Merge remote-tracking branch 'ekoyle/add-protocol-pbb'

* ekoyle/add-protocol-pbb: Update seemingly-unrelated btests Use a default analyzer Simplify PBB analyzer by using Ethernet analyzer Add btest for PBB and update baselines Use constexpr instead of #define Cleanup and add customer MAC addresses Add PBB (802.1ah) support
2025-10-02 14:48:21 +00:00 · 2023-02-19 19:23:50 -07:00 · 2023-02-19 19:23:50 -07:00 · c30b8f90ef
commit c30b8f90ef
parent eb05122e74 d17329c95b
22 changed files with 339 additions and 173 deletions
--- a/42
+++ b/42
@ -1,3 +1,45 @@
 6.0.0-dev.75 | 2023-02-19 19:23:50 -0700
  * Update seemingly-unrelated btests (Eldon Koyle, Corelight)
    For some reason, the plugin order appears to have changed in the files btests.
  * Use a default analyzer (Eldon Koyle, Corelight)
    Use a default analyzer instead of hardcoding a protocol number.
  * Simplify PBB analyzer by using Ethernet analyzer (Eldon Koyle, Corelight)
    After the first 4 bytes, this traffic actually just looks like Ethernet.
    Rather than try to re-implement the ethernet analyzer, just check the
    length, skip 4 bytes, and pass it on.
  * Add btest for PBB and update baselines (Eldon Koyle, Corelight)
  * Use constexpr instead of #define (Eldon Koyle, Corelight)
  * Cleanup and add customer MAC addresses (Eldon Koyle, Corelight)
     * Put c-dst/c-src in l2_dst/l2_src
     * use #define instead of const int and move to PBB.h
  * Add PBB (802.1ah) support (Eldon Koyle, Corelight)
  * Bump Spicy and spicy-plugin to latest releases. (Benjamin Bannier, Corelight)
    (cherry picked from commit f27a9a62648e642cc2f6aa267d067d529487eb21)
  * Trim diffed output in test `spicy.spicy-dump`. (Benjamin Bannier, Corelight)
    We previously would include any and all output from stderr during
    compilation in the test baseline. Depending on the used compiler this
    output may contain C++ compilation warnings which are uninteresting for
    the behavior under test.
    (cherry picked from commit 5221edf474e6a8cb05a1470318c7d8007857f202)
  * Update cmake and zeek-aux submodules [nomail] (Tim Wojtulewicz, Corelight)
 6.0.0-dev.64 | 2023-02-17 17:36:40 +0100
  * TableVal: Propagate &on_change attribute through copy() (Arne Welzel, Corelight)
--- a/2
+++ b/2
@ -1 +1 @@
-6.0.0-dev.64
+6.0.0-dev.75
--- a/scripts/base/packet-protocols/load.zeek
+++ b/scripts/base/packet-protocols/load.zeek
@ -15,6 +15,7 @@
@load base/packet-protocols/pppoe
@load base/packet-protocols/vlan
@load base/packet-protocols/mpls
@load base/packet-protocols/pbb
@load base/packet-protocols/vntag
@load base/packet-protocols/udp
@load base/packet-protocols/tcp
--- a/scripts/base/packet-protocols/ethernet/main.zeek
+++ b/scripts/base/packet-protocols/ethernet/main.zeek
@ -12,6 +12,7 @@ export {
 event zeek_init() &priority=20
 	{
 	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 0x8847, PacketAnalyzer::ANALYZER_MPLS);
 	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 0x88E7, PacketAnalyzer::ANALYZER_PBB);
 	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 0x0800, PacketAnalyzer::ANALYZER_IP);
 	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 0x86DD, PacketAnalyzer::ANALYZER_IP);
