inlining of Zeek script functions

src/CMakeLists.txt

@@ -322,6 +322,12 @@ set(MAIN_SRCS
     plugin/Manager.cc
     plugin/Plugin.cc
 
+    script_opt/Expr.cc
+    script_opt/Inline.cc
+    script_opt/ProfileFunc.cc
+    script_opt/ScriptOpt.cc
+    script_opt/Stmt.cc
+
     nb_dns.c
     digest.h
 )

src/Expr.cc

@@ -39,7 +39,12 @@ const char* expr_name(BroExprTag t)
 		"$=", "in", "<<>>",
 		"()", "function()", "event", "schedule",
 		"coerce", "record_coerce", "table_coerce", "vector_coerce",
-		"sizeof", "cast", "is", "[:]="
+		"sizeof", "cast", "is", "[:]=",
+
+#include "zeek/script_opt/ExprOpt-Names.h"
+
+		"nop",
+
 	};
 
 	if ( int(t) >= NUM_EXPRS )
@@ -74,6 +79,12 @@ ListExpr* Expr::AsListExpr()
 	return (ListExpr*) this;
 	}
 
+ListExprPtr Expr::AsListExprPtr()
+	{
+	CHECK_TAG(tag, EXPR_LIST, "ExprVal::AsListExpr", expr_name)
+	return {NewRef{}, (ListExpr*) this};
+	}
+
 const NameExpr* Expr::AsNameExpr() const
 	{
 	CHECK_TAG(tag, EXPR_NAME, "ExprVal::AsNameExpr", expr_name)
@@ -86,6 +97,18 @@ NameExpr* Expr::AsNameExpr()
 	return (NameExpr*) this;
 	}
 
+const ConstExpr* Expr::AsConstExpr() const
+	{
+	CHECK_TAG(tag, EXPR_CONST, "ExprVal::AsConstExpr", expr_name)
+	return (const ConstExpr*) this;
+	}
+
+const CallExpr* Expr::AsCallExpr() const
+	{
+	CHECK_TAG(tag, EXPR_CALL, "ExprVal::AsCallExpr", expr_name)
+	return (const CallExpr*) this;
+	}
+
 const AssignExpr* Expr::AsAssignExpr() const
 	{
 	CHECK_TAG(tag, EXPR_ASSIGN, "ExprVal::AsAssignExpr", expr_name)
@@ -110,6 +133,18 @@ IndexExpr* Expr::AsIndexExpr()
 	return (IndexExpr*) this;
 	}
 
+const EventExpr* Expr::AsEventExpr() const
+	{
+	CHECK_TAG(tag, EXPR_EVENT, "ExprVal::AsEventExpr", expr_name)
+	return (const EventExpr*) this;
+	}
+
+EventExprPtr Expr::AsEventExprPtr()
+	{
+	CHECK_TAG(tag, EXPR_EVENT, "ExprVal::AsEventExpr", expr_name)
+	return {NewRef{}, (EventExpr*) this};
+	}
+
 bool Expr::CanAdd() const
 	{
 	return false;
@@ -244,7 +279,7 @@ void Expr::ExprError(const char msg[])
 
 void Expr::RuntimeError(const std::string& msg) const
 	{
-	reporter->ExprRuntimeError(this, "%s", msg.data());
+	reporter->ExprRuntimeError(Original(), "%s", msg.data());
 	}
 
 void Expr::RuntimeErrorWithCallStack(const std::string& msg) const
@@ -252,14 +287,15 @@ void Expr::RuntimeErrorWithCallStack(const std::string& msg) const
 	auto rcs = render_call_stack();
 
 	if ( rcs.empty() )
-		reporter->ExprRuntimeError(this, "%s", msg.data());
+		reporter->ExprRuntimeError(Original(), "%s", msg.data());
 	else
 		{
 		ODesc d;
 		d.SetShort();
 		Describe(&d);
-		reporter->RuntimeError(GetLocationInfo(), "%s, expression: %s, call stack: %s",
+		reporter->RuntimeError(Original()->GetLocationInfo(),
-		                             msg.data(), d.Description(), rcs.data());
+					"%s, expression: %s, call stack: %s",
+					msg.data(), d.Description(), rcs.data());
 		}
 	}
 
@@ -928,12 +964,23 @@ void BinaryExpr::PromoteType(TypeTag t, bool is_vector)
 	{
 	PromoteOps(t);
 
-	if ( is_vector)
+	if ( is_vector )
 		SetType(make_intrusive<VectorType>(base_type(t)));
 	else
 		SetType(base_type(t));
 	}
 
