipping packets based on their TCP header. If defined, this ## Function for skipping packets based on their TCP header. If defined, this
## function will be called for all TCP packets before Bro performs any further ## function will be called for all TCP packets before Bro performs any further
## analysis. If the function signals to discard a packet, no further processing ## analysis. If the function signals to discard a packet, no further processing
## will be performed on it. ## will be performed on it.
## ##
## i: The IP header of the considered packet. ## p: The IP and TCP headers of the considered packet.
## t: The TCP header. ##
## d: Up to :bro:see:`discarder_maxlen` bytes of the TCP payload. ## d: Up to :bro:see:`discarder_maxlen` bytes of the TCP payload.
## ##
## Returns: True if the packet should not be analyzed any further. ## Returns: True if the packet should not be analyzed any further.
@ -1053,15 +1204,15 @@ global discarder_check_ip: function(i: ip_hdr): bool;
## ##
## .. note:: This is very low-level functionality and potentially expensive. ## .. note:: This is very low-level functionality and potentially expensive.
## Avoid using it. ## Avoid using it.
global discarder_check_tcp: function(i: ip_hdr, t: tcp_hdr, d: string): bool; global discarder_check_tcp: function(p: pkt_hdr, d: string): bool;
## Function for skipping packets based on their UDP header. If defined, this ## Function for skipping packets based on their UDP header. If defined, this
## function will be called for all UDP packets before Bro performs any further ## function will be called for all UDP packets before Bro performs any further
## analysis. If the function signals to discard a packet, no further processing ## analysis. If the function signals to discard a packet, no further processing
## will be performed on it. ## will be performed on it.
## ##
## i: The IP header of the considered packet. ## p: The IP and UDP headers of the considered packet.
## t: The UDP header. ##
## d: Up to :bro:see:`discarder_maxlen` bytes of the UDP payload. ## d: Up to :bro:see:`discarder_maxlen` bytes of the UDP payload.
## ##
## Returns: True if the packet should not be analyzed any further. ## Returns: True if the packet should not be analyzed any further.
@ -1071,15 +1222,14 @@ global discarder_check_tcp: function(i: ip_hdr, t: tcp_hdr, d: string): bool;
## ##
## .. note:: This is very low-level functionality and potentially expensive. ## .. note:: This is very low-level functionality and potentially expensive.
## Avoid using it. ## Avoid using it.
global discarder_check_udp: function(i: ip_hdr, u: udp_hdr, d: string): bool; global discarder_check_udp: function(p: pkt_hdr, d: string): bool;
## Function for skipping packets based on their ICMP header. If defined, this ## Function for skipping packets based on their ICMP header. If defined, this
## function will be called for all ICMP packets before Bro performs any further ## function will be called for all ICMP packets before Bro performs any further
## analysis. If the function signals to discard a packet, no further processing ## analysis. If the function signals to discard a packet, no further processing
## will be performed on it. ## will be performed on it.
## ##
## i: The IP header of the considered packet. ## p: The IP and ICMP headers of the considered packet.
## ih: The ICMP header.
## ##
## Returns: True if the packet should not be analyzed any further. ## Returns: True if the packet should not be analyzed any further.
## ##
@ -1088,7 +1238,7 @@ global discarder_check_udp: function(i: ip_hdr, u: udp_hdr, d: string): bool;
## ##
## .. note:: This is very low-level functionality and potentially expensive. ## .. note:: This is very low-level functionality and potentially expensive.
## Avoid using it. ## Avoid using it.
global discarder_check_icmp: function(i: ip_hdr, ih: icmp_hdr): bool; global discarder_check_icmp: function(p: pkt_hdr): bool;
## Bro's watchdog interval. ## Bro's watchdog interval.
const watchdog_interval = 10 sec &redef; const watchdog_interval = 10 sec &redef;
@ -1319,7 +1469,7 @@ export {
## NFS file attributes. Field names are based on RFC 1813. ## NFS file attributes. Field names are based on RFC 1813.
## ##
## .. bro:see:: nfs_proc_getattr ## .. bro:see:: nfs_proc_getattr
type fattr_t: record { type fattr_t: record {
ftype: file_type_t; ##< File type. ftype: file_type_t; ##< File type.
mode: count; ##< Mode mode: count; ##< Mode
@ -1338,8 +1488,8 @@ export {
}; };
## NFS *readdir* arguments. ## NFS *readdir* arguments.
## ##
## .. bro:see:: nfs_proc_readdir ## .. bro:see:: nfs_proc_readdir
type diropargs_t : record { type diropargs_t : record {
dirfh: string; ##< The file handle of the directory. dirfh: string; ##< The file handle of the directory.
fname: string; ##< The name of the file we are interested in. fname: string; ##< The name of the file we are interested in.
@ -1348,7 +1498,7 @@ export {
## NFS lookup reply. If the lookup failed, *dir_attr* may be set. If the lookup ## NFS lookup reply. If the lookup failed, *dir_attr* may be set. If the lookup
## succeeded, *fh* is always set and *obj_attr* and *dir_attr* may be set. ## succeeded, *fh* is always set and *obj_attr* and *dir_attr* may be set.
## ##
## .. bro:see:: nfs_proc_lookup ## .. bro:see:: nfs_proc_lookup
type lookup_reply_t: record { type lookup_reply_t: record {
fh: string &optional; ##< File handle of object looked up. fh: string &optional; ##< File handle of object looked up.
obj_attr: fattr_t &optional; ##< Optional attributes associated w/ file obj_attr: fattr_t &optional; ##< Optional attributes associated w/ file
@ -1365,7 +1515,7 @@ export {
}; };
## NFS *read* reply. If the lookup fails, *attr* may be set. If the lookup succeeds, ## NFS *read* reply. If the lookup fails, *attr* may be set. If the lookup succeeds,
## *attr* may be set and all other fields are set. ## *attr* may be set and all other fields are set.
type read_reply_t: record { type read_reply_t: record {
attr: fattr_t &optional; ##< Attributes. attr: fattr_t &optional; ##< Attributes.
size: count &optional; ##< Number of bytes read. size: count &optional; ##< Number of bytes read.
@ -1374,7 +1524,7 @@ export {
}; };
## NFS *readline* reply. If the request fails, *attr* may be set. If the request ## NFS *readline* reply. If the request fails, *attr* may be set. If the request
## succeeds, *attr* may be set and all other fields are set. ## succeeds, *attr* may be set and all other fields are set.
## ##
## .. bro:see:: nfs_proc_readlink ## .. bro:see:: nfs_proc_readlink
type readlink_reply_t: record { type readlink_reply_t: record {
@ -1384,7 +1534,7 @@ export {
## NFS *write* arguments. ## NFS *write* arguments.
## ##
## .. bro:see:: nfs_proc_write ## .. bro:see:: nfs_proc_write
type writeargs_t: record { type writeargs_t: record {
fh: string; ##< File handle to write to. fh: string; ##< File handle to write to.
offset: count; ##< Offset in file. offset: count; ##< Offset in file.
@ -1394,18 +1544,18 @@ export {
}; };
## NFS *wcc* attributes. ## NFS *wcc* attributes.
## ##
## .. bro:see:: NFS3::write_reply_t ## .. bro:see:: NFS3::write_reply_t
type wcc_attr_t: record { type wcc_attr_t: record {
size: count; ##< The dize. size: count; ##< The dize.
atime: time; ##< Access time. atime: time; ##< Access time.
mtime: time; ##< Modification time. mtime: time; ##< Modification time.
}; };
## NFS *write* reply. If the request fails, *pre|post* attr may be set. If the ## NFS *write* reply. If the request fails, *pre|post* attr may be set. If the
## request succeeds, *pre|post* attr may be set and all other fields are set. ## request succeeds, *pre|post* attr may be set and all other fields are set.
## ##
## .. bro:see:: nfs_proc_write ## .. bro:see:: nfs_proc_write
type write_reply_t: record { type write_reply_t: record {
preattr: wcc_attr_t &optional; ##< Pre operation attributes. preattr: wcc_attr_t &optional; ##< Pre operation attributes.
postattr: fattr_t &optional; ##< Post operation attributes. postattr: fattr_t &optional; ##< Post operation attributes.
@ -1416,9 +1566,9 @@ export {
## NFS reply for *create*, *mkdir*, and *symlink*. If the proc ## NFS reply for *create*, *mkdir*, and *symlink*. If the proc
## failed, *dir_\*_attr* may be set. If the proc succeeded, *fh* and the *attr*'s ## failed, *dir_\*_attr* may be set. If the proc succeeded, *fh* and the *attr*'s
## may be set. Note: no guarantee that *fh* is set after success. ## may be set. Note: no guarantee that *fh* is set after success.
## ##
## .. bro:see:: nfs_proc_create nfs_proc_mkdir ## .. bro:see:: nfs_proc_create nfs_proc_mkdir
type newobj_reply_t: record { type newobj_reply_t: record {
fh: string &optional; ##< File handle of object created. fh: string &optional; ##< File handle of object created.
obj_attr: fattr_t &optional; ##< Optional attributes associated w/ new object. obj_attr: fattr_t &optional; ##< Optional attributes associated w/ new object.
@ -1426,17 +1576,17 @@ export {
dir_post_attr: fattr_t &optional; ##< Optional attributes associated w/ dir. dir_post_attr: fattr_t &optional; ##< Optional attributes associated w/ dir.
}; };
## NFS reply for *remove*, *rmdir*. Corresponds to *wcc_data* in the spec. ## NFS reply for *remove*, *rmdir*. Corresponds to *wcc_data* in the spec.
## ##
## .. bro:see:: nfs_proc_remove nfs_proc_rmdir ## .. bro:see:: nfs_proc_remove nfs_proc_rmdir
type delobj_reply_t: record { type delobj_reply_t: record {
dir_pre_attr: wcc_attr_t &optional; ##< Optional attributes associated w/ dir. dir_pre_attr: wcc_attr_t &optional; ##< Optional attributes associated w/ dir.
dir_post_attr: fattr_t &optional; ##< Optional attributes associated w/ dir. dir_post_attr: fattr_t &optional; ##< Optional attributes associated w/ dir.
}; };
## NFS *readdir* arguments. Used for both *readdir* and *readdirplus*. ## NFS *readdir* arguments. Used for both *readdir* and *readdirplus*.
## ##
## .. bro:see:: nfs_proc_readdir ## .. bro:see:: nfs_proc_readdir
type readdirargs_t: record { type readdirargs_t: record {
isplus: bool; ##< Is this a readdirplus request? isplus: bool; ##< Is this a readdirplus request?
dirfh: string; ##< The directory filehandle. dirfh: string; ##< The directory filehandle.
@ -1449,7 +1599,7 @@ export {
## NFS *direntry*. *fh* and *attr* are used for *readdirplus*. However, even ## NFS *direntry*. *fh* and *attr* are used for *readdirplus*. However, even
## for *readdirplus* they may not be filled out. ## for *readdirplus* they may not be filled out.
## ##
## .. bro:see:: NFS3::direntry_vec_t NFS3::readdir_reply_t ## .. bro:see:: NFS3::direntry_vec_t NFS3::readdir_reply_t
type direntry_t: record { type direntry_t: record {
fileid: count; ##< E.g., inode number. fileid: count; ##< E.g., inode number.
fname: string; ##< Filename. fname: string; ##< Filename.
@ -1460,7 +1610,7 @@ export {
## Vector of NFS *direntry*. ## Vector of NFS *direntry*.
## ##
## .. bro:see:: NFS3::readdir_reply_t ## .. bro:see:: NFS3::readdir_reply_t
type direntry_vec_t: vector of direntry_t; type direntry_vec_t: vector of direntry_t;
## NFS *readdir* reply. Used for *readdir* and *readdirplus*. If an is ## NFS *readdir* reply. Used for *readdir* and *readdirplus*. If an is
@ -1491,7 +1641,7 @@ module GLOBAL;
## An NTP message. ## An NTP message.
## ##
## .. bro:see:: ntp_message ## .. bro:see:: ntp_message
type ntp_msg: record { type ntp_msg: record {
id: count; ##< Message ID. id: count; ##< Message ID.
code: count; ##< Message code. code: count; ##< Message code.
@ -1513,7 +1663,7 @@ global samba_cmds: table[count] of string &redef
{ return fmt("samba-unknown-%d", c); }; { return fmt("samba-unknown-%d", c); };
## An SMB command header. ## An SMB command header.
## ##
## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx ## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx ## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
## smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot ## smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot
@ -1532,9 +1682,9 @@ type smb_hdr : record {
}; };
## An SMB transaction. ## An SMB transaction.
## ##
## .. bro:see:: smb_com_trans_mailslot smb_com_trans_pipe smb_com_trans_rap ## .. bro:see:: smb_com_trans_mailslot smb_com_trans_pipe smb_com_trans_rap
## smb_com_transaction smb_com_transaction2 ## smb_com_transaction smb_com_transaction2
type smb_trans : record { type smb_trans : record {
word_count: count; ##< TODO. word_count: count; ##< TODO.
total_param_count: count; ##< TODO. total_param_count: count; ##< TODO.
@ -1548,7 +1698,7 @@ type smb_trans : record {
param_offset: count; ##< TODO. param_offset: count; ##< TODO.
data_count: count; ##< TODO. data_count: count; ##< TODO.
data_offset: count; ##< TODO. data_offset: count; ##< TODO.
setup_count: count; ##< TODO. setup_count: count; ##< TODO.
setup0: count; ##< TODO. setup0: count; ##< TODO.
setup1: count; ##< TODO. setup1: count; ##< TODO.
setup2: count; ##< TODO. setup2: count; ##< TODO.
@ -1559,19 +1709,19 @@ type smb_trans : record {
## SMB transaction data. ## SMB transaction data.
## ##
## .. bro:see:: smb_com_trans_mailslot smb_com_trans_pipe smb_com_trans_rap ## .. bro:see:: smb_com_trans_mailslot smb_com_trans_pipe smb_com_trans_rap
## smb_com_transaction smb_com_transaction2 ## smb_com_transaction smb_com_transaction2
## ##
## .. todo:: Should this really be a record type? ## .. todo:: Should this really be a record type?
type smb_trans_data : record { type smb_trans_data : record {
data : string; ##< The transaction's data. data : string; ##< The transaction's data.
}; };
## Deprecated. ## Deprecated.
## ##
## .. todo:: Remove. It's still declared internally but doesn't seem used anywhere ## .. todo:: Remove. It's still declared internally but doesn't seem used anywhere
## else. ## else.
type smb_tree_connect : record { type smb_tree_connect : record {
flags: count; flags: count;
password: string; password: string;
@ -1579,21 +1729,21 @@ type smb_tree_connect : record {
service: string; service: string;
}; };
## Deprecated. ## Deprecated.
## ##
## .. todo:: Remove. It's still declared internally but doesn't seem used anywhere ## .. todo:: Remove. It's still declared internally but doesn't seem used anywhere
## else. ## else.
type smb_negotiate : table[count] of string; type smb_negotiate : table[count] of string;
## A list of router addresses offered by a DHCP server. ## A list of router addresses offered by a DHCP server.
## ##
## .. bro:see:: dhcp_ack dhcp_offer ## .. bro:see:: dhcp_ack dhcp_offer
type dhcp_router_list: table[count] of addr; type dhcp_router_list: table[count] of addr;
## A DHCP message. ## A DHCP message.
## ##
## .. bro:see:: dhcp_ack dhcp_decline dhcp_discover dhcp_inform dhcp_nak ## .. bro:see:: dhcp_ack dhcp_decline dhcp_discover dhcp_inform dhcp_nak
## dhcp_offer dhcp_release dhcp_request ## dhcp_offer dhcp_release dhcp_request
type dhcp_msg: record { type dhcp_msg: record {
op: count; ##< Message OP code. 1 = BOOTREQUEST, 2 = BOOTREPLY op: count; ##< Message OP code. 1 = BOOTREQUEST, 2 = BOOTREPLY
m_type: count; ##< The type of DHCP message. m_type: count; ##< The type of DHCP message.
@ -1630,7 +1780,7 @@ type dns_msg: record {
## A DNS SOA record. ## A DNS SOA record.
## ##
## .. bro:see:: dns_SOA_reply ## .. bro:see:: dns_SOA_reply
type dns_soa: record { type dns_soa: record {
mname: string; ##< Primary source of data for zone. mname: string; ##< Primary source of data for zone.
rname: string; ##< Mailbox for responsible person. rname: string; ##< Mailbox for responsible person.
@ -1643,7 +1793,7 @@ type dns_soa: record {
## An additional DNS EDNS record. ## An additional DNS EDNS record.
## ##
## .. bro:see:: dns_EDNS_addl ## .. bro:see:: dns_EDNS_addl
type dns_edns_additional: record { type dns_edns_additional: record {
query: string; ##< Query. query: string; ##< Query.
qtype: count; ##< Query type. qtype: count; ##< Query type.
@ -1658,7 +1808,7 @@ type dns_edns_additional: record {
## An additional DNS TSIG record. ## An additional DNS TSIG record.
## ##
## bro:see:: dns_TSIG_addl ## bro:see:: dns_TSIG_addl
type dns_tsig_additional: record { type dns_tsig_additional: record {
query: string; ##< Query. query: string; ##< Query.
qtype: count; ##< Query type. qtype: count; ##< Query type.
@ -1672,9 +1822,9 @@ type dns_tsig_additional: record {
}; };
# DNS answer types. # DNS answer types.
# #
# .. .. bro:see:: dns_answerr # .. .. bro:see:: dns_answerr
# #
# todo::use enum to make them autodoc'able # todo::use enum to make them autodoc'able
const DNS_QUERY = 0; ##< A query. This shouldn't occur, just for completeness. const DNS_QUERY = 0; ##< A query. This shouldn't occur, just for completeness.
const DNS_ANS = 1; ##< An answer record. const DNS_ANS = 1; ##< An answer record.
@ -1688,7 +1838,7 @@ const DNS_ADDL = 3; ##< An additional record.
## dns_TXT_reply dns_WKS_reply ## dns_TXT_reply dns_WKS_reply
type dns_answer: record { type dns_answer: record {
## Answer type. One of :bro:see:`DNS_QUERY`, :bro:see:`DNS_ANS`, ## Answer type. One of :bro:see:`DNS_QUERY`, :bro:see:`DNS_ANS`,
## :bro:see:`DNS_AUTH` and :bro:see:`DNS_ADDL`. ## :bro:see:`DNS_AUTH` and :bro:see:`DNS_ADDL`.
answer_type: count; answer_type: count;
query: string; ##< Query. query: string; ##< Query.
qtype: count; ##< Query type. qtype: count; ##< Query type.
@ -1708,27 +1858,27 @@ global dns_skip_auth: set[addr] &redef;
## .. bro:see:: dns_skip_all_addl dns_skip_auth ## .. bro:see:: dns_skip_all_addl dns_skip_auth
global dns_skip_addl: set[addr] &redef; global dns_skip_addl: set[addr] &redef;
## If true, all DNS AUTH records are skipped. ## If true, all DNS AUTH records are skipped.
## ##
## .. bro:see:: dns_skip_all_addl dns_skip_auth ## .. bro:see:: dns_skip_all_addl dns_skip_auth
global dns_skip_all_auth = T &redef; global dns_skip_all_auth = T &redef;
## If true, all DNS ADDL records are skipped. ## If true, all DNS ADDL records are skipped.
## ##
## .. bro:see:: dns_skip_all_auth dns_skip_addl ## .. bro:see:: dns_skip_all_auth dns_skip_addl
global dns_skip_all_addl = T &redef; global dns_skip_all_addl = T &redef;
## If a DNS request includes more than this many queries, assume it's non-DNS ## If a DNS request includes more than this many queries, assume it's non-DNS
## traffic and do not process it. Set to 0 to turn off this functionality. ## traffic and do not process it. Set to 0 to turn off this functionality.
global dns_max_queries = 5; global dns_max_queries = 5;
## An X509 certificate. ## An X509 certificate.
## ##
## .. bro:see:: x509_certificate ## .. bro:see:: x509_certificate
type X509: record { type X509: record {
version: count; ##< Version number. version: count; ##< Version number.
serial: string; ##< Serial number. serial: string; ##< Serial number.
subject: string; ##< Subject. subject: string; ##< Subject.
issuer: string; ##< Issuer. issuer: string; ##< Issuer.
not_valid_before: time; ##< Timestamp before when certificate is not valid. not_valid_before: time; ##< Timestamp before when certificate is not valid.
not_valid_after: time; ##< Timestamp after when certificate is not valid. not_valid_after: time; ##< Timestamp after when certificate is not valid.
@ -1736,7 +1886,7 @@ type X509: record {
## HTTP session statistics. ## HTTP session statistics.
## ##
## .. bro:see:: http_stats ## .. bro:see:: http_stats
type http_stats_rec: record { type http_stats_rec: record {
num_requests: count; ##< Number of requests. num_requests: count; ##< Number of requests.
num_replies: count; ##< Number of replies. num_replies: count; ##< Number of replies.
@ -1746,7 +1896,7 @@ type http_stats_rec: record {
## HTTP message statistics. ## HTTP message statistics.
## ##
## .. bro:see:: http_message_done ## .. bro:see:: http_message_done
type http_message_stat: record { type http_message_stat: record {
## When the request/reply line was complete. ## When the request/reply line was complete.
start: time; start: time;
@ -1763,26 +1913,26 @@ type http_message_stat: record {
}; };
## Maximum number of HTTP entity data delivered to events. The amount of data ## Maximum number of HTTP entity data delivered to events. The amount of data
## can be limited for better performance, zero disables truncation. ## can be limited for better performance, zero disables truncation.
## ##
## .. bro:see:: http_entity_data skip_http_entity_data skip_http_data ## .. bro:see:: http_entity_data skip_http_entity_data skip_http_data
global http_entity_data_delivery_size = 1500 &redef; global http_entity_data_delivery_size = 1500 &redef;
## Skip HTTP data for performance considerations. The skipped ## Skip HTTP data for performance considerations. The skipped
## portion will not go through TCP reassembly. ## portion will not go through TCP reassembly.
## ##
## .. bro:see:: http_entity_data skip_http_entity_data http_entity_data_delivery_size ## .. bro:see:: http_entity_data skip_http_entity_data http_entity_data_delivery_size
const skip_http_data = F &redef; const skip_http_data = F &redef;
## Maximum length of HTTP URIs passed to events. Longer ones will be truncated ## Maximum length of HTTP URIs passed to events. Longer ones will be truncated
## to prevent over-long URIs (usually sent by worms) from slowing down event ## to prevent over-long URIs (usually sent by worms) from slowing down event
## processing. A value of -1 means "do not truncate". ## processing. A value of -1 means "do not truncate".
## ##
## .. bro:see:: http_request ## .. bro:see:: http_request
const truncate_http_URI = -1 &redef; const truncate_http_URI = -1 &redef;
## IRC join information. ## IRC join information.
## ##
## .. bro:see:: irc_join_list ## .. bro:see:: irc_join_list
type irc_join_info: record { type irc_join_info: record {
nick: string; nick: string;
@ -1793,13 +1943,13 @@ type irc_join_info: record {
## Set of IRC join information. ## Set of IRC join information.
## ##
## .. bro:see:: irc_join_message ## .. bro:see:: irc_join_message
type irc_join_list: set[irc_join_info]; type irc_join_list: set[irc_join_info];
## Deprecated. ## Deprecated.
## ##
## .. todo:: Remove. It's still declared internally but doesn't seem used anywhere ## .. todo:: Remove. It's still declared internally but doesn't seem used anywhere
## else. ## else.
global irc_servers : set[addr] &redef; global irc_servers : set[addr] &redef;
## Internal to the stepping stone detector. ## Internal to the stepping stone detector.
@ -1863,7 +2013,7 @@ type backdoor_endp_stats: record {
## Description of a signature match. ## Description of a signature match.
## ##
## .. bro:see:: signature_match ## .. bro:see:: signature_match
type signature_state: record { type signature_state: record {
sig_id: string; ##< ID of the matching signature. sig_id: string; ##< ID of the matching signature.
conn: connection; ##< Matching connection. conn: connection; ##< Matching connection.
@ -1871,10 +2021,10 @@ type signature_state: record {
payload_size: count; ##< Payload size of the first matching packet of current endpoint. payload_size: count; ##< Payload size of the first matching packet of current endpoint.
}; };
# Deprecated. # Deprecated.
# #
# .. todo:: This type is no longer used. Remove any reference of this from the # .. todo:: This type is no longer used. Remove any reference of this from the
# core. # core.
type software_version: record { type software_version: record {
major: int; major: int;
minor: int; minor: int;
@ -1882,10 +2032,10 @@ type software_version: record {
addl: string; addl: string;
}; };
# Deprecated. # Deprecated.
# #
# .. todo:: This type is no longer used. Remove any reference of this from the # .. todo:: This type is no longer used. Remove any reference of this from the
# core. # core.
type software: record { type software: record {
name: string; name: string;
version: software_version; version: software_version;
@ -1902,7 +2052,7 @@ type OS_version_inference: enum {
## Passive fingerprinting match. ## Passive fingerprinting match.
## ##
## .. bro:see:: OS_version_found ## .. bro:see:: OS_version_found
type OS_version: record { type OS_version: record {
genre: string; ##< Linux, Windows, AIX, ... genre: string; ##< Linux, Windows, AIX, ...
detail: string; ##< Lernel version or such. detail: string; ##< Lernel version or such.
@ -1912,20 +2062,20 @@ type OS_version: record {
## Defines for which subnets we should do passive fingerprinting. ## Defines for which subnets we should do passive fingerprinting.
## ##
## .. bro:see:: OS_version_found ## .. bro:see:: OS_version_found
global generate_OS_version_event: set[subnet] &redef; global generate_OS_version_event: set[subnet] &redef;
# Type used to report load samples via :bro:see:`load_sample`. For now, it's a # Type used to report load samples via :bro:see:`load_sample`. For now, it's a
# set of names (event names, source file names, and perhaps ``<source file, line # set of names (event names, source file names, and perhaps ``<source file, line
# number>``, which were seen during the sample. # number>``, which were seen during the sample.
type load_sample_info: set[string]; type load_sample_info: set[string];
## ID for NetFlow header. This is primarily a means to sort together NetFlow ## ID for NetFlow header. This is primarily a means to sort together NetFlow
## headers and flow records at the script level. ## headers and flow records at the script level.
type nfheader_id: record { type nfheader_id: record {
## Name of the NetFlow file (e.g., ``netflow.dat``) or the receiving socket address ## Name of the NetFlow file (e.g., ``netflow.dat``) or the receiving socket address
## (e.g., ``127.0.0.1:5555``), or an explicit name if specified to ## (e.g., ``127.0.0.1:5555``), or an explicit name if specified to
## ``-y`` or ``-Y``. ## ``-y`` or ``-Y``.
rcvr_id: string; rcvr_id: string;
## A serial number, ignoring any overflows. ## A serial number, ignoring any overflows.
pdu_id: count; pdu_id: count;
@ -1933,7 +2083,7 @@ type nfheader_id: record {
## A NetFlow v5 header. ## A NetFlow v5 header.
## ##
## .. bro:see:: netflow_v5_header ## .. bro:see:: netflow_v5_header
type nf_v5_header: record { type nf_v5_header: record {
h_id: nfheader_id; ##< ID for sorting. h_id: nfheader_id; ##< ID for sorting.
cnt: count; ##< TODO. cnt: count; ##< TODO.
@ -1949,7 +2099,7 @@ type nf_v5_header: record {
## A NetFlow v5 record. ## A NetFlow v5 record.
## ##
## .. bro:see:: netflow_v5_record ## .. bro:see:: netflow_v5_record
type nf_v5_record: record { type nf_v5_record: record {
h_id: nfheader_id; ##< ID for sorting. h_id: nfheader_id; ##< ID for sorting.
id: conn_id; ##< Connection ID. id: conn_id; ##< Connection ID.
nexthop: addr; ##< Address of next hop. nexthop: addr; ##< Address of next hop.
@ -1983,7 +2133,7 @@ type bittorrent_peer: record {
}; };
## A set of BitTorrent peers. ## A set of BitTorrent peers.
## ##
## .. bro:see:: bt_tracker_response ## .. bro:see:: bt_tracker_response
type bittorrent_peer_set: set[bittorrent_peer]; type bittorrent_peer_set: set[bittorrent_peer];
@ -2006,12 +2156,12 @@ type bittorrent_benc_dir: table[string] of bittorrent_benc_value;
## Header table type used by BitTorrent analyzer. ## Header table type used by BitTorrent analyzer.
## ##
## .. bro:see:: bt_tracker_request bt_tracker_response ## .. bro:see:: bt_tracker_request bt_tracker_response
## bt_tracker_response_not_ok ## bt_tracker_response_not_ok
type bt_tracker_headers: table[string] of string; type bt_tracker_headers: table[string] of string;
@load base/event.bif @load base/event.bif
## BPF filter the user has set via the -f command line options. Empty if none. ## BPF filter the user has set via the -f command line options. Empty if none.
const cmd_line_bpf_filter = "" &redef; const cmd_line_bpf_filter = "" &redef;
## Deprecated. ## Deprecated.
@ -2029,24 +2179,24 @@ const log_encryption_key = "<undefined>" &redef;
## Write profiling info into this file in regular intervals. The easiest way to ## Write profiling info into this file in regular intervals. The easiest way to
## activate profiling is loading :doc:`/scripts/policy/misc/profiling`. ## activate profiling is loading :doc:`/scripts/policy/misc/profiling`.
## ##
## .. bro:see:: profiling_interval expensive_profiling_multiple segment_profiling ## .. bro:see:: profiling_interval expensive_profiling_multiple segment_profiling
global profiling_file: file &redef; global profiling_file: file &redef;
## Update interval for profiling (0 disables). The easiest way to activate ## Update interval for profiling (0 disables). The easiest way to activate
## profiling is loading :doc:`/scripts/policy/misc/profiling`. ## profiling is loading :doc:`/scripts/policy/misc/profiling`.
## ##
## .. bro:see:: profiling_file expensive_profiling_multiple segment_profiling ## .. bro:see:: profiling_file expensive_profiling_multiple segment_profiling
const profiling_interval = 0 secs &redef; const profiling_interval = 0 secs &redef;
## Multiples of profiling_interval at which (more expensive) memory profiling is ## Multiples of profiling_interval at which (more expensive) memory profiling is
## done (0 disables). ## done (0 disables).
## ##
## .. bro:see:: profiling_interval profiling_file segment_profiling ## .. bro:see:: profiling_interval profiling_file segment_profiling
const expensive_profiling_multiple = 0 &redef; const expensive_profiling_multiple = 0 &redef;
## If true, then write segment profiling information (very high volume!) ## If true, then write segment profiling information (very high volume!)
## in addition to profiling statistics. ## in addition to profiling statistics.
## ##
## .. bro:see:: profiling_interval expensive_profiling_multiple profiling_file ## .. bro:see:: profiling_interval expensive_profiling_multiple profiling_file
const segment_profiling = F &redef; const segment_profiling = F &redef;
@ -2085,42 +2235,42 @@ global load_sample_freq = 20 &redef;
## Rate at which to generate :bro:see:`gap_report` events assessing to what degree ## Rate at which to generate :bro:see:`gap_report` events assessing to what degree
## the measurement process appears to exhibit loss. ## the measurement process appears to exhibit loss.
## ##
## .. bro:see:: gap_report ## .. bro:see:: gap_report
const gap_report_freq = 1.0 sec &redef; const gap_report_freq = 1.0 sec &redef;
## Whether we want :bro:see:`content_gap` and :bro:see:`gap_report` for partial ## Whether we want :bro:see:`content_gap` and :bro:see:`gap_report` for partial
## connections. A connection is partial if it is missing a full handshake. Note ## connections. A connection is partial if it is missing a full handshake. Note
## that gap reports for partial connections might not be reliable. ## that gap reports for partial connections might not be reliable.
## ##
## .. bro:see:: content_gap gap_report partial_connection ## .. bro:see:: content_gap gap_report partial_connection
const report_gaps_for_partial = F &redef; const report_gaps_for_partial = F &redef;
## The CA certificate file to authorize remote Bros/Broccolis. ## The CA certificate file to authorize remote Bros/Broccolis.
## ##
## .. bro:see:: ssl_private_key ssl_passphrase ## .. bro:see:: ssl_private_key ssl_passphrase
const ssl_ca_certificate = "<undefined>" &redef; const ssl_ca_certificate = "<undefined>" &redef;
## File containing our private key and our certificate. ## File containing our private key and our certificate.
## ##
## .. bro:see:: ssl_ca_certificate ssl_passphrase ## .. bro:see:: ssl_ca_certificate ssl_passphrase
const ssl_private_key = "<undefined>" &redef; const ssl_private_key = "<undefined>" &redef;
## The passphrase for our private key. Keeping this undefined ## The passphrase for our private key. Keeping this undefined
## causes Bro to prompt for the passphrase. ## causes Bro to prompt for the passphrase.
## ##
## .. bro:see:: ssl_private_key ssl_ca_certificate ## .. bro:see:: ssl_private_key ssl_ca_certificate
const ssl_passphrase = "<undefined>" &redef; const ssl_passphrase = "<undefined>" &redef;
## Default mode for Bro's user-space dynamic packet filter. If true, packets that ## Default mode for Bro's user-space dynamic packet filter. If true, packets that
## aren't explicitly allowed through, are dropped from any further processing. ## aren't explicitly allowed through, are dropped from any further processing.
## ##
## .. note:: This is not the BPF packet filter but an additional dynamic filter ## .. note:: This is not the BPF packet filter but an additional dynamic filter
## that Bro optionally applies just before normal processing starts. ## that Bro optionally applies just before normal processing starts.
## ##
## .. bro:see:: install_dst_addr_filter install_dst_net_filter ## .. bro:see:: install_dst_addr_filter install_dst_net_filter
## install_src_addr_filter install_src_net_filter uninstall_dst_addr_filter ## install_src_addr_filter install_src_net_filter uninstall_dst_addr_filter
## uninstall_dst_net_filter uninstall_src_addr_filter uninstall_src_net_filter ## uninstall_dst_net_filter uninstall_src_addr_filter uninstall_src_net_filter
const packet_filter_default = F &redef; const packet_filter_default = F &redef;
## Maximum size of regular expression groups for signature matching. ## Maximum size of regular expression groups for signature matching.
@ -2132,17 +2282,17 @@ const enable_syslog = F &redef;
## Description transmitted to remote communication peers for identification. ## Description transmitted to remote communication peers for identification.
const peer_description = "bro" &redef; const peer_description = "bro" &redef;
## If true, broadcast events received from one peer to all other peers. ## If true, broadcast events received from one peer to all other peers.
## ##
## .. bro:see:: forward_remote_state_changes ## .. bro:see:: forward_remote_state_changes
## ##
## .. note:: This option is only temporary and will disappear once we get a more ## .. note:: This option is only temporary and will disappear once we get a more
## sophisticated script-level communication framework. ## sophisticated script-level communication framework.
const forward_remote_events = F &redef; const forward_remote_events = F &redef;
## If true, broadcast state updates received from one peer to all other peers. ## If true, broadcast state updates received from one peer to all other peers.
## ##
## .. bro:see:: forward_remote_events ## .. bro:see:: forward_remote_events
## ##
## .. note:: This option is only temporary and will disappear once we get a more ## .. note:: This option is only temporary and will disappear once we get a more
## sophisticated script-level communication framework. ## sophisticated script-level communication framework.
@ -2171,23 +2321,23 @@ const REMOTE_SRC_PARENT = 2; ##< Message from the parent process.
const REMOTE_SRC_SCRIPT = 3; ##< Message from a policy script. const REMOTE_SRC_SCRIPT = 3; ##< Message from a policy script.
## Synchronize trace processing at a regular basis in pseudo-realtime mode. ## Synchronize trace processing at a regular basis in pseudo-realtime mode.
## ##
## .. bro:see:: remote_trace_sync_peers ## .. bro:see:: remote_trace_sync_peers
const remote_trace_sync_interval = 0 secs &redef; const remote_trace_sync_interval = 0 secs &redef;
## Number of peers across which to synchronize trace processing in ## Number of peers across which to synchronize trace processing in
## pseudo-realtime mode. ## pseudo-realtime mode.
## ##
## .. bro:see:: remote_trace_sync_interval ## .. bro:see:: remote_trace_sync_interval
const remote_trace_sync_peers = 0 &redef; const remote_trace_sync_peers = 0 &redef;
## Whether for :bro:attr:`&synchronized` state to send the old value as a ## Whether for :bro:attr:`&synchronized` state to send the old value as a
## consistency check. ## consistency check.
const remote_check_sync_consistency = F &redef; const remote_check_sync_consistency = F &redef;
## Analyzer tags. The core automatically defines constants ## Analyzer tags. The core automatically defines constants
## ``ANALYZER_<analyzer-name>*``, e.g., ``ANALYZER_HTTP``. ## ``ANALYZER_<analyzer-name>*``, e.g., ``ANALYZER_HTTP``.
## ##
## .. bro:see:: dpd_config ## .. bro:see:: dpd_config
## ##
## .. todo::We should autodoc these automaticallty generated constants. ## .. todo::We should autodoc these automaticallty generated constants.
@ -2205,7 +2355,7 @@ type dpd_protocol_config: record {
## This table defines the ports. ## This table defines the ports.
## ##
## .. bro:see:: dpd_reassemble_first_packets dpd_buffer_size ## .. bro:see:: dpd_reassemble_first_packets dpd_buffer_size
## dpd_match_only_beginning dpd_ignore_ports ## dpd_match_only_beginning dpd_ignore_ports
const dpd_config: table[AnalyzerTag] of dpd_protocol_config = {} &redef; const dpd_config: table[AnalyzerTag] of dpd_protocol_config = {} &redef;
## Reassemble the beginning of all TCP connections before doing ## Reassemble the beginning of all TCP connections before doing
@ -2213,10 +2363,10 @@ const dpd_config: table[AnalyzerTag] of dpd_protocol_config = {} &redef;
## expensive of CPU cycles. ## expensive of CPU cycles.
## ##
## .. bro:see:: dpd_config dpd_buffer_size ## .. bro:see:: dpd_config dpd_buffer_size
## dpd_match_only_beginning dpd_ignore_ports ## dpd_match_only_beginning dpd_ignore_ports
## ##
## .. note:: Despite the name, this option affects *all* signature matching, not ## .. note:: Despite the name, this option affects *all* signature matching, not
## only signatures used for dynamic protocol detection. ## only signatures used for dynamic protocol detection.
const dpd_reassemble_first_packets = T &redef; const dpd_reassemble_first_packets = T &redef;
## Size of per-connection buffer used for dynamic protocol detection. For each ## Size of per-connection buffer used for dynamic protocol detection. For each
@ -2225,23 +2375,23 @@ const dpd_reassemble_first_packets = T &redef;
## already passed through (i.e., when a DPD signature matches only later). ## already passed through (i.e., when a DPD signature matches only later).
## However, once the buffer is full, data is deleted and lost to analyzers that are ## However, once the buffer is full, data is deleted and lost to analyzers that are
## activated afterwards. Then only analyzers that can deal with partial ## activated afterwards. Then only analyzers that can deal with partial
## connections will be able to analyze the session. ## connections will be able to analyze the session.
## ##
## .. bro:see:: dpd_reassemble_first_packets dpd_config dpd_match_only_beginning ## .. bro:see:: dpd_reassemble_first_packets dpd_config dpd_match_only_beginning
## dpd_ignore_ports ## dpd_ignore_ports
const dpd_buffer_size = 1024 &redef; const dpd_buffer_size = 1024 &redef;
## If true, stops signature matching if dpd_buffer_size has been reached. ## If true, stops signature matching if dpd_buffer_size has been reached.
## ##
## .. bro:see:: dpd_reassemble_first_packets dpd_buffer_size ## .. bro:see:: dpd_reassemble_first_packets dpd_buffer_size
## dpd_config dpd_ignore_ports ## dpd_config dpd_ignore_ports
## ##
## .. note:: Despite the name, this option affects *all* signature matching, not ## .. note:: Despite the name, this option affects *all* signature matching, not
## only signatures used for dynamic protocol detection. ## only signatures used for dynamic protocol detection.
const dpd_match_only_beginning = T &redef; const dpd_match_only_beginning = T &redef;
## If true, don't consider any ports for deciding which protocol analyzer to ## If true, don't consider any ports for deciding which protocol analyzer to
## use. If so, the value of :bro:see:`dpd_config` is ignored. ## use. If so, the value of :bro:see:`dpd_config` is ignored.
## ##
## .. bro:see:: dpd_reassemble_first_packets dpd_buffer_size ## .. bro:see:: dpd_reassemble_first_packets dpd_buffer_size
## dpd_match_only_beginning dpd_config ## dpd_match_only_beginning dpd_config
@ -2249,14 +2399,14 @@ const dpd_ignore_ports = F &redef;
## Ports which the core considers being likely used by servers. For ports in ## Ports which the core considers being likely used by servers. For ports in
## this set, is may heuristically decide to flip the direction of the ## this set, is may heuristically decide to flip the direction of the
## connection if it misses the initial handshake. ## connection if it misses the initial handshake.
const likely_server_ports: set[port] &redef; const likely_server_ports: set[port] &redef;
## Deprated. Set of all ports for which we know an analyzer, built by ## Deprated. Set of all ports for which we know an analyzer, built by
## :doc:`/scripts/base/frameworks/dpd/main`. ## :doc:`/scripts/base/frameworks/dpd/main`.
## ##
## .. todo::This should be defined by :doc:`/scripts/base/frameworks/dpd/main` ## .. todo::This should be defined by :doc:`/scripts/base/frameworks/dpd/main`
## itself we still need it. ## itself we still need it.
global dpd_analyzer_ports: table[port] of set[AnalyzerTag]; global dpd_analyzer_ports: table[port] of set[AnalyzerTag];
## Per-incident timer managers are drained after this amount of inactivity. ## Per-incident timer managers are drained after this amount of inactivity.
@ -2269,7 +2419,7 @@ const time_machine_profiling = F &redef;
const check_for_unused_event_handlers = F &redef; const check_for_unused_event_handlers = F &redef;
# If true, dumps all invoked event handlers at startup. # If true, dumps all invoked event handlers at startup.
# todo::Still used? # todo::Still used?
# const dump_used_event_handlers = F &redef; # const dump_used_event_handlers = F &redef;
## Deprecated. ## Deprecated.
@ -2285,7 +2435,7 @@ const trace_output_file = "";
## of setting this to true is that we can write the packets out before we actually ## of setting this to true is that we can write the packets out before we actually
## process them, which can be helpful for debugging in case the analysis triggers a ## process them, which can be helpful for debugging in case the analysis triggers a
## crash. ## crash.
## ##
## .. bro:see:: trace_output_file ## .. bro:see:: trace_output_file
const record_all_packets = F &redef; const record_all_packets = F &redef;
@ -2298,7 +2448,7 @@ const record_all_packets = F &redef;
const ignore_keep_alive_rexmit = F &redef; const ignore_keep_alive_rexmit = F &redef;
## Whether the analysis engine parses IP packets encapsulated in ## Whether the analysis engine parses IP packets encapsulated in
## UDP tunnels. ## UDP tunnels.
## ##
## .. bro:see:: tunnel_port ## .. bro:see:: tunnel_port
const parse_udp_tunnels = F &redef; const parse_udp_tunnels = F &redef;
@ -2306,6 +2456,6 @@ const parse_udp_tunnels = F &redef;
## Number of bytes per packet to capture from live interfaces. ## Number of bytes per packet to capture from live interfaces.
const snaplen = 8192 &redef; const snaplen = 8192 &redef;
# Load the logging framework here because it uses fairly deep integration with # Load the logging framework here because it uses fairly deep integration with
# BiFs and script-land defined types. # BiFs and script-land defined types.
@load base/frameworks/logging @load base/frameworks/logging


@ -330,6 +330,7 @@ set(bro_SRCS
IntSet.cc IntSet.cc
InterConn.cc InterConn.cc
IOSource.cc IOSource.cc
IP.cc
IPAddr.cc IPAddr.cc
IRC.cc IRC.cc
List.cc List.cc
@ -402,6 +403,7 @@ set(bro_SRCS
XDR.cc XDR.cc
ZIP.cc ZIP.cc
bsd-getopt-long.c bsd-getopt-long.c
bro_inet_ntop.c
cq.c cq.c
md5.c md5.c
patricia.c patricia.c


@ -10,11 +10,6 @@
Discarder::Discarder() Discarder::Discarder()
{ {
ip_hdr = internal_type("ip_hdr")->AsRecordType();
tcp_hdr = internal_type("tcp_hdr")->AsRecordType();
udp_hdr = internal_type("udp_hdr")->AsRecordType();
icmp_hdr = internal_type("icmp_hdr")->AsRecordType();
check_ip = internal_func("discarder_check_ip"); check_ip = internal_func("discarder_check_ip");
check_tcp = internal_func("discarder_check_tcp"); check_tcp = internal_func("discarder_check_tcp");
check_udp = internal_func("discarder_check_udp"); check_udp = internal_func("discarder_check_udp");
@ -36,12 +31,10 @@ int Discarder::NextPacket(const IP_Hdr* ip, int len, int caplen)
{ {
int discard_packet = 0; int discard_packet = 0;
const struct ip* ip4 = ip->IP4_Hdr();
if ( check_ip ) if ( check_ip )
{ {
val_list* args = new val_list; val_list* args = new val_list;
args->append(BuildHeader(ip4)); args->append(ip->BuildPktHdrVal());
try try
{ {
@ -59,19 +52,18 @@ int Discarder::NextPacket(const IP_Hdr* ip, int len, int caplen)
return discard_packet; return discard_packet;
} }
int proto = ip4->ip_p; int proto = ip->NextProto();
if ( proto != IPPROTO_TCP && proto != IPPROTO_UDP && if ( proto != IPPROTO_TCP && proto != IPPROTO_UDP &&
proto != IPPROTO_ICMP ) proto != IPPROTO_ICMP )
// This is not a protocol we understand. // This is not a protocol we understand.
return 0; return 0;
// XXX shall we only check the first packet??? // XXX shall we only check the first packet???
uint32 frag_field = ntohs(ip4->ip_off); if ( ip->IsFragment() )
if ( (frag_field & 0x3fff) != 0 )
// Never check any fragment. // Never check any fragment.
return 0; return 0;
int ip_hdr_len = ip4->ip_hl * 4; int ip_hdr_len = ip->HdrLen();
len -= ip_hdr_len; // remove IP header len -= ip_hdr_len; // remove IP header
caplen -= ip_hdr_len; caplen -= ip_hdr_len;
@ -87,7 +79,7 @@ int Discarder::NextPacket(const IP_Hdr* ip, int len, int caplen)
// Where the data starts - if this is a protocol we know about, // Where the data starts - if this is a protocol we know about,
// this gets advanced past the transport header. // this gets advanced past the transport header.
const u_char* data = ((u_char*) ip4 + ip_hdr_len); const u_char* data = ip->Payload();
if ( is_tcp ) if ( is_tcp )
{ {
@ -97,8 +89,7 @@ int Discarder::NextPacket(const IP_Hdr* ip, int len, int caplen)
int th_len = tp->th_off * 4; int th_len = tp->th_off * 4;
val_list* args = new val_list; val_list* args = new val_list;
args->append(BuildHeader(ip4)); args->append(ip->BuildPktHdrVal());
args->append(BuildHeader(tp, len));
args->append(BuildData(data, th_len, len, caplen)); args->append(BuildData(data, th_len, len, caplen));
try try
@ -123,8 +114,7 @@ int Discarder::NextPacket(const IP_Hdr* ip, int len, int caplen)
int uh_len = sizeof (struct udphdr); int uh_len = sizeof (struct udphdr);
val_list* args = new val_list; val_list* args = new val_list;
args->append(BuildHeader(ip4)); args->append(ip->BuildPktHdrVal());
args->append(BuildHeader(up));
args->append(BuildData(data, uh_len, len, caplen)); args->append(BuildData(data, uh_len, len, caplen));
try try
@ -148,8 +138,7 @@ int Discarder::NextPacket(const IP_Hdr* ip, int len, int caplen)
const struct icmp* ih = (const struct icmp*) data; const struct icmp* ih = (const struct icmp*) data;
val_list* args = new val_list; val_list* args = new val_list;
args->append(BuildHeader(ip4)); args->append(ip->BuildPktHdrVal());
args->append(BuildHeader(ih));
try try
{ {
@ -168,62 +157,6 @@ int Discarder::NextPacket(const IP_Hdr* ip, int len, int caplen)
return discard_packet; return discard_packet;
} }
Val* Discarder::BuildHeader(const struct ip* ip)
{
RecordVal* hdr = new RecordVal(ip_hdr);
hdr->Assign(0, new Val(ip->ip_hl * 4, TYPE_COUNT));
hdr->Assign(1, new Val(ip->ip_tos, TYPE_COUNT));
hdr->Assign(2, new Val(ntohs(ip->ip_len), TYPE_COUNT));
hdr->Assign(3, new Val(ntohs(ip->ip_id), TYPE_COUNT));
hdr->Assign(4, new Val(ip->ip_ttl, TYPE_COUNT));
hdr->Assign(5, new Val(ip->ip_p, TYPE_COUNT));
hdr->Assign(6, new AddrVal(ip->ip_src.s_addr));
hdr->Assign(7, new AddrVal(ip->ip_dst.s_addr));
return hdr;
}
Val* Discarder::BuildHeader(const struct tcphdr* tp, int tcp_len)
{
RecordVal* hdr = new RecordVal(tcp_hdr);
hdr->Assign(0, new PortVal(ntohs(tp->th_sport), TRANSPORT_TCP));
hdr->Assign(1, new PortVal(ntohs(tp->th_dport), TRANSPORT_TCP));
hdr->Assign(2, new Val(uint32(ntohl(tp->th_seq)), TYPE_COUNT));
hdr->Assign(3, new Val(uint32(ntohl(tp->th_ack)), TYPE_COUNT));
int tcp_hdr_len = tp->th_off * 4;
hdr->Assign(4, new Val(tcp_hdr_len, TYPE_COUNT));
hdr->Assign(5, new Val(tcp_len - tcp_hdr_len, TYPE_COUNT));
hdr->Assign(6, new Val(tp->th_flags, TYPE_COUNT));
hdr->Assign(7, new Val(ntohs(tp->th_win), TYPE_COUNT));
return hdr;
}
Val* Discarder::BuildHeader(const struct udphdr* up)
{
RecordVal* hdr = new RecordVal(udp_hdr);
hdr->Assign(0, new PortVal(ntohs(up->uh_sport), TRANSPORT_UDP));
hdr->Assign(1, new PortVal(ntohs(up->uh_dport), TRANSPORT_UDP));
hdr->Assign(2, new Val(ntohs(up->uh_ulen), TYPE_COUNT));
return hdr;
}
Val* Discarder::BuildHeader(const struct icmp* icmp)
{
RecordVal* hdr = new RecordVal(icmp_hdr);
hdr->Assign(0, new Val(icmp->icmp_type, TYPE_COUNT));
return hdr;
}
Val* Discarder::BuildData(const u_char* data, int hdrlen, int len, int caplen) Val* Discarder::BuildData(const u_char* data, int hdrlen, int len, int caplen)
{ {
len -= hdrlen; len -= hdrlen;
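Review bot: The protocol gate in NextPacket (`proto != IPPROTO_TCP && proto != IPPROTO_UDP && proto != IPPROTO_ICMP`) is kept as-is although `proto` now comes from `ip->NextProto()`, so an IPv6 packet whose upper-layer protocol is ICMPv6 takes the "not a protocol we understand" return and never reaches the ICMP-specific check. If that is intended for now, the comment on that branch should say so, e.g. `// ICMPv6 is not handled here yet; only the generic IP check applies to it.`, so operators do not assume their discarder policy covers IPv6 ICMP. Adding `IPPROTO_ICMPV6` to the gate would presumably also require reviewing the later `(const struct icmp*) data` cast. The parts of NextPacket between the hunks are not visible here, so the length checks ahead of that cast could not be reviewed.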


@ -25,17 +25,8 @@ public:
int NextPacket(const IP_Hdr* ip, int len, int caplen); int NextPacket(const IP_Hdr* ip, int len, int caplen);
protected: protected:
Val* BuildHeader(const struct ip* ip);
Val* BuildHeader(const struct tcphdr* tp, int tcp_len);
Val* BuildHeader(const struct udphdr* up);
Val* BuildHeader(const struct icmp* icmp);
Val* BuildData(const u_char* data, int hdrlen, int len, int caplen); Val* BuildData(const u_char* data, int hdrlen, int len, int caplen);
RecordType* ip_hdr;
RecordType* tcp_hdr;
RecordType* udp_hdr;
RecordType* icmp_hdr;
Func* check_ip; Func* check_ip;
Func* check_tcp; Func* check_tcp;
Func* check_udp; Func* check_udp;


@ -27,21 +27,32 @@ void FragTimer::Dispatch(double t, int /* is_expire */)
FragReassembler::FragReassembler(NetSessions* arg_s, FragReassembler::FragReassembler(NetSessions* arg_s,
const IP_Hdr* ip, const u_char* pkt, const IP_Hdr* ip, const u_char* pkt,
uint32 frag_field, HashKey* k, double t) HashKey* k, double t)
: Reassembler(0, ip->DstAddr(), REASSEM_IP) : Reassembler(0, ip->DstAddr(), REASSEM_IP)
{ {
s = arg_s; s = arg_s;
key = k; key = k;
const struct ip* ip4 = ip->IP4_Hdr(); const struct ip* ip4 = ip->IP4_Hdr();
proto_hdr_len = ip4->ip_hl * 4; if ( ip4 )
proto_hdr = (struct ip*) new u_char[64]; // max IP header + slop {
// Don't do a structure copy - need to pick up options, too. proto_hdr_len = ip->HdrLen();
memcpy((void*) proto_hdr, (const void*) ip4, proto_hdr_len); proto_hdr = new u_char[64]; // max IP header + slop
// Don't do a structure copy - need to pick up options, too.
memcpy((void*) proto_hdr, (const void*) ip4, proto_hdr_len);
}
else
{
proto_hdr_len = ip->HdrLen() - 8; // minus length of fragment header
proto_hdr = new u_char[proto_hdr_len];
memcpy(proto_hdr, ip->IP6_Hdr(), proto_hdr_len);
}
reassembled_pkt = 0; reassembled_pkt = 0;
frag_size = 0; // flag meaning "not known" frag_size = 0; // flag meaning "not known"
next_proto = ip->NextProto();
AddFragment(t, ip, pkt, frag_field); AddFragment(t, ip, pkt);
if ( frag_timeout != 0.0 ) if ( frag_timeout != 0.0 )
{ {
@ -60,28 +71,42 @@ FragReassembler::~FragReassembler()
delete key; delete key;
} }
void FragReassembler::AddFragment(double t, const IP_Hdr* ip, const u_char* pkt, void FragReassembler::AddFragment(double t, const IP_Hdr* ip, const u_char* pkt)
uint32 frag_field)
{ {
const struct ip* ip4 = ip->IP4_Hdr(); const struct ip* ip4 = ip->IP4_Hdr();
if ( ip4->ip_p != proto_hdr->ip_p || ip4->ip_hl != proto_hdr->ip_hl ) if ( ip4 )
{
if ( ip4->ip_p != ((const struct ip*)proto_hdr)->ip_p ||
ip4->ip_hl != ((const struct ip*)proto_hdr)->ip_hl )
// || ip4->ip_tos != proto_hdr->ip_tos // || ip4->ip_tos != proto_hdr->ip_tos
// don't check TOS, there's at least one stack that actually // don't check TOS, there's at least one stack that actually
// uses different values, and it's hard to see an associated // uses different values, and it's hard to see an associated
// attack. // attack.
s->Weird("fragment_protocol_inconsistency", ip); s->Weird("fragment_protocol_inconsistency", ip);
}
else
{
if ( ip->NextProto() != next_proto ||
ip->HdrLen() - 8 != proto_hdr_len )
s->Weird("fragment_protocol_inconsistency", ip);
// TODO: more detailed unfrag header consistency checks?
}
if ( frag_field & 0x4000 ) if ( ip->DF() )
// Linux MTU discovery for UDP can do this, for example. // Linux MTU discovery for UDP can do this, for example.
s->Weird("fragment_with_DF", ip); s->Weird("fragment_with_DF", ip);
int offset = (ntohs(ip4->ip_off) & 0x1fff) * 8; int offset = ip->FragOffset();
int len = ntohs(ip4->ip_len); int len = ip->TotalLen();
int hdr_len = proto_hdr->ip_hl * 4; int hdr_len = ip->HdrLen();
int upper_seq = offset + len - hdr_len; int upper_seq = offset + len - hdr_len;
if ( (frag_field & 0x2000) == 0 ) if ( ! offset )
// Make sure to use the first fragment header's next field.
next_proto = ip->NextProto();
if ( ! ip->MF() )
{ {
// Last fragment. // Last fragment.
if ( frag_size == 0 ) if ( frag_size == 0 )
@ -193,8 +218,7 @@ void FragReassembler::BlockInserted(DataBlock* /* start_block */)
u_char* pkt = new u_char[n]; u_char* pkt = new u_char[n];
memcpy((void*) pkt, (const void*) proto_hdr, proto_hdr_len); memcpy((void*) pkt, (const void*) proto_hdr, proto_hdr_len);
struct ip* reassem4 = (struct ip*) pkt; u_char* pkt_start = pkt;
reassem4->ip_len = htons(frag_size + proto_hdr_len);
pkt += proto_hdr_len; pkt += proto_hdr_len;
@ -214,7 +238,27 @@ void FragReassembler::BlockInserted(DataBlock* /* start_block */)
} }
delete reassembled_pkt; delete reassembled_pkt;
reassembled_pkt = new IP_Hdr(reassem4, true);
if ( ((const struct ip*)pkt_start)->ip_v == 4 )
{
struct ip* reassem4 = (struct ip*) pkt_start;
reassem4->ip_len = htons(frag_size + proto_hdr_len);
reassembled_pkt = new IP_Hdr(reassem4, true);
}
else if ( ((const struct ip*)pkt_start)->ip_v == 6 )
{
struct ip6_hdr* reassem6 = (struct ip6_hdr*) pkt_start;
reassem6->ip6_plen = htons(frag_size + proto_hdr_len - 40);
const IPv6_Hdr_Chain* chain = new IPv6_Hdr_Chain(reassem6, next_proto);
reassembled_pkt = new IP_Hdr(reassem6, true, chain);
}
else
{
reporter->InternalError("bad IP version in fragment reassembly");
}
DeleteTimer(); DeleteTimer();
} }


@ -20,11 +20,10 @@ typedef void (FragReassembler::*frag_timer_func)(double t);
class FragReassembler : public Reassembler { class FragReassembler : public Reassembler {
public: public:
FragReassembler(NetSessions* s, const IP_Hdr* ip, const u_char* pkt, FragReassembler(NetSessions* s, const IP_Hdr* ip, const u_char* pkt,
uint32 frag_field, HashKey* k, double t); HashKey* k, double t);
~FragReassembler(); ~FragReassembler();
void AddFragment(double t, const IP_Hdr* ip, const u_char* pkt, void AddFragment(double t, const IP_Hdr* ip, const u_char* pkt);
uint32 frag_field);
void Expire(double t); void Expire(double t);
void DeleteTimer(); void DeleteTimer();
@ -37,11 +36,12 @@ protected:
void BlockInserted(DataBlock* start_block); void BlockInserted(DataBlock* start_block);
void Overlap(const u_char* b1, const u_char* b2, int n); void Overlap(const u_char* b1, const u_char* b2, int n);
struct ip* proto_hdr; u_char* proto_hdr;
IP_Hdr* reassembled_pkt; IP_Hdr* reassembled_pkt;
int proto_hdr_len; int proto_hdr_len;
NetSessions* s; NetSessions* s;
int frag_size; // size of fully reassembled fragment int frag_size; // size of fully reassembled fragment
uint16 next_proto; // first IPv6 fragment header's next proto field
HashKey* key; HashKey* key;
FragTimer* expire_timer; FragTimer* expire_timer;


@ -297,10 +297,9 @@ RecordVal* ICMP_Analyzer::ExtractICMP4Context(int len, const u_char*& data)
src_addr = ip_hdr->SrcAddr(); src_addr = ip_hdr->SrcAddr();
dst_addr = ip_hdr->DstAddr(); dst_addr = ip_hdr->DstAddr();
uint32 frag_field = ip_hdr->FragField();
DF = ip_hdr->DF(); DF = ip_hdr->DF();
MF = frag_field & 0x2000; MF = ip_hdr->MF();
frag_offset = frag_field & /* IP_OFFMASK not portable */ 0x1fff; frag_offset = ip_hdr->FragOffset();
if ( uint32(len) >= ip_hdr_len + 4 ) if ( uint32(len) >= ip_hdr_len + 4 )
proto = GetContextProtocol(ip_hdr, &src_port, &dst_port); proto = GetContextProtocol(ip_hdr, &src_port, &dst_port);
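Review bot: `frag_offset = ip_hdr->FragOffset();` changes the unit of the value stored for the ICMP context. The old line kept the raw 13-bit field (`frag_field & 0x1fff`, counted in 8-byte units), while `IP_Hdr::FragOffset()` as added in this commit multiplies that field by 8 and returns bytes. If the change is intended, say so at the assignment, e.g. `// byte offset; FragOffset() already scales the 13-bit field by 8`, and check that the script-layer field documentation states the same unit. ExtractICMP4Context starts and ends outside this hunk, so how `frag_offset` is consumed is not visible here.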

364
src/IP.cc Normal file

@ -0,0 +1,364 @@
// See the file "COPYING" in the main distribution directory for copyright.
#include "IP.h"
#include "Type.h"
#include "Val.h"
#include "Var.h"
static RecordType* ip4_hdr_type = 0;
static RecordType* ip6_hdr_type = 0;
static RecordType* ip6_ext_hdr_type = 0;
static RecordType* ip6_option_type = 0;
static RecordType* ip6_hopopts_type = 0;
static RecordType* ip6_dstopts_type = 0;
static RecordType* ip6_routing_type = 0;
static RecordType* ip6_fragment_type = 0;
static RecordType* ip6_ah_type = 0;
static RecordType* ip6_esp_type = 0;
static inline RecordType* hdrType(RecordType*& type, const char* name)
{
if ( ! type )
type = internal_type(name)->AsRecordType();
return type;
}
static VectorVal* BuildOptionsVal(const u_char* data, uint16 len)
{
VectorVal* vv = new VectorVal(new VectorType(
hdrType(ip6_option_type, "ip6_option")->Ref()));
while ( len > 0 )
{
const struct ip6_opt* opt = (const struct ip6_opt*) data;
RecordVal* rv = new RecordVal(ip6_option_type);
rv->Assign(0, new Val(opt->ip6o_type, TYPE_COUNT));
if ( opt->ip6o_type == 0 )
{
// Pad1 option
rv->Assign(1, new Val(0, TYPE_COUNT));
rv->Assign(2, new StringVal(""));
data += sizeof(uint8);
len -= sizeof(uint8);
}
else
{
// PadN or other option
uint16 off = 2 * sizeof(uint8);
rv->Assign(1, new Val(opt->ip6o_len, TYPE_COUNT));
rv->Assign(2, new StringVal(
new BroString(data + off, opt->ip6o_len, 1)));
data += opt->ip6o_len + off;
len -= opt->ip6o_len + off;
}
vv->Assign(vv->Size(), rv, 0);
}
return vv;
}
RecordVal* IPv6_Hdr::BuildRecordVal(VectorVal* chain) const
{
RecordVal* rv = 0;
switch ( type ) {
case IPPROTO_IPV6:
{
rv = new RecordVal(hdrType(ip6_hdr_type, "ip6_hdr"));
const struct ip6_hdr* ip6 = (const struct ip6_hdr*)data;
rv->Assign(0, new Val((ntohl(ip6->ip6_flow) & 0x0ff00000)>>20, TYPE_COUNT));
rv->Assign(1, new Val(ntohl(ip6->ip6_flow) & 0x000fffff, TYPE_COUNT));
rv->Assign(2, new Val(ntohs(ip6->ip6_plen), TYPE_COUNT));
rv->Assign(3, new Val(ip6->ip6_nxt, TYPE_COUNT));
rv->Assign(4, new Val(ip6->ip6_hlim, TYPE_COUNT));
rv->Assign(5, new AddrVal(ip6->ip6_src));
rv->Assign(6, new AddrVal(ip6->ip6_dst));
if ( ! chain )
chain = new VectorVal(new VectorType(
hdrType(ip6_ext_hdr_type, "ip6_ext_hdr")->Ref()));
rv->Assign(7, chain);
}
break;
case IPPROTO_HOPOPTS:
{
rv = new RecordVal(hdrType(ip6_hopopts_type, "ip6_hopopts"));
const struct ip6_hbh* hbh = (const struct ip6_hbh*)data;
rv->Assign(0, new Val(hbh->ip6h_nxt, TYPE_COUNT));
rv->Assign(1, new Val(hbh->ip6h_len, TYPE_COUNT));
uint16 off = 2 * sizeof(uint8);
rv->Assign(2, BuildOptionsVal(data + off, Length() - off));
}
break;
case IPPROTO_DSTOPTS:
{
rv = new RecordVal(hdrType(ip6_dstopts_type, "ip6_dstopts"));
const struct ip6_dest* dst = (const struct ip6_dest*)data;
rv->Assign(0, new Val(dst->ip6d_nxt, TYPE_COUNT));
rv->Assign(1, new Val(dst->ip6d_len, TYPE_COUNT));
uint16 off = 2 * sizeof(uint8);
rv->Assign(2, BuildOptionsVal(data + off, Length() - off));
}
break;
case IPPROTO_ROUTING:
{
rv = new RecordVal(hdrType(ip6_routing_type, "ip6_routing"));
const struct ip6_rthdr* rt = (const struct ip6_rthdr*)data;
rv->Assign(0, new Val(rt->ip6r_nxt, TYPE_COUNT));
rv->Assign(1, new Val(rt->ip6r_len, TYPE_COUNT));
rv->Assign(2, new Val(rt->ip6r_type, TYPE_COUNT));
rv->Assign(3, new Val(rt->ip6r_segleft, TYPE_COUNT));
uint16 off = 4 * sizeof(uint8);
rv->Assign(4, new StringVal(new BroString(data + off, Length() - off, 1)));
}
break;
case IPPROTO_FRAGMENT:
{
rv = new RecordVal(hdrType(ip6_fragment_type, "ip6_fragment"));
const struct ip6_frag* frag = (const struct ip6_frag*)data;
rv->Assign(0, new Val(frag->ip6f_nxt, TYPE_COUNT));
rv->Assign(1, new Val(frag->ip6f_reserved, TYPE_COUNT));
rv->Assign(2, new Val((ntohs(frag->ip6f_offlg) & 0xfff8)>>3, TYPE_COUNT));
rv->Assign(3, new Val((ntohs(frag->ip6f_offlg) & 0x0006)>>1, TYPE_COUNT));
rv->Assign(4, new Val(ntohs(frag->ip6f_offlg) & 0x0001, TYPE_BOOL));
rv->Assign(5, new Val(ntohl(frag->ip6f_ident), TYPE_COUNT));
}
break;
case IPPROTO_AH:
{
rv = new RecordVal(hdrType(ip6_ah_type, "ip6_ah"));
rv->Assign(0, new Val(((ip6_ext*)data)->ip6e_nxt, TYPE_COUNT));
rv->Assign(1, new Val(((ip6_ext*)data)->ip6e_len, TYPE_COUNT));
rv->Assign(2, new Val(ntohs(((uint16*)data)[1]), TYPE_COUNT));
rv->Assign(3, new Val(ntohl(((uint32*)data)[1]), TYPE_COUNT));
rv->Assign(4, new Val(ntohl(((uint32*)data)[2]), TYPE_COUNT));
uint16 off = 3 * sizeof(uint32);
rv->Assign(5, new StringVal(new BroString(data + off, Length() - off, 1)));
}
break;
case IPPROTO_ESP:
{
rv = new RecordVal(hdrType(ip6_esp_type, "ip6_esp"));
const uint32* esp = (const uint32*)data;
rv->Assign(0, new Val(ntohl(esp[0]), TYPE_COUNT));
rv->Assign(1, new Val(ntohl(esp[1]), TYPE_COUNT));
}
break;
default:
break;
}
return rv;
}
RecordVal* IP_Hdr::BuildIPHdrVal() const
{
RecordVal* rval = 0;
if ( ip4 )
{
rval = new RecordVal(hdrType(ip4_hdr_type, "ip4_hdr"));
rval->Assign(0, new Val(ip4->ip_hl * 4, TYPE_COUNT));
rval->Assign(1, new Val(ip4->ip_tos, TYPE_COUNT));
rval->Assign(2, new Val(ntohs(ip4->ip_len), TYPE_COUNT));
rval->Assign(3, new Val(ntohs(ip4->ip_id), TYPE_COUNT));
rval->Assign(4, new Val(ip4->ip_ttl, TYPE_COUNT));
rval->Assign(5, new Val(ip4->ip_p, TYPE_COUNT));
rval->Assign(6, new AddrVal(ip4->ip_src.s_addr));
rval->Assign(7, new AddrVal(ip4->ip_dst.s_addr));
}
else
{
rval = ((*ip6_hdrs)[0])->BuildRecordVal(ip6_hdrs->BuildVal());
}
return rval;
}
RecordVal* IP_Hdr::BuildPktHdrVal() const
{
static RecordType* pkt_hdr_type = 0;
static RecordType* tcp_hdr_type = 0;
static RecordType* udp_hdr_type = 0;
static RecordType* icmp_hdr_type = 0;
if ( ! pkt_hdr_type )
{
pkt_hdr_type = internal_type("pkt_hdr")->AsRecordType();
tcp_hdr_type = internal_type("tcp_hdr")->AsRecordType();
udp_hdr_type = internal_type("udp_hdr")->AsRecordType();
icmp_hdr_type = internal_type("icmp_hdr")->AsRecordType();
}
RecordVal* pkt_hdr = new RecordVal(pkt_hdr_type);
if ( ip4 )
pkt_hdr->Assign(0, BuildIPHdrVal());
else
pkt_hdr->Assign(1, BuildIPHdrVal());
// L4 header.
const u_char* data = Payload();
int proto = NextProto();
switch ( proto ) {
case IPPROTO_TCP:
{
const struct tcphdr* tp = (const struct tcphdr*) data;
RecordVal* tcp_hdr = new RecordVal(tcp_hdr_type);
int tcp_hdr_len = tp->th_off * 4;
int data_len = PayloadLen() - tcp_hdr_len;
tcp_hdr->Assign(0, new PortVal(ntohs(tp->th_sport), TRANSPORT_TCP));
tcp_hdr->Assign(1, new PortVal(ntohs(tp->th_dport), TRANSPORT_TCP));
tcp_hdr->Assign(2, new Val(uint32(ntohl(tp->th_seq)), TYPE_COUNT));
tcp_hdr->Assign(3, new Val(uint32(ntohl(tp->th_ack)), TYPE_COUNT));
tcp_hdr->Assign(4, new Val(tcp_hdr_len, TYPE_COUNT));
tcp_hdr->Assign(5, new Val(data_len, TYPE_COUNT));
tcp_hdr->Assign(6, new Val(tp->th_flags, TYPE_COUNT));
tcp_hdr->Assign(7, new Val(ntohs(tp->th_win), TYPE_COUNT));
pkt_hdr->Assign(2, tcp_hdr);
break;
}
case IPPROTO_UDP:
{
const struct udphdr* up = (const struct udphdr*) data;
RecordVal* udp_hdr = new RecordVal(udp_hdr_type);
udp_hdr->Assign(0, new PortVal(ntohs(up->uh_sport), TRANSPORT_UDP));
udp_hdr->Assign(1, new PortVal(ntohs(up->uh_dport), TRANSPORT_UDP));
udp_hdr->Assign(2, new Val(ntohs(up->uh_ulen), TYPE_COUNT));
pkt_hdr->Assign(3, udp_hdr);
break;
}
case IPPROTO_ICMP:
{
const struct icmp* icmpp = (const struct icmp *) data;
RecordVal* icmp_hdr = new RecordVal(icmp_hdr_type);
icmp_hdr->Assign(0, new Val(icmpp->icmp_type, TYPE_COUNT));
pkt_hdr->Assign(4, icmp_hdr);
break;
}
default:
{
// This is not a protocol we understand.
break;
}
}
return pkt_hdr;
}
static inline bool isIPv6ExtHeader(uint8 type)
{
switch (type) {
case IPPROTO_HOPOPTS:
case IPPROTO_ROUTING:
case IPPROTO_DSTOPTS:
case IPPROTO_FRAGMENT:
case IPPROTO_AH:
case IPPROTO_ESP:
return true;
default:
return false;
}
}
void IPv6_Hdr_Chain::Init(const struct ip6_hdr* ip6, bool set_next, uint16 next)
{
length = 0;
uint8 current_type, next_type;
next_type = IPPROTO_IPV6;
const u_char* hdrs = (const u_char*) ip6;
do
{
current_type = next_type;
IPv6_Hdr* p = new IPv6_Hdr(current_type, hdrs);
next_type = p->NextHdr();
uint16 len = p->Length();
if ( set_next && next_type == IPPROTO_FRAGMENT )
{
p->ChangeNext(next);
next_type = next;
}
chain.push_back(p);
hdrs += len;
length += len;
} while ( current_type != IPPROTO_FRAGMENT &&
current_type != IPPROTO_ESP &&
isIPv6ExtHeader(next_type) );
}
VectorVal* IPv6_Hdr_Chain::BuildVal() const
{
if ( ! ip6_ext_hdr_type )
{
ip6_ext_hdr_type = internal_type("ip6_ext_hdr")->AsRecordType();
ip6_hopopts_type = internal_type("ip6_hopopts")->AsRecordType();
ip6_dstopts_type = internal_type("ip6_dstopts")->AsRecordType();
ip6_routing_type = internal_type("ip6_routing")->AsRecordType();
ip6_fragment_type = internal_type("ip6_fragment")->AsRecordType();
ip6_ah_type = internal_type("ip6_ah")->AsRecordType();
ip6_esp_type = internal_type("ip6_esp")->AsRecordType();
}
VectorVal* rval = new VectorVal(new VectorType(ip6_ext_hdr_type->Ref()));
for ( size_t i = 1; i < chain.size(); ++i )
{
RecordVal* v = chain[i]->BuildRecordVal();
RecordVal* ext_hdr = new RecordVal(ip6_ext_hdr_type);
uint8 type = chain[i]->Type();
ext_hdr->Assign(0, new Val(type, TYPE_COUNT));
switch (type) {
case IPPROTO_HOPOPTS:
ext_hdr->Assign(1, v);
break;
case IPPROTO_DSTOPTS:
ext_hdr->Assign(2, v);
break;
case IPPROTO_ROUTING:
ext_hdr->Assign(3, v);
break;
case IPPROTO_FRAGMENT:
ext_hdr->Assign(4, v);
break;
case IPPROTO_AH:
ext_hdr->Assign(5, v);
break;
case IPPROTO_ESP:
ext_hdr->Assign(6, v);
break;
default:
reporter->InternalError("IPv6_Hdr_Chain bad header %d", type);
break;
}
rval->Assign(rval->Size(), ext_hdr, 0);
}
return rval;
}
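Review bot: `BuildOptionsVal` trusts the on-wire option length. `len` is a `uint16`, so `len -= opt->ip6o_len + off;` wraps to a large value when an option claims more bytes than remain, and the `while ( len > 0 )` loop then keeps reading and copying past the end of the extension header. A last remaining byte that is not Pad1 is also read as if a length byte followed it. A guard right after `opt` is set, before `rv` is allocated, would stop the walk at the first inconsistent option: `if ( opt->ip6o_type != 0 && ( len < 2 || opt->ip6o_len > len - 2 ) ) break;`, ideally with a weird raised by the caller. The `IPPROTO_AH` case in `BuildRecordVal` has the same shape: `Length() - off` is negative when `ip6e_len` is 0, so that branch should check `Length() >= off` before building the string.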

324
src/IP.h

@ -4,23 +4,234 @@
#define ip_h #define ip_h
#include "config.h" #include "config.h"
#include "net_util.h"
#include "IPAddr.h" #include "IPAddr.h"
#include <net_util.h> #include "Reporter.h"
#include "Val.h"
#include "Type.h"
#include <vector>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/ip6.h>
/**
* Base class for IPv6 header/extensions.
*/
class IPv6_Hdr {
public:
/**
* Construct an IPv6 header or extension header from assigned type number.
*/
IPv6_Hdr(uint8 t, const u_char* d) : type(t), data(d) {}
/**
* Replace the value of the next protocol field.
*/
void ChangeNext(uint8 next_type)
{
switch ( type ) {
case IPPROTO_IPV6:
((ip6_hdr*)data)->ip6_nxt = next_type;
break;
case IPPROTO_HOPOPTS:
case IPPROTO_DSTOPTS:
case IPPROTO_ROUTING:
case IPPROTO_FRAGMENT:
case IPPROTO_AH:
((ip6_ext*)data)->ip6e_nxt = next_type;
break;
case IPPROTO_ESP:
default:
break;
}
}
~IPv6_Hdr() {}
/**
* Returns the assigned IPv6 extension header type number of the header
* that immediately follows this one.
*/
uint8 NextHdr() const
{
switch ( type ) {
case IPPROTO_IPV6:
return ((ip6_hdr*)data)->ip6_nxt;
case IPPROTO_HOPOPTS:
case IPPROTO_DSTOPTS:
case IPPROTO_ROUTING:
case IPPROTO_FRAGMENT:
case IPPROTO_AH:
return ((ip6_ext*)data)->ip6e_nxt;
case IPPROTO_ESP:
default:
return IPPROTO_NONE;
}
}
/**
* Returns the length of the header in bytes.
*/
uint16 Length() const
{
switch ( type ) {
case IPPROTO_IPV6:
return 40;
case IPPROTO_HOPOPTS:
case IPPROTO_DSTOPTS:
case IPPROTO_ROUTING:
return 8 + 8 * ((ip6_ext*)data)->ip6e_len;
case IPPROTO_FRAGMENT:
return 8;
case IPPROTO_AH:
return 8 + 4 * ((ip6_ext*)data)->ip6e_len;
case IPPROTO_ESP:
return 8; //encrypted payload begins after 8 bytes
default:
return 0;
}
}
/**
* Returns the RFC 1700 et seq. IANA assigned number for the header.
*/
uint8 Type() const { return type; }
/**
* Returns pointer to the start of where header structure resides in memory.
*/
const u_char* Data() const { return data; }
/**
* Returns the script-layer record representation of the header.
*/
RecordVal* BuildRecordVal(VectorVal* chain = 0) const;
protected:
uint8 type;
const u_char* data;
};
class IPv6_Hdr_Chain {
public:
/**
* Initializes the header chain from an IPv6 header structure.
*/
IPv6_Hdr_Chain(const struct ip6_hdr* ip6) { Init(ip6, false); }
~IPv6_Hdr_Chain()
{ for ( size_t i = 0; i < chain.size(); ++i ) delete chain[i]; }
/**
* Returns the number of headers in the chain.
*/
size_t Size() const { return chain.size(); }
/**
* Returns the sum of the length of all headers in the chain in bytes.
*/
uint16 TotalLength() const { return length; }
/**
* Accesses the header at the given location in the chain.
*/
const IPv6_Hdr* operator[](const size_t i) const { return chain[i]; }
/**
* Returns whether the header chain indicates a fragmented packet.
*/
bool IsFragment() const
{ return chain[chain.size()-1]->Type() == IPPROTO_FRAGMENT; }
/**
* Returns pointer to fragment header structure if the chain contains one.
*/
const struct ip6_frag* GetFragHdr() const
{ return IsFragment() ?
(const struct ip6_frag*)chain[chain.size()-1]->Data(): 0; }
/**
* If the header chain is a fragment, returns the offset in number of bytes
* relative to the start of the Fragmentable Part of the original packet.
*/
uint16 FragOffset() const
{ return IsFragment() ?
(ntohs(GetFragHdr()->ip6f_offlg) & 0xfff8) : 0; }
/**
* If the header chain is a fragment, returns the identification field.
*/
uint32 ID() const
{ return IsFragment() ? ntohl(GetFragHdr()->ip6f_ident) : 0; }
/**
* If the header chain is a fragment, returns the M (more fragments) flag.
*/
int MF() const
{ return IsFragment() ?
(ntohs(GetFragHdr()->ip6f_offlg) & 0x0001) != 0 : 0; }
/**
* Returns a vector of ip6_ext_hdr RecordVals that includes script-layer
* representation of all extension headers in the chain.
*/
VectorVal* BuildVal() const;
protected:
// for access to protected ctor that changes next header values that
// point to a fragment
friend class FragReassembler;
/**
* Initializes the header chain from an IPv6 header structure, and replaces
* the first next protocol pointer field that points to a fragment header.
*/
IPv6_Hdr_Chain(const struct ip6_hdr* ip6, uint16 next)
{ Init(ip6, true, next); }
void Init(const struct ip6_hdr* ip6, bool set_next, uint16 next = 0);
vector<IPv6_Hdr*> chain;
uint16 length; // The summation of all header lengths in the chain in bytes.
};
class IP_Hdr { class IP_Hdr {
public: public:
IP_Hdr(const u_char* p, bool arg_del)
: ip4(0), ip6(0), del(arg_del), ip6_hdrs(0)
{
if ( ((const struct ip*)p)->ip_v == 4 )
ip4 = (const struct ip*)p;
else if ( ((const struct ip*)p)->ip_v == 6 )
{
ip6 = (const struct ip6_hdr*)p;
ip6_hdrs = new IPv6_Hdr_Chain(ip6);
}
else
{
if ( arg_del )
delete [] p;
reporter->InternalError("bad IP version in IP_Hdr ctor");
}
}
IP_Hdr(const struct ip* arg_ip4, bool arg_del) IP_Hdr(const struct ip* arg_ip4, bool arg_del)
: ip4(arg_ip4), ip6(0), del(arg_del) : ip4(arg_ip4), ip6(0), del(arg_del), ip6_hdrs(0)
{ {
} }
IP_Hdr(const struct ip6_hdr* arg_ip6, bool arg_del) IP_Hdr(const struct ip6_hdr* arg_ip6, bool arg_del,
: ip4(0), ip6(arg_ip6), del(arg_del) const IPv6_Hdr_Chain* c = 0)
: ip4(0), ip6(arg_ip6), del(arg_del),
ip6_hdrs(c ? c : new IPv6_Hdr_Chain(ip6))
{ {
} }
~IP_Hdr() ~IP_Hdr()
{ {
if ( ip6 )
delete ip6_hdrs;
if ( del ) if ( del )
{ {
if ( ip4 ) if ( ip4 )
@ -31,56 +242,123 @@ public:
} }
const struct ip* IP4_Hdr() const { return ip4; } const struct ip* IP4_Hdr() const { return ip4; }
const struct ip6_hdr* IP6_Hdr() const { return ip6; } const struct ip6_hdr* IP6_Hdr() const { return ip6; }
IPAddr SrcAddr() const IPAddr SrcAddr() const
{ return ip4 ? IPAddr(ip4->ip_src) : IPAddr(ip6->ip6_src); } { return ip4 ? IPAddr(ip4->ip_src) : IPAddr(ip6->ip6_src); }
IPAddr DstAddr() const IPAddr DstAddr() const
{ return ip4 ? IPAddr(ip4->ip_dst) : IPAddr(ip6->ip6_dst); } { return ip4 ? IPAddr(ip4->ip_dst) : IPAddr(ip6->ip6_dst); }
//TODO: needs adapting/replacement for IPv6 support /**
uint16 ID4() const { return ip4 ? ip4->ip_id : 0; } * Returns a pointer to the payload of the IP packet, usually an
* upper-layer protocol.
*/
const u_char* Payload() const const u_char* Payload() const
{ {
if ( ip4 ) if ( ip4 )
return ((const u_char*) ip4) + ip4->ip_hl * 4; return ((const u_char*) ip4) + ip4->ip_hl * 4;
else else
return ((const u_char*) ip6) + 40; return ((const u_char*) ip6) + ip6_hdrs->TotalLength();
} }
/**
* Returns the length of the IP packet's payload (length of packet minus
* header length or, for IPv6, also minus length of all extension headers).
*/
uint16 PayloadLen() const uint16 PayloadLen() const
{ {
if ( ip4 ) if ( ip4 )
return ntohs(ip4->ip_len) - ip4->ip_hl * 4; return ntohs(ip4->ip_len) - ip4->ip_hl * 4;
else else
return ntohs(ip6->ip6_plen); return ntohs(ip6->ip6_plen) + 40 - ip6_hdrs->TotalLength();
} }
uint16 TotalLen() const /**
{ * Returns the length of the IP packet (length of headers and payload).
if ( ip4 ) */
return ntohs(ip4->ip_len); uint32 TotalLen() const
else { return ip4 ? ntohs(ip4->ip_len) : ntohs(ip6->ip6_plen) + 40; }
return ntohs(ip6->ip6_plen) + 40;
}
uint16 HdrLen() const { return ip4 ? ip4->ip_hl * 4 : 40; } /**
* Returns length of IP packet header (includes extension headers for IPv6).
*/
uint16 HdrLen() const
{ return ip4 ? ip4->ip_hl * 4 : ip6_hdrs->TotalLength(); }
/**
* For IPv6 header chains, returns the type of the last header in the chain.
*/
uint8 LastHeader() const
{ return ip4 ? IPPROTO_RAW :
((*ip6_hdrs)[ip6_hdrs->Size()-1])->Type(); }
/**
* Returns the protocol type of the IP packet's payload, usually an
* upper-layer protocol. For IPv6, this returns the last (extension)
* header's Next Header value.
*/
unsigned char NextProto() const unsigned char NextProto() const
{ return ip4 ? ip4->ip_p : ip6->ip6_nxt; } { return ip4 ? ip4->ip_p :
((*ip6_hdrs)[ip6_hdrs->Size()-1])->NextHdr(); }
unsigned char TTL() const unsigned char TTL() const
{ return ip4 ? ip4->ip_ttl : ip6->ip6_hlim; } { return ip4 ? ip4->ip_ttl : ip6->ip6_hlim; }
uint16 FragField() const
{ return ntohs(ip4 ? ip4->ip_off : 0); } bool IsFragment() const
{ return ip4 ? (ntohs(ip4->ip_off) & 0x3fff) != 0 :
ip6_hdrs->IsFragment(); }
/**
* Returns the fragment packet's offset in relation to the original
* packet in bytes.
*/
uint16 FragOffset() const
{ return ip4 ? (ntohs(ip4->ip_off) & 0x1fff) * 8 :
ip6_hdrs->FragOffset(); }
/**
* Returns the fragment packet's identification field.
*/
uint32 ID() const
{ return ip4 ? ntohs(ip4->ip_id) : ip6_hdrs->ID(); }
/**
* Returns whether a fragment packet's "More Fragments" field is set.
*/
int MF() const
{ return ip4 ? (ntohs(ip4->ip_off) & 0x2000) != 0 : ip6_hdrs->MF(); }
/**
* Returns whether a fragment packet's "Don't Fragment" field is set.
* Note that IPv6 has no such field.
*/
int DF() const int DF() const
{ return ip4 ? ((ntohs(ip4->ip_off) & IP_DF) != 0) : 0; } { return ip4 ? ((ntohs(ip4->ip_off) & 0x4000) != 0) : 0; }
uint16 IP_ID() const
{ return ip4 ? (ntohs(ip4->ip_id)) : 0; } /**
* Returns number of IP headers in packet (includes IPv6 extension headers).
*/
size_t NumHeaders() const
{ return ip4 ? 1 : ip6_hdrs->Size(); }
/**
* Returns an ip_hdr or ip6_hdr_chain RecordVal.
*/
RecordVal* BuildIPHdrVal() const;
/**
* Returns a pkt_hdr RecordVal, which includes not only the IP header, but
* also upper-layer (tcp/udp/icmp) headers.
*/
RecordVal* BuildPktHdrVal() const;
private: private:
const struct ip* ip4; const struct ip* ip4;
const struct ip6_hdr* ip6; const struct ip6_hdr* ip6;
bool del; bool del;
const IPv6_Hdr_Chain* ip6_hdrs;
}; };
#endif #endif
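Review bot: `IPv6_Hdr_Chain` is built from a bare `const struct ip6_hdr*` with no captured length, so `Init()` follows the `ip6e_len` and next-header values read from the packet with nothing to stop it at the end of the buffer. The new `IP_Hdr` constructors run that walk for every IPv6 packet, and going by their comments PacketSort.cc and PacketFilter.cc in this commit construct or use `IP_Hdr` before the packet sanity checks have run. Consider passing the available length down, e.g. `void Init(const struct ip6_hdr* ip6, int total_len, bool set_next, uint16 next = 0);`, and ending the chain when the next header does not fit. The same unchecked total feeds `PayloadLen()`, where `ntohs(ip6->ip6_plen) + 40 - ip6_hdrs->TotalLength()` wraps in `uint16` if the chain is longer than the declared payload.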


@ -6,6 +6,7 @@
#include "Reporter.h" #include "Reporter.h"
#include "Conn.h" #include "Conn.h"
#include "DPM.h" #include "DPM.h"
#include "bro_inet_ntop.h"
const uint8_t IPAddr::v4_mapped_prefix[12] = { 0, 0, 0, 0, const uint8_t IPAddr::v4_mapped_prefix[12] = { 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0,
@ -159,7 +160,7 @@ string IPAddr::AsString() const
{ {
char s[INET_ADDRSTRLEN]; char s[INET_ADDRSTRLEN];
if ( inet_ntop(AF_INET, &in6.s6_addr[12], s, INET_ADDRSTRLEN) == NULL ) if ( ! bro_inet_ntop(AF_INET, &in6.s6_addr[12], s, INET_ADDRSTRLEN) )
return "<bad IPv4 address conversion"; return "<bad IPv4 address conversion";
else else
return s; return s;
@ -168,7 +169,7 @@ string IPAddr::AsString() const
{ {
char s[INET6_ADDRSTRLEN]; char s[INET6_ADDRSTRLEN];
if ( inet_ntop(AF_INET6, in6.s6_addr, s, INET6_ADDRSTRLEN) == NULL ) if ( ! bro_inet_ntop(AF_INET6, in6.s6_addr, s, INET6_ADDRSTRLEN) )
return "<bad IPv6 address conversion"; return "<bad IPv6 address conversion";
else else
return s; return s;


@ -42,7 +42,6 @@ extern int select(int, fd_set *, fd_set *, fd_set *, struct timeval *);
PList(PktSrc) pkt_srcs; PList(PktSrc) pkt_srcs;
// FIXME: We should really merge PktDumper and PacketDumper. // FIXME: We should really merge PktDumper and PacketDumper.
// It's on my to-do [Robin].
PktDumper* pkt_dumper = 0; PktDumper* pkt_dumper = 0;
int reading_live = 0; int reading_live = 0;


@ -71,9 +71,7 @@ bool PacketFilter::MatchFilter(const Filter& f, const IP_Hdr& ip,
if ( ip.NextProto() == IPPROTO_TCP && f.tcp_flags ) if ( ip.NextProto() == IPPROTO_TCP && f.tcp_flags )
{ {
// Caution! The packet sanity checks have not been performed yet // Caution! The packet sanity checks have not been performed yet
const struct ip* ip4 = ip.IP4_Hdr(); int ip_hdr_len = ip.HdrLen();
int ip_hdr_len = ip4->ip_hl * 4;
len -= ip_hdr_len; // remove IP header len -= ip_hdr_len; // remove IP header
caplen -= ip_hdr_len; caplen -= ip_hdr_len;
@ -82,8 +80,7 @@ bool PacketFilter::MatchFilter(const Filter& f, const IP_Hdr& ip,
// Packet too short, will be dropped anyway. // Packet too short, will be dropped anyway.
return false; return false;
const struct tcphdr* tp = const struct tcphdr* tp = (const struct tcphdr*) ip.Payload();
(const struct tcphdr*) ((u_char*) ip4 + ip_hdr_len);
if ( tp->th_flags & f.tcp_flags ) if ( tp->th_flags & f.tcp_flags )
// At least one of the flags is set, so don't drop // At least one of the flags is set, so don't drop


@ -28,12 +28,15 @@ PacketSortElement::PacketSortElement(PktSrc* arg_src,
const struct ip* ip = (const struct ip*) (pkt + hdr_size); const struct ip* ip = (const struct ip*) (pkt + hdr_size);
if ( ip->ip_v == 4 ) if ( ip->ip_v == 4 )
ip_hdr = new IP_Hdr(ip, false); ip_hdr = new IP_Hdr(ip, false);
else else if ( ip->ip_v == 6 )
ip_hdr = new IP_Hdr((const struct ip6_hdr*) ip, false); ip_hdr = new IP_Hdr((const struct ip6_hdr*) ip, false);
else
// Weird will be generated later in NetSessions::NextPacket.
return;
if ( ip_hdr->NextProto() == IPPROTO_TCP && if ( ip_hdr->NextProto() == IPPROTO_TCP &&
// Note: can't sort fragmented packets // Note: can't sort fragmented packets
(ip_hdr->FragField() & 0x3fff) == 0 ) ( ! ip_hdr->IsFragment() ) )
{ {
tcp_offset = hdr_size + ip_hdr->HdrLen(); tcp_offset = hdr_size + ip_hdr->HdrLen();
if ( caplen >= tcp_offset + sizeof(struct tcphdr) ) if ( caplen >= tcp_offset + sizeof(struct tcphdr) )


@ -186,6 +186,7 @@
#include "LogMgr.h" #include "LogMgr.h"
#include "Reporter.h" #include "Reporter.h"
#include "IPAddr.h" #include "IPAddr.h"
#include "bro_inet_ntop.h"
extern "C" { extern "C" {
#include "setsignal.h" #include "setsignal.h"
@ -464,7 +465,7 @@ static inline const char* ip2a(uint32 ip)
addr.s_addr = htonl(ip); addr.s_addr = htonl(ip);
return inet_ntop(AF_INET, &addr, buffer, 32); return bro_inet_ntop(AF_INET, &addr, buffer, 32);
} }
static pid_t child_pid = 0; static pid_t child_pid = 0;


@ -333,7 +333,8 @@ void NetSessions::NextPacketSecondary(double /* t */, const struct pcap_pkthdr*
StringVal* cmd_val = StringVal* cmd_val =
new StringVal(sp->Event()->Filter()); new StringVal(sp->Event()->Filter());
args->append(cmd_val); args->append(cmd_val);
args->append(BuildHeader(ip)); IP_Hdr ip_hdr(ip, false);
args->append(ip_hdr.BuildPktHdrVal());
// ### Need to queue event here. // ### Need to queue event here.
try try
{ {
@ -401,18 +402,6 @@ int NetSessions::CheckConnectionTag(Connection* conn)
return 1; return 1;
} }
static bool looks_like_IPv4_packet(int len, const struct ip* ip_hdr)
{
if ( (unsigned int) len < sizeof(struct ip) )
return false;
if ( ip_hdr->ip_v == 4 && ntohs(ip_hdr->ip_len) == len )
return true;
else
return false;
}
void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr, void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
const IP_Hdr* ip_hdr, const u_char* const pkt, const IP_Hdr* ip_hdr, const u_char* const pkt,
int hdr_size) int hdr_size)
@ -442,18 +431,9 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
if ( discarder && discarder->NextPacket(ip_hdr, len, caplen) ) if ( discarder && discarder->NextPacket(ip_hdr, len, caplen) )
return; return;
int proto = ip_hdr->NextProto();
if ( proto != IPPROTO_TCP && proto != IPPROTO_UDP &&
proto != IPPROTO_ICMP && proto != IPPROTO_ICMPV6)
{
dump_this_packet = 1;
return;
}
FragReassembler* f = 0; FragReassembler* f = 0;
uint32 frag_field = ip_hdr->FragField();
if ( (frag_field & 0x3fff) != 0 ) if ( ip_hdr->IsFragment() )
{ {
dump_this_packet = 1; // always record fragments dump_this_packet = 1; // always record fragments
@ -464,12 +444,12 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
// Don't try to reassemble, that's doomed. // Don't try to reassemble, that's doomed.
// Discard all except the first fragment (which // Discard all except the first fragment (which
// is useful in analyzing header-only traces) // is useful in analyzing header-only traces)
if ( (frag_field & 0x1fff) != 0 ) if ( ip_hdr->FragOffset() != 0 )
return; return;
} }
else else
{ {
f = NextFragment(t, ip_hdr, pkt + hdr_size, frag_field); f = NextFragment(t, ip_hdr, pkt + hdr_size);
const IP_Hdr* ih = f->ReassembledPkt(); const IP_Hdr* ih = f->ReassembledPkt();
if ( ! ih ) if ( ! ih )
// It didn't reassemble into anything yet. // It didn't reassemble into anything yet.
@ -486,21 +466,27 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
len -= ip_hdr_len; // remove IP header len -= ip_hdr_len; // remove IP header
caplen -= ip_hdr_len; caplen -= ip_hdr_len;
uint32 min_hdr_len = (proto == IPPROTO_TCP) ? sizeof(struct tcphdr) : // We stop building the chain when seeing IPPROTO_ESP so if it's
(proto == IPPROTO_UDP ? sizeof(struct udphdr) : ICMP_MINLEN); // there, it's always the last.
if ( ip_hdr->LastHeader() == IPPROTO_ESP )
if ( len < min_hdr_len )
{ {
Weird("truncated_header", hdr, pkt); dump_this_packet = 1;
if ( f ) if ( esp_packet )
Remove(f); // ### {
val_list* vl = new val_list();
vl->append(ip_hdr->BuildPktHdrVal());
mgr.QueueEvent(esp_packet, vl);
}
Remove(f);
// Can't do more since upper-layer payloads are going to be encrypted.
return; return;
} }
if ( caplen < min_hdr_len )
int proto = ip_hdr->NextProto();
if ( CheckHeaderTrunc(proto, len, caplen, hdr, pkt) )
{ {
Weird("internally_truncated_header", hdr, pkt); Remove(f);
if ( f )
Remove(f); // ###
return; return;
} }
@ -565,7 +551,8 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
} }
default: default:
Weird(fmt("unknown_protocol %d", proto), hdr, pkt); Weird(fmt("unknown_protocol_%d", proto), hdr, pkt);
Remove(f);
return; return;
} }
@ -591,6 +578,7 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
if ( consistent < 0 ) if ( consistent < 0 )
{ {
delete h; delete h;
Remove(f);
return; return;
} }
@ -609,10 +597,11 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
} }
if ( ! conn ) if ( ! conn )
{
delete h; delete h;
Remove(f);
if ( ! conn )
return; return;
}
int record_packet = 1; // whether to record the packet at all int record_packet = 1; // whether to record the packet at all
int record_content = 1; // whether to record its data int record_content = 1; // whether to record its data
@ -620,8 +609,17 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
int is_orig = (id.src_addr == conn->OrigAddr()) && int is_orig = (id.src_addr == conn->OrigAddr()) &&
(id.src_port == conn->OrigPort()); (id.src_port == conn->OrigPort());
if ( new_packet && ip4 ) Val* pkt_hdr_val = 0;
conn->Event(new_packet, 0, BuildHeader(ip4));
if ( ipv6_ext_headers && ip_hdr->NumHeaders() > 1 )
{
pkt_hdr_val = ip_hdr->BuildPktHdrVal();
conn->Event(ipv6_ext_headers, 0, pkt_hdr_val);
}
if ( new_packet )
conn->Event(new_packet, 0,
pkt_hdr_val ? pkt_hdr_val->Ref() : ip_hdr->BuildPktHdrVal());
conn->NextPacket(t, is_orig, ip_hdr, len, caplen, data, conn->NextPacket(t, is_orig, ip_hdr, len, caplen, data,
record_packet, record_content, record_packet, record_content,
@ -631,7 +629,7 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
{ {
// Above we already recorded the fragment in its entirety. // Above we already recorded the fragment in its entirety.
f->DeleteTimer(); f->DeleteTimer();
Remove(f); // ### Remove(f);
} }
else if ( record_packet ) else if ( record_packet )
@ -647,115 +645,43 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
} }
} }
Val* NetSessions::BuildHeader(const struct ip* ip) bool NetSessions::CheckHeaderTrunc(int proto, uint32 len, uint32 caplen,
const struct pcap_pkthdr* h, const u_char* p)
{ {
static RecordType* pkt_hdr_type = 0; uint32 min_hdr_len = 0;
static RecordType* ip_hdr_type = 0;
static RecordType* tcp_hdr_type = 0;
static RecordType* udp_hdr_type = 0;
static RecordType* icmp_hdr_type;
if ( ! pkt_hdr_type )
{
pkt_hdr_type = internal_type("pkt_hdr")->AsRecordType();
ip_hdr_type = internal_type("ip_hdr")->AsRecordType();
tcp_hdr_type = internal_type("tcp_hdr")->AsRecordType();
udp_hdr_type = internal_type("udp_hdr")->AsRecordType();
icmp_hdr_type = internal_type("icmp_hdr")->AsRecordType();
}
RecordVal* pkt_hdr = new RecordVal(pkt_hdr_type);
RecordVal* ip_hdr = new RecordVal(ip_hdr_type);
int ip_hdr_len = ip->ip_hl * 4;
int ip_pkt_len = ntohs(ip->ip_len);
ip_hdr->Assign(0, new Val(ip->ip_hl * 4, TYPE_COUNT));
ip_hdr->Assign(1, new Val(ip->ip_tos, TYPE_COUNT));
ip_hdr->Assign(2, new Val(ip_pkt_len, TYPE_COUNT));
ip_hdr->Assign(3, new Val(ntohs(ip->ip_id), TYPE_COUNT));
ip_hdr->Assign(4, new Val(ip->ip_ttl, TYPE_COUNT));
ip_hdr->Assign(5, new Val(ip->ip_p, TYPE_COUNT));
ip_hdr->Assign(6, new AddrVal(ip->ip_src.s_addr));
ip_hdr->Assign(7, new AddrVal(ip->ip_dst.s_addr));
pkt_hdr->Assign(0, ip_hdr);
// L4 header.
const u_char* data = ((const u_char*) ip) + ip_hdr_len;
int proto = ip->ip_p;
switch ( proto ) { switch ( proto ) {
case IPPROTO_TCP: case IPPROTO_TCP:
{ min_hdr_len = sizeof(struct tcphdr);
const struct tcphdr* tp = (const struct tcphdr*) data;
RecordVal* tcp_hdr = new RecordVal(tcp_hdr_type);
int tcp_hdr_len = tp->th_off * 4;
int data_len = ip_pkt_len - ip_hdr_len - tcp_hdr_len;
tcp_hdr->Assign(0, new PortVal(ntohs(tp->th_sport), TRANSPORT_TCP));
tcp_hdr->Assign(1, new PortVal(ntohs(tp->th_dport), TRANSPORT_TCP));
tcp_hdr->Assign(2, new Val(uint32(ntohl(tp->th_seq)), TYPE_COUNT));
tcp_hdr->Assign(3, new Val(uint32(ntohl(tp->th_ack)), TYPE_COUNT));
tcp_hdr->Assign(4, new Val(tcp_hdr_len, TYPE_COUNT));
tcp_hdr->Assign(5, new Val(data_len, TYPE_COUNT));
tcp_hdr->Assign(6, new Val(tp->th_flags, TYPE_COUNT));
tcp_hdr->Assign(7, new Val(ntohs(tp->th_win), TYPE_COUNT));
pkt_hdr->Assign(1, tcp_hdr);
break; break;
}
case IPPROTO_UDP: case IPPROTO_UDP:
{ min_hdr_len = sizeof(struct udphdr);
const struct udphdr* up = (const struct udphdr*) data;
RecordVal* udp_hdr = new RecordVal(udp_hdr_type);
udp_hdr->Assign(0, new PortVal(ntohs(up->uh_sport), TRANSPORT_UDP));
udp_hdr->Assign(1, new PortVal(ntohs(up->uh_dport), TRANSPORT_UDP));
udp_hdr->Assign(2, new Val(ntohs(up->uh_ulen), TYPE_COUNT));
pkt_hdr->Assign(2, udp_hdr);
break; break;
}
case IPPROTO_ICMP: case IPPROTO_ICMP:
{
const struct icmp* icmpp = (const struct icmp *) data;
RecordVal* icmp_hdr = new RecordVal(icmp_hdr_type);
icmp_hdr->Assign(0, new Val(icmpp->icmp_type, TYPE_COUNT));
pkt_hdr->Assign(3, icmp_hdr);
break;
}
case IPPROTO_ICMPV6: case IPPROTO_ICMPV6:
{
const struct icmp* icmpp = (const struct icmp *) data;
RecordVal* icmp_hdr = new RecordVal(icmp_hdr_type);
icmp_hdr->Assign(0, new Val(icmpp->icmp_type, TYPE_COUNT));
pkt_hdr->Assign(3, icmp_hdr);
break;
}
default: default:
{ // Use for all other packets.
// This is not a protocol we understand. min_hdr_len = ICMP_MINLEN;
}
} }
return pkt_hdr; if ( len < min_hdr_len )
{
Weird("truncated_header", h, p);
return true;
}
if ( caplen < min_hdr_len )
{
Weird("internally_truncated_header", h, p);
return true;
}
return false;
} }
FragReassembler* NetSessions::NextFragment(double t, const IP_Hdr* ip, FragReassembler* NetSessions::NextFragment(double t, const IP_Hdr* ip,
const u_char* pkt, uint32 frag_field) const u_char* pkt)
{ {
uint32 frag_id = ntohs(ip->ID4()); // we actually could skip conv. uint32 frag_id = ip->ID();
ListVal* key = new ListVal(TYPE_ANY); ListVal* key = new ListVal(TYPE_ANY);
key->Append(new AddrVal(ip->SrcAddr())); key->Append(new AddrVal(ip->SrcAddr()));
@ -769,7 +695,7 @@ FragReassembler* NetSessions::NextFragment(double t, const IP_Hdr* ip,
FragReassembler* f = fragments.Lookup(h); FragReassembler* f = fragments.Lookup(h);
if ( ! f ) if ( ! f )
{ {
f = new FragReassembler(this, ip, pkt, frag_field, h, t); f = new FragReassembler(this, ip, pkt, h, t);
fragments.Insert(h, f); fragments.Insert(h, f);
Unref(key); Unref(key);
return f; return f;
@ -778,7 +704,7 @@ FragReassembler* NetSessions::NextFragment(double t, const IP_Hdr* ip,
delete h; delete h;
Unref(key); Unref(key);
f->AddFragment(t, ip, pkt, frag_field); f->AddFragment(t, ip, pkt);
return f; return f;
} }
@ -937,6 +863,7 @@ void NetSessions::Remove(Connection* c)
void NetSessions::Remove(FragReassembler* f) void NetSessions::Remove(FragReassembler* f)
{ {
if ( ! f ) return;
HashKey* k = f->Key(); HashKey* k = f->Key();
if ( ! k ) if ( ! k )
reporter->InternalError("fragment block not in dictionary"); reporter->InternalError("fragment block not in dictionary");


@ -79,7 +79,7 @@ public:
// Returns a reassembled packet, or nil if there are still // Returns a reassembled packet, or nil if there are still
// some missing fragments. // some missing fragments.
FragReassembler* NextFragment(double t, const IP_Hdr* ip, FragReassembler* NextFragment(double t, const IP_Hdr* ip,
const u_char* pkt, uint32 frag_field); const u_char* pkt);
int Get_OS_From_SYN(struct os_type* retval, int Get_OS_From_SYN(struct os_type* retval,
uint16 tot, uint8 DF_flag, uint8 TTL, uint16 WSS, uint16 tot, uint8 DF_flag, uint8 TTL, uint16 WSS,
@ -190,10 +190,11 @@ protected:
void Internal(const char* msg, const struct pcap_pkthdr* hdr, void Internal(const char* msg, const struct pcap_pkthdr* hdr,
const u_char* pkt); const u_char* pkt);
// Builds a record encapsulating a packet. This should be more // For a given protocol, checks whether the header's length as derived
// general, including the equivalent of a union of tcp/udp/icmp // from lower-level headers or the length actually captured is less
// headers . // than that protocol's minimum header size.
Val* BuildHeader(const struct ip* ip); bool CheckHeaderTrunc(int proto, uint32 len, uint32 caplen,
const struct pcap_pkthdr* hdr, const u_char* pkt);
CompositeHash* ch; CompositeHash* ch;
PDict(Connection) tcp_conns; PDict(Connection) tcp_conns;


@ -1203,7 +1203,7 @@ RecordVal* TCP_Analyzer::BuildOSVal(int is_orig, const IP_Hdr* ip,
if ( ip->HdrLen() > 20 ) if ( ip->HdrLen() > 20 )
quirks |= QUIRK_IPOPT; quirks |= QUIRK_IPOPT;
if ( ip->IP_ID() == 0 ) if ( ip->ID() == 0 )
quirks |= QUIRK_ZEROID; quirks |= QUIRK_ZEROID;
if ( tcp->th_seq == 0 ) if ( tcp->th_seq == 0 )
@ -1942,11 +1942,11 @@ int TCPStats_Endpoint::DataSent(double /* t */, int seq, int len, int caplen,
{ {
if ( ++num_pkts == 1 ) if ( ++num_pkts == 1 )
{ // First packet. { // First packet.
last_id = ntohs(ip->ID4()); last_id = ip->ID();
return 0; return 0;
} }
int id = ntohs(ip->ID4()); int id = ip->ID();
if ( id == last_id ) if ( id == last_id )
{ {


@ -2049,6 +2049,39 @@ function is_v6_addr%(a: addr%): bool
# #
# =========================================================================== # ===========================================================================
## Converts the *data* field of :bro:type:`ip6_routing` records that have
## *rtype* of 0 into a set of addresses.
##
## s: The *data* field of an :bro:type:`ip6_routing` record that has
## an *rtype* of 0.
##
## Returns: The set of addresses contained in the routing header data.
function routing0_data_to_addrs%(s: string%): addr_set
%{
BroType* index_type = base_type(TYPE_ADDR);
TypeList* set_index = new TypeList(index_type);
set_index->Append(index_type);
TableVal* tv = new TableVal(new SetType(set_index, 0));
int len = s->Len();
const u_char* bytes = s->Bytes();
bytes += 4; // go past 32-bit reserved field
len -= 4;
if ( ( len % 16 ) != 0 )
reporter->Warning("Bad ip6_routing data length: %d", s->Len());
while ( len > 0 )
{
IPAddr a(IPAddr::IPv6, (const uint32*) bytes, IPAddr::Network);
tv->Assign(new AddrVal(a), 0);
bytes += 16;
len -= 16;
}
return tv;
%}
## Converts a :bro:type:`addr` to a :bro:type:`index_vec`. ## Converts a :bro:type:`addr` to a :bro:type:`index_vec`.
## ##
## a: The address to convert into a vector of counts. ## a: The address to convert into a vector of counts.
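Review bot: The `while ( len > 0 )` loop in routing0_data_to_addrs builds an address from 16 bytes on every iteration even when fewer than 16 remain, so a *data* string whose length minus the 4-byte reserved field is not a multiple of 16 gets a warning and is then read past its end. The routing header contents originate in captured packets, so the length cannot be trusted; the bound should be `while ( len >= 16 )`, or the function should return the empty set right after the warning. A string shorter than 4 bytes already skips the loop because `len` goes negative, but that case only works by accident and deserves an explicit early return as well.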

189
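--- a/src/bro_inet_ntop.c
+++ b/src/bro_inet_ntop.c
@@ -0,0 +1,189 @@
+/* Taken/adapted from FreeBSD 9.0.0 inet_ntop.c (CVS revision 1.3.16.1.2.1) */
+/*
+* Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+* Copyright (c) 1996-1999 by Internet Software Consortium.
+*
+* Permission to use, copy, modify, and distribute this software for any
+* purpose with or without fee is hereby granted, provided that the above
+* copyright notice and this permission notice appear in all copies.
+*
+* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+* OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+*/
+#include "bro_inet_ntop.h"
+#include <sys/param.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <arpa/nameser.h>
+#include <errno.h>
+#include <stdio.h>
+#include <string.h>
+/*%
+* WARNING: Don't even consider trying to compile this on a system where
+* sizeof(int) < 4. sizeof(int) > 4 is fine; all the world's not a VAX.
+*/
+static const char *bro_inet_ntop4(const u_char *src, char *dst, socklen_t size);
+static const char *bro_inet_ntop6(const u_char *src, char *dst, socklen_t size);
+/* char *
+* bro_inet_ntop(af, src, dst, size)
+* convert a network format address to presentation format.
+* return:
+* pointer to presentation format address (`dst'), or NULL (see errno).
+* author:
+* Paul Vixie, 1996.
+*/
+const char *
+bro_inet_ntop(int af, const void * __restrict src, char * __restrict dst,
+socklen_t size)
+{
+switch (af) {
+case AF_INET:
+return (bro_inet_ntop4(src, dst, size));
+case AF_INET6:
+return (bro_inet_ntop6(src, dst, size));
+default:
+errno = EAFNOSUPPORT;
+return (NULL);
+}
+/* NOTREACHED */
+}
+/* const char *
+* bro_inet_ntop4(src, dst, size)
+* format an IPv4 address
+* return:
+* `dst' (as a const)
+* notes:
+* (1) uses no statics
+* (2) takes a u_char* not an in_addr as input
+* author:
+* Paul Vixie, 1996. Modified by Jon Siwek, 2012, to replace strlcpy
+*/
+static const char *
+bro_inet_ntop4(const u_char *src, char *dst, socklen_t size)
+{
+static const char fmt[] = "%u.%u.%u.%u";
+char tmp[sizeof "255.255.255.255"];
+int l;
+l = snprintf(tmp, sizeof(tmp), fmt, src[0], src[1], src[2], src[3]);
+if (l <= 0 || (socklen_t) l >= size) {
+errno = ENOSPC;
+return (NULL);
+}
+strncpy(dst, tmp, size - 1);
+dst[size - 1] = 0;
+return (dst);
+}
+/* const char *
+* bro_inet_ntop6(src, dst, size)
+* convert IPv6 binary address into presentation (printable) format
+* author:
+* Paul Vixie, 1996. Modified by Jon Siwek, 2012, for IPv4-translated format
+*/
+static const char *
+bro_inet_ntop6(const u_char *src, char *dst, socklen_t size)
+{
+/*
+* Note that int32_t and int16_t need only be "at least" large enough
+* to contain a value of the specified size. On some systems, like
+* Crays, there is no such thing as an integer variable with 16 bits.
+* Keep this in mind if you think this function should have been coded
+* to use pointer overlays. All the world's not a VAX.
+*/
+char tmp[sizeof "ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255"], *tp;
+struct { int base, len; } best, cur;
+u_int words[NS_IN6ADDRSZ / NS_INT16SZ];
+int i;
+/*
+* Preprocess:
+* Copy the input (bytewise) array into a wordwise array.
+* Find the longest run of 0x00's in src[] for :: shorthanding.
+*/
+memset(words, '\0', sizeof words);
+for (i = 0; i < NS_IN6ADDRSZ; i++)
+words[i / 2] |= (src[i] << ((1 - (i % 2)) << 3));
+best.base = -1;
+best.len = 0;
+cur.base = -1;
+cur.len = 0;
+for (i = 0; i < (NS_IN6ADDRSZ / NS_INT16SZ); i++) {
+if (words[i] == 0) {
+if (cur.base == -1)
+cur.base = i, cur.len = 1;
+else
+cur.len++;
+} else {
+if (cur.base != -1) {
+if (best.base == -1 || cur.len > best.len)
+best = cur;
+cur.base = -1;
+}
+}
+}
+if (cur.base != -1) {
+if (best.base == -1 || cur.len > best.len)
+best = cur;
+}
+if (best.base != -1 && best.len < 2)
+best.base = -1;
+/*
+* Format the result.
+*/
+tp = tmp;
+for (i = 0; i < (NS_IN6ADDRSZ / NS_INT16SZ); i++) {
+/* Are we inside the best run of 0x00's? */
+if (best.base != -1 && i >= best.base &&
+i < (best.base + best.len)) {
+if (i == best.base)
+*tp++ = ':';
+continue;
+}
+/* Are we following an initial run of 0x00s or any real hex? */
+if (i != 0)
+*tp++ = ':';
+/* Is this address an encapsulated IPv4? */
+if (i == 6 && best.base == 0 && (best.len == 6 ||
+(best.len == 7 && words[7] != 0x0001) ||
+(best.len == 5 && words[5] == 0xffff) ||
+(best.len == 4 && words[4] == 0xffff && words[5] == 0))) {
+if (!bro_inet_ntop4(src+12, tp, sizeof tmp - (tp - tmp)))
+return (NULL);
+tp += strlen(tp);
+break;
+}
+tp += sprintf(tp, "%x", words[i]);
+}
+/* Was it a trailing run of 0x00's? */
+if (best.base != -1 && (best.base + best.len) ==
+(NS_IN6ADDRSZ / NS_INT16SZ))
+*tp++ = ':';
+*tp++ = '\0';
+/*
+* Check for overflow, copy, and we're done.
+*/
+if ((socklen_t)(tp - tmp) > size) {
+errno = ENOSPC;
+return (NULL);
+}
+strcpy(dst, tmp);
+return (dst);
+}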

18
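--- a/src/bro_inet_ntop.h
+++ b/src/bro_inet_ntop.h
@@ -0,0 +1,18 @@
+#ifndef BRO_INET_NTOP_H
+#define BRO_INET_NTOP_H
+#ifdef __cplusplus
+extern "C" {
+#endif
+#include <sys/socket.h>
+const char *
+bro_inet_ntop(int af, const void * __restrict src, char * __restrict dst,
+socklen_t size);
+#ifdef __cplusplus
+}
+#endif
+#endif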


@ -454,11 +454,30 @@ event expected_connection_seen%(c: connection, a: count%);
## ##
## c: The connection the packet is part of. ## c: The connection the packet is part of.
## ##
## p: Informattion from the header of the packet that triggered the event. ## p: Information from the header of the packet that triggered the event.
## ##
## .. bro:see:: tcp_packet packet_contents ## .. bro:see:: tcp_packet packet_contents
event new_packet%(c: connection, p: pkt_hdr%); event new_packet%(c: connection, p: pkt_hdr%);
## Generated for every IPv6 packet that contains extension headers.
## This is potentially an expensive event to handle if analysiing IPv6 traffic
## that happens to utilize extension headers frequently.
##
## c: The connection the packet is part of.
##
## p: Information from the header of the packet that triggered the event.
##
## .. bro:see:: new_packet tcp_packet packet_contents esp_packet
event ipv6_ext_headers%(c: connection, p: pkt_hdr%);
## Generated for any packets using the IPv6 Encapsulating Security Payload (ESP)
## extension header.
##
## p: Information from the header of the packet that triggered the event.
##
## .. bro:see:: new_packet tcp_packet ipv6_ext_headers
event esp_packet%(p: pkt_hdr%);
## Generated for every packet that has non-empty transport-layer payload. This is a ## Generated for every packet that has non-empty transport-layer payload. This is a
## very low-level and expensive event that should be avoided when at all possible. ## very low-level and expensive event that should be avoided when at all possible.
## It's usually infeasible to handle when processing even medium volumes of ## It's usually infeasible to handle when processing even medium volumes of
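Review bot: The doc comment added for `esp_packet` does not say why this event, unlike `new_packet` and `ipv6_ext_headers`, has no `c: connection` parameter. A line such as `## No connection is provided because the upper-layer payload is encrypted.` would keep handler authors from looking for it. The comment added for `ipv6_ext_headers` also contains the typo `analysiing`. The CHANGES entry for this work names the event 'ipv6_ext_header', while the declaration here is `ipv6_ext_headers`; one of the two should be corrected.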


@ -837,7 +837,7 @@ int main(int argc, char** argv)
if ( dns_type != DNS_PRIME ) if ( dns_type != DNS_PRIME )
net_init(interfaces, read_files, netflows, flow_files, net_init(interfaces, read_files, netflows, flow_files,
writefile, "tcp or udp or icmp", writefile, "",
secondary_path->Filter(), do_watchdog); secondary_path->Filter(), do_watchdog);
BroFile::SetDefaultRotation(log_rotate_interval, log_max_size); BroFile::SetDefaultRotation(log_rotate_interval, log_max_size);
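Review bot: The empty filter string now passed to `net_init` carries no explanation, so a later reader may take it for an oversight and restore the old expression. A comment above the call, e.g. `// No default filter: "tcp or udp or icmp" does not follow IPv6 extension header chains.`, would record the reason given in CHANGES. With no filter installed on this path, non-TCP/UDP/ICMP traffic presumably reaches packet processing as well, so it is worth confirming that the `unknown_protocol` handling covers it. The body of main starts and ends outside the hunk.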


@ -1,3 +1,4 @@
.tmp .tmp
.btest.failed.dat
diag.log diag.log
coverage.log coverage.log


@ -0,0 +1,8 @@
[orig_h=141.142.220.118, orig_p=48649/tcp, resp_h=208.80.152.118, resp_p=80/tcp]
[orig_h=141.142.220.118, orig_p=49996/tcp, resp_h=208.80.152.3, resp_p=80/tcp]
[orig_h=141.142.220.118, orig_p=49997/tcp, resp_h=208.80.152.3, resp_p=80/tcp]
[orig_h=141.142.220.118, orig_p=49998/tcp, resp_h=208.80.152.3, resp_p=80/tcp]
[orig_h=141.142.220.118, orig_p=49999/tcp, resp_h=208.80.152.3, resp_p=80/tcp]
[orig_h=141.142.220.118, orig_p=50000/tcp, resp_h=208.80.152.3, resp_p=80/tcp]
[orig_h=141.142.220.118, orig_p=50001/tcp, resp_h=208.80.152.3, resp_p=80/tcp]
[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp]


@ -0,0 +1,4 @@
{
2001:78:1:32::1,
2001:78:1:32::2
}


@ -0,0 +1,24 @@
################ IP Discarder ################
[orig_h=141.142.220.118, orig_p=35634/tcp, resp_h=208.80.152.2, resp_p=80/tcp]
[orig_h=141.142.220.118, orig_p=35634/tcp, resp_h=208.80.152.2, resp_p=80/tcp]
[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp]
[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp]
[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp]
[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp]
################ TCP Discarder ################
[orig_h=141.142.220.118, orig_p=48649/tcp, resp_h=208.80.152.118, resp_p=80/tcp]
[orig_h=141.142.220.118, orig_p=49996/tcp, resp_h=208.80.152.3, resp_p=80/tcp]
[orig_h=141.142.220.118, orig_p=49997/tcp, resp_h=208.80.152.3, resp_p=80/tcp]
[orig_h=141.142.220.118, orig_p=49998/tcp, resp_h=208.80.152.3, resp_p=80/tcp]
[orig_h=141.142.220.118, orig_p=49999/tcp, resp_h=208.80.152.3, resp_p=80/tcp]
[orig_h=141.142.220.118, orig_p=50000/tcp, resp_h=208.80.152.3, resp_p=80/tcp]
[orig_h=141.142.220.118, orig_p=50001/tcp, resp_h=208.80.152.3, resp_p=80/tcp]
[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp]
################ UDP Discarder ################
[orig_h=fe80::217:f2ff:fed7:cf65, orig_p=5353/udp, resp_h=ff02::fb, resp_p=5353/udp]
[orig_h=fe80::3074:17d5:2052:c324, orig_p=65373/udp, resp_h=ff02::1:3, resp_p=5355/udp]
[orig_h=fe80::3074:17d5:2052:c324, orig_p=65373/udp, resp_h=ff02::1:3, resp_p=5355/udp]
[orig_h=fe80::3074:17d5:2052:c324, orig_p=54213/udp, resp_h=ff02::1:3, resp_p=5355/udp]
[orig_h=fe80::3074:17d5:2052:c324, orig_p=54213/udp, resp_h=ff02::1:3, resp_p=5355/udp]
################ ICMP Discarder ################
Discard icmp packet: [icmp_type=3]


@ -0,0 +1,9 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path dns
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id query qclass qclass_name qtype qtype_name rcode rcode_name QR AA TC RD RA Z answers TTLs
#types time string addr port addr port enum count string count string count string count string bool bool bool bool bool count vector[string] vector[interval]
1331084278.438444 UWkUyAuUGXf 2001:470:1f11:81f:d138:5f55:6d4:1fe2 51850 2607:f740:b::f93 53 udp 3903 txtpadding_323.n1.netalyzr.icsi.berkeley.edu 1 C_INTERNET 16 TXT 0 NOERROR F T F T F 0 This TXT record should be ignored 1.000000
1331084293.592245 arKYeMETxOg 2001:470:1f11:81f:d138:5f55:6d4:1fe2 51851 2607:f740:b::f93 53 udp 40849 txtpadding_3230.n1.netalyzr.icsi.berkeley.edu 1 C_INTERNET 16 TXT 0 NOERROR F T F T F 0 This TXT record should be ignored 1.000000


@ -0,0 +1,5 @@
ip6=[class=0, flow=0, len=81, nxt=17, hlim=64, src=2001:470:1f11:81f:d138:5f55:6d4:1fe2, dst=2607:f740:b::f93, exts=[]], udp = [sport=51850/udp, dport=53/udp, ulen=81]
ip6=[class=0, flow=0, len=331, nxt=17, hlim=53, src=2607:f740:b::f93, dst=2001:470:1f11:81f:d138:5f55:6d4:1fe2, exts=[]], udp = [sport=53/udp, dport=51850/udp, ulen=331]
ip6=[class=0, flow=0, len=82, nxt=17, hlim=64, src=2001:470:1f11:81f:d138:5f55:6d4:1fe2, dst=2607:f740:b::f93, exts=[]], udp = [sport=51851/udp, dport=53/udp, ulen=82]
ip6=[class=0, flow=0, len=82, nxt=17, hlim=64, src=2001:470:1f11:81f:d138:5f55:6d4:1fe2, dst=2607:f740:b::f93, exts=[]], udp = [sport=51851/udp, dport=53/udp, ulen=82]
ip6=[class=0, flow=0, len=3238, nxt=17, hlim=53, src=2607:f740:b::f93, dst=2001:470:1f11:81f:d138:5f55:6d4:1fe2, exts=[]], udp = [sport=53/udp, dport=51851/udp, ulen=3238]


@ -0,0 +1,120 @@
[ip=<uninitialized>, ip6=[class=0, flow=0, len=116, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::2, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=10, seq=1]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=116, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::2, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=10, seq=2]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=116, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::2, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=10, seq=3]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=116, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::2, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=10, seq=4]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=116, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::2, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=10, seq=5]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=116, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::2, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=10, seq=6]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=116, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::2, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=10, seq=7]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=116, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::2, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=10, seq=8]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=116, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::2, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=10, seq=9]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=116, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::2, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=10, seq=10]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::3, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=11, seq=1]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::3, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=11, seq=2]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::3, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=11, seq=3]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::3, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=11, seq=4]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::3, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=11, seq=5]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::3, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=11, seq=6]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::3, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=11, seq=7]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::3, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=11, seq=8]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::3, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=11, seq=9]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::3, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=11, seq=10]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::4, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=12, seq=1]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::4, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=12, seq=2]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::4, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=12, seq=3]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::4, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=12, seq=4]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::4, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=12, seq=5]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::4, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=12, seq=6]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::4, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=12, seq=7]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::4, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=12, seq=8]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::4, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=12, seq=9]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::4, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=12, seq=10]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::5, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=13, seq=1]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::5, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=13, seq=2]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::5, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=13, seq=3]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::5, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=13, seq=4]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::5, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=13, seq=5]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::5, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=13, seq=6]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::5, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=13, seq=7]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::5, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=13, seq=8]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::5, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=13, seq=9]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::5, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=13, seq=10]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=116, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::12, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=10, seq=1]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=116, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::12, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=10, seq=2]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=116, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::12, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=10, seq=3]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=116, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::12, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=10, seq=4]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=116, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::12, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=10, seq=5]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=116, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::12, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=10, seq=6]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=116, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::12, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=10, seq=7]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=116, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::12, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=10, seq=8]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=116, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::12, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=10, seq=9]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=116, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::12, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=10, seq=10]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::13, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=11, seq=1]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::13, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=11, seq=2]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::13, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=11, seq=3]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::13, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=11, seq=4]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::13, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=11, seq=5]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::13, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=11, seq=6]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::13, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=11, seq=7]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::13, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=11, seq=8]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::13, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=11, seq=9]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::13, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=11, seq=10]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::14, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=12, seq=1]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::14, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=12, seq=2]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::14, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=12, seq=3]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::14, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=12, seq=4]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::14, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=12, seq=5]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::14, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=12, seq=6]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::14, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=12, seq=7]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::14, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=12, seq=8]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::14, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=12, seq=9]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=100, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::14, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=12, seq=10]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::15, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=13, seq=1]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::15, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=13, seq=2]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::15, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=13, seq=3]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::15, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=13, seq=4]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::15, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=13, seq=5]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::15, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=13, seq=6]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::15, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=13, seq=7]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::15, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=13, seq=8]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::15, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=13, seq=9]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::15, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=13, seq=10]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=104, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::22, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=20, seq=1]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=104, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::22, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=20, seq=2]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=104, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::22, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=20, seq=3]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=104, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::22, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=20, seq=4]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=104, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::22, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=20, seq=5]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=104, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::22, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=20, seq=6]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=104, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::22, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=20, seq=7]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=104, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::22, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=20, seq=8]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=104, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::22, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=20, seq=9]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=104, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::22, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=20, seq=10]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::23, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=21, seq=1]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::23, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=21, seq=2]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::23, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=21, seq=3]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::23, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=21, seq=4]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::23, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=21, seq=5]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::23, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=21, seq=6]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::23, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=21, seq=7]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::23, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=21, seq=8]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::23, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=21, seq=9]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::23, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=21, seq=10]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::24, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=22, seq=1]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::24, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=22, seq=2]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::24, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=22, seq=3]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::24, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=22, seq=4]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::24, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=22, seq=5]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::24, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=22, seq=6]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::24, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=22, seq=7]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::24, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=22, seq=8]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::24, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=22, seq=9]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=88, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::24, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=22, seq=10]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=76, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::25, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=23, seq=1]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=76, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::25, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=23, seq=2]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=76, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::25, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=23, seq=3]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=76, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::25, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=23, seq=4]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=76, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::25, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=23, seq=5]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=76, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::25, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=23, seq=6]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=76, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::25, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=23, seq=7]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=76, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::25, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=23, seq=8]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=76, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::25, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=23, seq=9]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=76, nxt=50, hlim=64, src=3ffe::1, dst=3ffe::25, exts=[[id=50, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=[spi=23, seq=10]]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]


@ -0,0 +1 @@
[ip=<uninitialized>, ip6=[class=0, flow=0, len=59, nxt=0, hlim=64, src=2001:4f8:4:7:2e0:81ff:fe52:ffff, dst=2001:4f8:4:7:2e0:81ff:fe52:9a6b, exts=[[id=0, hopopts=[nxt=43, len=0, options=[[otype=1, len=4, data=\0\0\0\0]]], dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=<uninitialized>], [id=43, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=[nxt=17, len=4, rtype=0, segleft=2, data=\0\0\0\0 ^A\0x\0^A\02\0\0\0\0\0\0\0^A ^A\0x\0^A\02\0\0\0\0\0\0\0^B], fragment=<uninitialized>, ah=<uninitialized>, esp=<uninitialized>]]], tcp=<uninitialized>, udp=[sport=53/udp, dport=53/udp, ulen=11], icmp=<uninitialized>]


@ -15,8 +15,10 @@ aaaa::ffff
192.168.1.100 192.168.1.100
ffff::c0a8:164 ffff::c0a8:164
::192.168.1.100 ::192.168.1.100
::ffff:0:192.168.1.100
805b:2d9d:dc28::fc57:d4c8:1fff 805b:2d9d:dc28::fc57:d4c8:1fff
aaaa::bbbb aaaa::bbbb
aaaa:bbbb:cccc:dddd:eeee:ffff:1111:2222 aaaa:bbbb:cccc:dddd:eeee:ffff:1111:2222
aaaa:bbbb:cccc:dddd:eeee:ffff:1:2222 aaaa:bbbb:cccc:dddd:eeee:ffff:1:2222
aaaa:bbbb:cccc:dddd:eeee:ffff:0:2222 aaaa:bbbb:cccc:dddd:eeee:ffff:0:2222
aaaa:bbbb:cccc:dddd:eeee::2222


@ -6,13 +6,13 @@ all: cleanup btest-verbose coverage
# Showing all tests. # Showing all tests.
btest-verbose: btest-verbose:
@$(BTEST) -f $(DIAG) @$(BTEST) -j 5 -f $(DIAG)
brief: cleanup btest-brief coverage brief: cleanup btest-brief coverage
# Brief output showing only failed tests. # Brief output showing only failed tests.
btest-brief: btest-brief:
@$(BTEST) -b -f $(DIAG) @$(BTEST) -j 5 -b -f $(DIAG)
coverage: coverage:
@../scripts/coverage-calc ".tmp/script-coverage*" coverage.log `pwd`/../../scripts @../scripts/coverage-calc ".tmp/script-coverage*" coverage.log `pwd`/../../scripts
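Review bot: The job count is hard-coded as `-j 5` in both the `btest-verbose` and `btest-brief` recipes, so a small CI machine or a large workstation cannot tune it without editing the Makefile. A variable with a default, for example `BTEST_JOBS ?= 5` next to the other definitions and `@$(BTEST) -j $(BTEST_JOBS) -f $(DIAG)` in the recipes, keeps today's behaviour. It is also worth confirming that tests running in parallel do not write to the same `.tmp/script-coverage*` files that the `coverage` target reads afterwards; that is not visible from this hunk, and the top of the Makefile lies outside it.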

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.


@ -0,0 +1,13 @@
# @TEST-EXEC: bro -C -r $TRACES/wikipedia.trace %INPUT >output
# @TEST-EXEC: btest-diff output
event bro_init()
{
install_src_addr_filter(141.142.220.118, TH_SYN, 100.0);
}
event new_packet(c: connection, p: pkt_hdr)
{
if ( p?$tcp && p$ip$src == 141.142.220.118 )
print c$id;
}
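Review bot: In `new_packet`, `p$ip$src` is read after checking only `p?$tcp`, but `ip` is an optional field of `pkt_hdr`: the baselines on this page print `ip=<uninitialized>` for IPv6 packets. A TCP-over-IPv6 packet would therefore reach an unset field here. wikipedia.trace may well be IPv4-only, but the guard is cheap and matches what `discarder_check_ip` does in the discarder test: `if ( p?$tcp && p?$ip && p$ip$src == 141.142.220.118 )`. A one-line comment saying which packets `install_src_addr_filter(141.142.220.118, TH_SYN, 100.0)` is expected to drop would also make the baseline easier to review.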


@ -0,0 +1,10 @@
# @TEST-EXEC: bro -C -b -r $TRACES/ext_hdr_hbh_routing.trace %INPUT >output
# @TEST-EXEC: btest-diff output
event ipv6_ext_headers(c: connection, p: pkt_hdr)
{
for ( h in p$ip6$exts )
if ( p$ip6$exts[h]$id == IPPROTO_ROUTING )
if ( p$ip6$exts[h]$routing$rtype == 0 )
print routing0_data_to_addrs(p$ip6$exts[h]$routing$data);
}
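Review bot: `p$ip6$exts[h]$routing` is dereferenced on the strength of `id == IPPROTO_ROUTING` alone. The baseline for this trace shows `routing` populated for the id=43 entry, but whether the parser always fills it (for instance on a truncated header) is not visible here. Folding the two nested `if`s into `if ( p$ip6$exts[h]?$routing && p$ip6$exts[h]$routing$rtype == 0 )` keeps the script safe to copy as an example. Unlike the neighbouring tests, this one has no comment saying what it checks; something like `# Check routing0_data_to_addrs() on a Type 0 routing header.` would do.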


@ -0,0 +1,92 @@
# @TEST-EXEC: bro -C -r $TRACES/wikipedia.trace discarder-ip.bro >output
# @TEST-EXEC: bro -C -r $TRACES/wikipedia.trace discarder-tcp.bro >>output
# @TEST-EXEC: bro -C -r $TRACES/wikipedia.trace discarder-udp.bro >>output
# @TEST-EXEC: bro -C -r $TRACES/icmp-unreach.trace discarder-icmp.bro >>output
# @TEST-EXEC: btest-diff output
@TEST-START-FILE discarder-ip.bro
event bro_init()
{
print "################ IP Discarder ################";
}
function discarder_check_ip(p: pkt_hdr): bool
{
if ( p?$ip && p$ip$src == 141.142.220.118 && p$ip$dst == 208.80.152.2 )
return F;
return T;
}
event new_packet(c: connection, p: pkt_hdr)
{
print c$id;
}
@TEST-END-FILE
@TEST-START-FILE discarder-tcp.bro
event bro_init()
{
print "################ TCP Discarder ################";
}
function discarder_check_tcp(p: pkt_hdr, d: string): bool
{
if ( p$tcp$flags == TH_SYN )
return F;
return T;
}
event new_packet(c: connection, p: pkt_hdr)
{
if ( p?$tcp )
print c$id;
}
@TEST-END-FILE
@TEST-START-FILE discarder-udp.bro
event bro_init()
{
print "################ UDP Discarder ################";
}
function discarder_check_udp(p: pkt_hdr, d: string): bool
{
if ( p?$ip6 )
return F;
return T;
}
event new_packet(c: connection, p: pkt_hdr)
{
if ( p?$udp )
print c$id;
}
@TEST-END-FILE
@TEST-START-FILE discarder-icmp.bro
event bro_init()
{
print "################ ICMP Discarder ################";
}
function discarder_check_icmp(p: pkt_hdr): bool
{
print fmt("Discard icmp packet: %s", p$icmp);
return T;
}
event new_packet(c: connection, p: pkt_hdr)
{
if ( p?$icmp )
print c$id;
}
@TEST-END-FILE
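Review bot: `discarder_check_udp` returns `F` only when `p?$ip6` is set. If wikipedia.trace carries no IPv6 UDP (not visible from this page), the UDP run prints just its banner and never exercises the path where a packet is kept. Keying the check on something present in the trace, e.g. `if ( p?$udp && p$udp$dport == 53/udp ) return F;`, or adding a run against an IPv6 trace, would put both outcomes in the baseline. Separately, `discarder_check_tcp` reads `p$tcp$flags` without a `p?$tcp` guard, whereas `discarder_check_ip` does test `p?$ip`. If the core calls it only for TCP packets, a comment saying so would settle it; otherwise `if ( p?$tcp && p$tcp$flags == TH_SYN )`.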


@ -0,0 +1,9 @@
# @TEST-EXEC: bro -r $TRACES/ipv6-fragmented-dns.trace %INPUT >output
# @TEST-EXEC: btest-diff output
# @TEST-EXEC: btest-diff dns.log
event new_packet(c: connection, p: pkt_hdr)
{
if ( p?$ip6 && p?$ udp )
print fmt("ip6=%s, udp = %s", p$ip6, p$udp);
}

View file

@ -0,0 +1,10 @@
# @TEST-EXEC: bro -r $TRACES/ip6_esp.trace %INPUT >output
# @TEST-EXEC: btest-diff output
# Just check that the event is raised correctly for a packet containing
# ESP extension headers.
event esp_packet(p: pkt_hdr)
{
print p;
}


@ -0,0 +1,10 @@
# @TEST-EXEC: bro -C -b -r $TRACES/ext_hdr_hbh_routing.trace %INPUT >output
# @TEST-EXEC: btest-diff output
# Just check that the event is raised correctly for a packet containing
# extension headers.
event ipv6_ext_headers(c: connection, p: pkt_hdr)
{
print p;
}


@ -20,11 +20,13 @@ v[|v|] = [aaaa:0::ffff];
v[|v|] = [::ffff:192.168.1.100]; v[|v|] = [::ffff:192.168.1.100];
v[|v|] = [ffff::192.168.1.100]; v[|v|] = [ffff::192.168.1.100];
v[|v|] = [::192.168.1.100]; v[|v|] = [::192.168.1.100];
v[|v|] = [::ffff:0:192.168.1.100];
v[|v|] = [805B:2D9D:DC28::FC57:212.200.31.255]; v[|v|] = [805B:2D9D:DC28::FC57:212.200.31.255];
v[|v|] = [0xaaaa::bbbb]; v[|v|] = [0xaaaa::bbbb];
v[|v|] = [aaaa:bbbb:cccc:dddd:eeee:ffff:1111:2222]; v[|v|] = [aaaa:bbbb:cccc:dddd:eeee:ffff:1111:2222];
v[|v|] = [aaaa:bbbb:cccc:dddd:eeee:ffff:1:2222]; v[|v|] = [aaaa:bbbb:cccc:dddd:eeee:ffff:1:2222];
v[|v|] = [aaaa:bbbb:cccc:dddd:eeee:ffff:0:2222]; v[|v|] = [aaaa:bbbb:cccc:dddd:eeee:ffff:0:2222];
v[|v|] = [aaaa:bbbb:cccc:dddd:eeee:0:0:2222];
for (i in v) for (i in v)
print v[i]; print v[i];