 	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 0x0806, PacketAnalyzer::ANALYZER_ARP);
@ -21,4 +22,4 @@ event zeek_init() &priority=20
 	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 0x9100, PacketAnalyzer::ANALYZER_VLAN);
 	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 0x8864, PacketAnalyzer::ANALYZER_PPPOE);
 	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 0x8926, PacketAnalyzer::ANALYZER_VNTAG);
-	}
+	}
--- a/scripts/base/packet-protocols/pbb/load.zeek
+++ b/scripts/base/packet-protocols/pbb/load.zeek
@ -0,0 +1 @@
@load ./main
--- a/scripts/base/packet-protocols/pbb/main.zeek
+++ b/scripts/base/packet-protocols/pbb/main.zeek
@ -0,0 +1,6 @@
 module PacketAnalyzer::PBB;
 export {
 	## Default analyzer
 	const default_analyzer: PacketAnalyzer::Tag = PacketAnalyzer::ANALYZER_ETHERNET &redef;
 }
--- a/scripts/base/packet-protocols/vlan/main.zeek
+++ b/scripts/base/packet-protocols/vlan/main.zeek
@ -3,6 +3,7 @@ module PacketAnalyzer::VLAN;
 event zeek_init() &priority=20
 	{
 	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VLAN, 0x8847, PacketAnalyzer::ANALYZER_MPLS);
 	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VLAN, 0x88E7, PacketAnalyzer::ANALYZER_PBB);
 	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VLAN, 0x0800, PacketAnalyzer::ANALYZER_IP);
 	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VLAN, 0x86DD, PacketAnalyzer::ANALYZER_IP);
 	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VLAN, 0x0806, PacketAnalyzer::ANALYZER_ARP);
--- a/src/packet_analysis/protocol/CMakeLists.txt
+++ b/src/packet_analysis/protocol/CMakeLists.txt
@ -11,6 +11,7 @@ add_subdirectory(ieee802_11_radio)
 add_subdirectory(fddi)
 add_subdirectory(nflog)
 add_subdirectory(mpls)
 add_subdirectory(pbb)
 add_subdirectory(linux_sll)
 add_subdirectory(linux_sll2)
--- a/src/packet_analysis/protocol/pbb/CMakeLists.txt
+++ b/src/packet_analysis/protocol/pbb/CMakeLists.txt
@ -0,0 +1,8 @@
 include(ZeekPlugin)
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 zeek_plugin_begin(PacketAnalyzer PBB)
 zeek_plugin_cc(PBB.cc Plugin.cc)
 zeek_plugin_end()
--- a/src/packet_analysis/protocol/pbb/PBB.cc
+++ b/src/packet_analysis/protocol/pbb/PBB.cc
@ -0,0 +1,22 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 #include "zeek/packet_analysis/protocol/pbb/PBB.h"
 using namespace zeek::packet_analysis::PBB;
 constexpr int PBB_LEN = 18;
 constexpr int PBB_C_DST_OFF = 4;
 PBBAnalyzer::PBBAnalyzer() : zeek::packet_analysis::Analyzer("PBB") { }
 bool PBBAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
 	{
 	if ( PBB_LEN >= len )
 		{
 		Weird("truncated_PBB_header", packet);
 		return false;
 		}
 	// pass this on to the ethernet analyzer
 	return ForwardPacket(len - PBB_C_DST_OFF, data + PBB_C_DST_OFF, packet);
 	}
--- a/src/packet_analysis/protocol/pbb/PBB.h
+++ b/src/packet_analysis/protocol/pbb/PBB.h
@ -0,0 +1,25 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 #pragma once
 #include "zeek/packet_analysis/Analyzer.h"
 #include "zeek/packet_analysis/Component.h"
 namespace zeek::packet_analysis::PBB
 	{
 class PBBAnalyzer : public Analyzer
 	{
 public:
 	PBBAnalyzer();
 	~PBBAnalyzer() override = default;
 	bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
 	static zeek::packet_analysis::AnalyzerPtr Instantiate()
 		{
 		return std::make_shared<PBBAnalyzer>();
 		}
 	};
 	}
--- a/src/packet_analysis/protocol/pbb/Plugin.cc
+++ b/src/packet_analysis/protocol/pbb/Plugin.cc
@ -0,0 +1,27 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 #include "zeek/plugin/Plugin.h"
 #include "zeek/packet_analysis/Component.h"
 #include "zeek/packet_analysis/protocol/pbb/PBB.h"
 namespace zeek::plugin::Zeek_PBB
 	{
 class Plugin : public zeek::plugin::Plugin
 	{
 public:
 	zeek::plugin::Configuration Configure()
 		{
 		AddComponent(new zeek::packet_analysis::Component(
 			"PBB", zeek::packet_analysis::PBB::PBBAnalyzer::Instantiate));
 		zeek::plugin::Configuration config;
 		config.name = "Zeek::PBB";
 		config.description = "PBB packet analyzer";
 		return config;
 		}
 	} plugin;
 	}
--- a/testing/btest/Baseline/core.pbb/conn.log
+++ b/testing/btest/Baseline/core.pbb/conn.log
@ -0,0 +1,11 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	conn
 #open XXXX-XX-XX-XX-XX-XX
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
 #types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]
 XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	10.199.249.11	49601	10.199.249.12	49416	tcp	-	0.002215	209	0	SF	-	-	0	ShADFaf	5	421	3	132	-
 #close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
@ -58,6 +58,8 @@ scripts/base/init-bare.zeek
      scripts/base/packet-protocols/vlan/main.zeek
    scripts/base/packet-protocols/mpls/__load__.zeek
      scripts/base/packet-protocols/mpls/main.zeek
    scripts/base/packet-protocols/pbb/__load__.zeek
      scripts/base/packet-protocols/pbb/main.zeek
    scripts/base/packet-protocols/vntag/__load__.zeek
      scripts/base/packet-protocols/vntag/main.zeek
    scripts/base/packet-protocols/udp/__load__.zeek
--- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
@ -58,6 +58,8 @@ scripts/base/init-bare.zeek
      scripts/base/packet-protocols/vlan/main.zeek
    scripts/base/packet-protocols/mpls/__load__.zeek
      scripts/base/packet-protocols/mpls/main.zeek
    scripts/base/packet-protocols/pbb/__load__.zeek
      scripts/base/packet-protocols/pbb/main.zeek
    scripts/base/packet-protocols/vntag/__load__.zeek
      scripts/base/packet-protocols/vntag/main.zeek
    scripts/base/packet-protocols/udp/__load__.zeek
--- a/testing/btest/Baseline/plugins.hooks/output
+++ b/testing/btest/Baseline/plugins.hooks/output
@ -640,6 +640,7 @@
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 34887, PacketAnalyzer::ANALYZER_MPLS)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 34916, PacketAnalyzer::ANALYZER_PPPOE)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 34984, PacketAnalyzer::ANALYZER_VLAN)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 35047, PacketAnalyzer::ANALYZER_PBB)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 35110, PacketAnalyzer::ANALYZER_VNTAG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 37120, PacketAnalyzer::ANALYZER_VLAN)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_GENEVE, 2048, PacketAnalyzer::ANALYZER_IP)) -> <no result>
@ -699,6 +700,7 @@
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 34525, PacketAnalyzer::ANALYZER_IP)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 34887, PacketAnalyzer::ANALYZER_MPLS)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 34916, PacketAnalyzer::ANALYZER_PPPOE)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 35047, PacketAnalyzer::ANALYZER_PBB)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VNTAG, 33024, PacketAnalyzer::ANALYZER_VLAN)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VNTAG, 34984, PacketAnalyzer::ANALYZER_VLAN)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VNTAG, 37120, PacketAnalyzer::ANALYZER_VLAN)) -> <no result>
@ -1106,6 +1108,7 @@
 0.000000   MetaHookPost  LoadFile(0, base<...>/packet_analysis.bif, <...>/packet_analysis.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/paths, <...>/paths.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/patterns, <...>/patterns.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/pbb, <...>/pbb) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/pe, <...>/pe) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/plugins, <...>/plugins) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/pop3, <...>/pop3) -> -1
@ -1493,6 +1496,7 @@
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/packet_analysis.bif, <...>/packet_analysis.bif.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/paths, <...>/paths.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/patterns, <...>/patterns.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/pbb, <...>/pbb) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/pe, <...>/pe) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/plugins, <...>/plugins) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/pop3, <...>/pop3) -> (-1, <no content>)
@ -2205,6 +2209,7 @@
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 34887, PacketAnalyzer::ANALYZER_MPLS))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 34916, PacketAnalyzer::ANALYZER_PPPOE))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 34984, PacketAnalyzer::ANALYZER_VLAN))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 35047, PacketAnalyzer::ANALYZER_PBB))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 35110, PacketAnalyzer::ANALYZER_VNTAG))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 37120, PacketAnalyzer::ANALYZER_VLAN))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_GENEVE, 2048, PacketAnalyzer::ANALYZER_IP))
@ -2264,6 +2269,7 @@
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 34525, PacketAnalyzer::ANALYZER_IP))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 34887, PacketAnalyzer::ANALYZER_MPLS))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 34916, PacketAnalyzer::ANALYZER_PPPOE))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 35047, PacketAnalyzer::ANALYZER_PBB))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VNTAG, 33024, PacketAnalyzer::ANALYZER_VLAN))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VNTAG, 34984, PacketAnalyzer::ANALYZER_VLAN))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VNTAG, 37120, PacketAnalyzer::ANALYZER_VLAN))
@ -2671,6 +2677,7 @@
 0.000000   MetaHookPre   LoadFile(0, base<...>/packet_analysis.bif, <...>/packet_analysis.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, base<...>/paths, <...>/paths.zeek)
 0.000000   MetaHookPre   LoadFile(0, base<...>/patterns, <...>/patterns.zeek)
 0.000000   MetaHookPre   LoadFile(0, base<...>/pbb, <...>/pbb)
 0.000000   MetaHookPre   LoadFile(0, base<...>/pe, <...>/pe)
 0.000000   MetaHookPre   LoadFile(0, base<...>/plugins, <...>/plugins)
 0.000000   MetaHookPre   LoadFile(0, base<...>/pop3, <...>/pop3)
@ -3058,6 +3065,7 @@
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/packet_analysis.bif, <...>/packet_analysis.bif.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/paths, <...>/paths.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/patterns, <...>/patterns.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/pbb, <...>/pbb)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/pe, <...>/pe)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/plugins, <...>/plugins)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/pop3, <...>/pop3)
@ -3769,6 +3777,7 @@
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 34887, PacketAnalyzer::ANALYZER_MPLS)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 34916, PacketAnalyzer::ANALYZER_PPPOE)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 34984, PacketAnalyzer::ANALYZER_VLAN)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 35047, PacketAnalyzer::ANALYZER_PBB)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 35110, PacketAnalyzer::ANALYZER_VNTAG)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 37120, PacketAnalyzer::ANALYZER_VLAN)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GENEVE, 2048, PacketAnalyzer::ANALYZER_IP)
@ -3828,6 +3837,7 @@
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VLAN, 34525, PacketAnalyzer::ANALYZER_IP)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VLAN, 34887, PacketAnalyzer::ANALYZER_MPLS)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VLAN, 34916, PacketAnalyzer::ANALYZER_PPPOE)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VLAN, 35047, PacketAnalyzer::ANALYZER_PBB)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VNTAG, 33024, PacketAnalyzer::ANALYZER_VLAN)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VNTAG, 34984, PacketAnalyzer::ANALYZER_VLAN)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VNTAG, 37120, PacketAnalyzer::ANALYZER_VLAN)
@ -4247,6 +4257,7 @@
 0.000000 | HookLoadFile  base<...>/packet_analysis.bif <...>/packet_analysis.bif.zeek
 0.000000 | HookLoadFile  base<...>/paths <...>/paths.zeek
 0.000000 | HookLoadFile  base<...>/patterns <...>/patterns.zeek
 0.000000 | HookLoadFile  base<...>/pbb <...>/pbb
 0.000000 | HookLoadFile  base<...>/pe <...>/pe
 0.000000 | HookLoadFile  base<...>/plugins <...>/plugins
 0.000000 | HookLoadFile  base<...>/pop3 <...>/pop3
@ -4634,6 +4645,7 @@
 0.000000 | HookLoadFileExtended base<...>/packet_analysis.bif <...>/packet_analysis.bif.zeek
 0.000000 | HookLoadFileExtended base<...>/paths <...>/paths.zeek
 0.000000 | HookLoadFileExtended base<...>/patterns <...>/patterns.zeek
 0.000000 | HookLoadFileExtended base<...>/pbb <...>/pbb
 0.000000 | HookLoadFileExtended base<...>/pe <...>/pe
 0.000000 | HookLoadFileExtended base<...>/plugins <...>/plugins
 0.000000 | HookLoadFileExtended base<...>/pop3 <...>/pop3
--- a/testing/btest/Baseline/scripts.base.files.x509.files/files.log
+++ b/testing/btest/Baseline/scripts.base.files.x509.files/files.log
@ -7,10 +7,10 @@
 #open XXXX-XX-XX-XX-XX-XX
 #fields	ts	fuid	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	source	depth	analyzers	mime_type	filename	duration	local_orig	is_orig	seen_bytes	total_bytes	missing_bytes	overflow_bytes	timedout	parent_fuid	md5	sha1	sha256
 #types	time	string	string	addr	port	addr	port	string	count	set[string]	string	string	interval	bool	bool	count	count	count	count	bool	string	string	string	string
-XXXXXXXXXX.XXXXXX	FgN3AE3of2TRIqaeQe	CHhAvVGS1DHFjwGM9	192.168.4.149	60623	74.125.239.129	443	SSL	0	X509,SHA256,SHA1,MD5	application/x-x509-user-cert	-	0.000000	-	F	1859	-	0	0	F	-	7af07aca6d5c6e8e87fe4bb34786edc0	548b9e03bc183d1cd39f93a37985cb3950f8f06f	6bacfa4536150ed996f2b0c05ab6e345a257225f449aeb9d2018ccd88f4ede43
+XXXXXXXXXX.XXXXXX	FgN3AE3of2TRIqaeQe	CHhAvVGS1DHFjwGM9	192.168.4.149	60623	74.125.239.129	443	SSL	0	SHA256,X509,SHA1,MD5	application/x-x509-user-cert	-	0.000000	-	F	1859	-	0	0	F	-	7af07aca6d5c6e8e87fe4bb34786edc0	548b9e03bc183d1cd39f93a37985cb3950f8f06f	6bacfa4536150ed996f2b0c05ab6e345a257225f449aeb9d2018ccd88f4ede43
-XXXXXXXXXX.XXXXXX	Fv2Agc4z5boBOacQi6	CHhAvVGS1DHFjwGM9	192.168.4.149	60623	74.125.239.129	443	SSL	0	X509,SHA256,SHA1,MD5	application/x-x509-ca-cert	-	0.000000	-	F	1032	-	0	0	F	-	9e4ac96474245129d9766700412a1f89	d83c1a7f4d0446bb2081b81a1670f8183451ca24	a047a37fa2d2e118a4f5095fe074d6cfe0e352425a7632bf8659c03919a6c81d
+XXXXXXXXXX.XXXXXX	Fv2Agc4z5boBOacQi6	CHhAvVGS1DHFjwGM9	192.168.4.149	60623	74.125.239.129	443	SSL	0	SHA256,X509,SHA1,MD5	application/x-x509-ca-cert	-	0.000000	-	F	1032	-	0	0	F	-	9e4ac96474245129d9766700412a1f89	d83c1a7f4d0446bb2081b81a1670f8183451ca24	a047a37fa2d2e118a4f5095fe074d6cfe0e352425a7632bf8659c03919a6c81d
-XXXXXXXXXX.XXXXXX	Ftmyeg2qgI2V38Dt3g	CHhAvVGS1DHFjwGM9	192.168.4.149	60623	74.125.239.129	443	SSL	0	X509,SHA256,SHA1,MD5	application/x-x509-ca-cert	-	0.000000	-	F	897	-	0	0	F	-	2e7db2a31d0e3da4b25f49b9542a2e1a	7359755c6df9a0abc3060bce369564c8ec4542a3	3c35cc963eb004451323d3275d05b353235053490d9cd83729a2faf5e7ca1cc0
+XXXXXXXXXX.XXXXXX	Ftmyeg2qgI2V38Dt3g	CHhAvVGS1DHFjwGM9	192.168.4.149	60623	74.125.239.129	443	SSL	0	SHA256,X509,SHA1,MD5	application/x-x509-ca-cert	-	0.000000	-	F	897	-	0	0	F	-	2e7db2a31d0e3da4b25f49b9542a2e1a	7359755c6df9a0abc3060bce369564c8ec4542a3	3c35cc963eb004451323d3275d05b353235053490d9cd83729a2faf5e7ca1cc0
-XXXXXXXXXX.XXXXXX	FUFNf84cduA0IJCp07	ClEkJM2Vm5giqnMf4h	192.168.4.149	60624	74.125.239.129	443	SSL	0	X509,SHA256,SHA1,MD5	application/x-x509-user-cert	-	0.000000	-	F	1859	-	0	0	F	-	7af07aca6d5c6e8e87fe4bb34786edc0	548b9e03bc183d1cd39f93a37985cb3950f8f06f	6bacfa4536150ed996f2b0c05ab6e345a257225f449aeb9d2018ccd88f4ede43
+XXXXXXXXXX.XXXXXX	FUFNf84cduA0IJCp07	ClEkJM2Vm5giqnMf4h	192.168.4.149	60624	74.125.239.129	443	SSL	0	SHA256,X509,SHA1,MD5	application/x-x509-user-cert	-	0.000000	-	F	1859	-	0	0	F	-	7af07aca6d5c6e8e87fe4bb34786edc0	548b9e03bc183d1cd39f93a37985cb3950f8f06f	6bacfa4536150ed996f2b0c05ab6e345a257225f449aeb9d2018ccd88f4ede43
-XXXXXXXXXX.XXXXXX	F1H4bd2OKGbLPEdHm4	ClEkJM2Vm5giqnMf4h	192.168.4.149	60624	74.125.239.129	443	SSL	0	X509,SHA256,SHA1,MD5	application/x-x509-ca-cert	-	0.000000	-	F	1032	-	0	0	F	-	9e4ac96474245129d9766700412a1f89	d83c1a7f4d0446bb2081b81a1670f8183451ca24	a047a37fa2d2e118a4f5095fe074d6cfe0e352425a7632bf8659c03919a6c81d
+XXXXXXXXXX.XXXXXX	F1H4bd2OKGbLPEdHm4	ClEkJM2Vm5giqnMf4h	192.168.4.149	60624	74.125.239.129	443	SSL	0	SHA256,X509,SHA1,MD5	application/x-x509-ca-cert	-	0.000000	-	F	1032	-	0	0	F	-	9e4ac96474245129d9766700412a1f89	d83c1a7f4d0446bb2081b81a1670f8183451ca24	a047a37fa2d2e118a4f5095fe074d6cfe0e352425a7632bf8659c03919a6c81d
-XXXXXXXXXX.XXXXXX	Fgsbci2jxFXYMOHOhi	ClEkJM2Vm5giqnMf4h	192.168.4.149	60624	74.125.239.129	443	SSL	0	X509,SHA256,SHA1,MD5	application/x-x509-ca-cert	-	0.000000	-	F	897	-	0	0	F	-	2e7db2a31d0e3da4b25f49b9542a2e1a	7359755c6df9a0abc3060bce369564c8ec4542a3	3c35cc963eb004451323d3275d05b353235053490d9cd83729a2faf5e7ca1cc0
+XXXXXXXXXX.XXXXXX	Fgsbci2jxFXYMOHOhi	ClEkJM2Vm5giqnMf4h	192.168.4.149	60624	74.125.239.129	443	SSL	0	SHA256,X509,SHA1,MD5	application/x-x509-ca-cert	-	0.000000	-	F	897	-	0	0	F	-	2e7db2a31d0e3da4b25f49b9542a2e1a	7359755c6df9a0abc3060bce369564c8ec4542a3	3c35cc963eb004451323d3275d05b353235053490d9cd83729a2faf5e7ca1cc0
 #close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events-no-args.log
+++ b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events-no-args.log
@ -189,6 +189,7 @@ XXXXXXXXXX.XXXXXX file_over_new_connection
 XXXXXXXXXX.XXXXXX file_sniff
 XXXXXXXXXX.XXXXXX file_hash
 XXXXXXXXXX.XXXXXX file_hash
 XXXXXXXXXX.XXXXXX file_hash
 XXXXXXXXXX.XXXXXX x509_certificate
 XXXXXXXXXX.XXXXXX x509_extension
 XXXXXXXXXX.XXXXXX x509_extension
@ -201,13 +202,13 @@ XXXXXXXXXX.XXXXXX x509_extension
 XXXXXXXXXX.XXXXXX x509_extension
 XXXXXXXXXX.XXXXXX x509_extension
 XXXXXXXXXX.XXXXXX x509_ext_subject_alternative_name
 XXXXXXXXXX.XXXXXX file_hash
 XXXXXXXXXX.XXXXXX file_state_remove
 XXXXXXXXXX.XXXXXX file_new
 XXXXXXXXXX.XXXXXX file_over_new_connection
 XXXXXXXXXX.XXXXXX file_sniff
 XXXXXXXXXX.XXXXXX file_hash
 XXXXXXXXXX.XXXXXX file_hash
 XXXXXXXXXX.XXXXXX file_hash
 XXXXXXXXXX.XXXXXX x509_certificate
 XXXXXXXXXX.XXXXXX x509_extension
 XXXXXXXXXX.XXXXXX x509_extension
@ -217,7 +218,6 @@ XXXXXXXXXX.XXXXXX x509_extension
 XXXXXXXXXX.XXXXXX x509_extension
 XXXXXXXXXX.XXXXXX x509_extension
 XXXXXXXXXX.XXXXXX x509_extension
 XXXXXXXXXX.XXXXXX file_hash
 XXXXXXXXXX.XXXXXX file_state_remove
 XXXXXXXXXX.XXXXXX ssl_handshake_message
 XXXXXXXXXX.XXXXXX ssl_handshake_message
--- a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log
+++ b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log
--- a/testing/btest/Baseline/scripts.policy.misc.dump-events/really-all-events.log
+++ b/testing/btest/Baseline/scripts.policy.misc.dump-events/really-all-events.log
--- a/testing/btest/Traces/pbb.pcap
+++ b/testing/btest/Traces/pbb.pcap
--- a/testing/btest/core/pbb.zeek
+++ b/testing/btest/core/pbb.zeek
@ -0,0 +1,4 @@
 # @TEST-EXEC: zeek -b -r $TRACES/pbb.pcap %INPUT
 # @TEST-EXEC: btest-diff conn.log
@load base/protocols/conn