+void BinaryExpr::PromoteForInterval(ExprPtr& op)
+	{
+	if ( is_vector(op1) || is_vector(op2) )
+		SetType(make_intrusive<VectorType>(base_type(TYPE_INTERVAL)));
+	else
+		SetType(base_type(TYPE_INTERVAL));
+
+	if ( op->GetType()->Tag() != TYPE_DOUBLE )
+		op = make_intrusive<ArithCoerceExpr>(op, TYPE_DOUBLE);
+	}
+
 CloneExpr::CloneExpr(ExprPtr arg_op)
 	: UnaryExpr(EXPR_CLONE, std::move(arg_op))
 	{
@@ -1416,12 +1463,7 @@ TimesExpr::TimesExpr(ExprPtr arg_op1, ExprPtr arg_op2)
 	if ( bt1 == TYPE_INTERVAL || bt2 == TYPE_INTERVAL )
 		{
 		if ( IsArithmetic(bt1) || IsArithmetic(bt2) )
-			{
+			PromoteForInterval(IsArithmetic(bt1) ? op1 : op2);
-			if ( is_vector(op1) && is_vector(op2) )
-				SetType(make_intrusive<VectorType>(base_type(TYPE_INTERVAL)));
-			else
-				PromoteType(TYPE_INTERVAL, is_vector(op1) || is_vector(op2) );
-			}
 		else
 			ExprError("multiplication with interval requires arithmetic operand");
 		}
@@ -1457,12 +1499,7 @@ DivideExpr::DivideExpr(ExprPtr arg_op1, ExprPtr arg_op2)
 	if ( bt1 == TYPE_INTERVAL || bt2 == TYPE_INTERVAL )
 		{
 		if ( IsArithmetic(bt1) || IsArithmetic(bt2) )
-			{
+			PromoteForInterval(IsArithmetic(bt1) ? op1 : op2);
-			if ( is_vector(op1) && is_vector(op2) )
-				SetType(make_intrusive<VectorType>(base_type(TYPE_INTERVAL)));
-			else
-				PromoteType(TYPE_INTERVAL, is_vector(op1) || is_vector(op2));
-			}
 		else if ( bt1 == TYPE_INTERVAL && bt2 == TYPE_INTERVAL )
 			{
 			if ( is_vector(op1) || is_vector(op2) )
@@ -3153,7 +3190,8 @@ TraversalCode RecordConstructorExpr::Traverse(TraversalCallback* cb) const
 
 TableConstructorExpr::TableConstructorExpr(ListExprPtr constructor_list,
                                            std::unique_ptr<std::vector<AttrPtr>> arg_attrs,
-                                           TypePtr arg_type)
+                                           TypePtr arg_type,
+                                           AttributesPtr arg_attrs2)
 	: UnaryExpr(EXPR_TABLE_CONSTRUCTOR, std::move(constructor_list))
 	{
 	if ( IsError() )
@@ -3189,6 +3227,8 @@ TableConstructorExpr::TableConstructorExpr(ListExprPtr constructor_list,
 
 	if ( arg_attrs )
 		attrs = make_intrusive<Attributes>(std::move(*arg_attrs), type, false, false);
+	else
+		attrs = arg_attrs2;
 
 	const auto& indices = type->AsTableType()->GetIndices()->GetTypes();
 	const ExprPList& cle = op->AsListExpr()->Exprs();
@@ -3288,7 +3328,8 @@ void TableConstructorExpr::ExprDescribe(ODesc* d) const
 
 SetConstructorExpr::SetConstructorExpr(ListExprPtr constructor_list,
                                        std::unique_ptr<std::vector<AttrPtr>> arg_attrs,
-                                       TypePtr arg_type)
+                                       TypePtr arg_type,
+                                       AttributesPtr arg_attrs2)
 	: UnaryExpr(EXPR_SET_CONSTRUCTOR, std::move(constructor_list))
 	{
 	if ( IsError() )
@@ -3321,6 +3362,8 @@ SetConstructorExpr::SetConstructorExpr(ListExprPtr constructor_list,
 
 	if ( arg_attrs )
 		attrs = make_intrusive<Attributes>(std::move(*arg_attrs), type, false, false);
+	else
+		attrs = arg_attrs2;
 
 	const auto& indices = type->AsTableType()->GetIndices()->GetTypes();
 	ExprPList& cle = op->AsListExpr()->Exprs();

src/Expr.h

@@ -10,6 +10,7 @@
 
 #include "zeek/ZeekList.h"
 #include "zeek/IntrusivePtr.h"
+#include "zeek/StmtBase.h"
 #include "zeek/Timer.h"
 #include "zeek/Type.h"
 #include "zeek/EventHandler.h"
@@ -66,13 +67,19 @@ enum BroExprTag : int {
 	EXPR_CAST,
 	EXPR_IS,
 	EXPR_INDEX_SLICE_ASSIGN,
-#define NUM_EXPRS (int(EXPR_INDEX_SLICE_ASSIGN) + 1)
+
+#include "zeek/script_opt/ExprOpt-Enums.h"
+
+	EXPR_NOP,
+
+#define NUM_EXPRS (int(EXPR_NOP) + 1)
 };
 
 extern const char* expr_name(BroExprTag t);
 
 class ListExpr;
 class NameExpr;
+class ConstExpr;
 class IndexExpr;
 class AssignExpr;
 class CallExpr;
@@ -82,7 +89,7 @@ class Stmt;
 class Expr;
 using ExprPtr = IntrusivePtr<Expr>;
 using EventExprPtr = IntrusivePtr<EventExpr>;
-using ListExprPtr = IntrusivePtr<ListExpr>;
+using StmtPtr = IntrusivePtr<Stmt>;
 
 class Expr : public Obj {
 public:
@@ -99,6 +106,7 @@ public:
 	BroExprTag Tag() const	{ return tag; }
 
 	Expr* Ref()			{ zeek::Ref(this); return this; }
+	ExprPtr ThisPtr()		{ return {NewRef{}, this}; }
 
 	// Evaluates the expression and returns a corresponding Val*,
 	// or nil if the expression's value isn't fixed.
@@ -171,22 +179,26 @@ public:
 	void MarkParen()		{ paren = true; }
 	bool IsParen() const		{ return paren; }
 
-	const ListExpr* AsListExpr() const;
+#undef ACCESSORS
-	ListExpr* AsListExpr();
+#define ACCESSORS(ctype) \
+	const ctype* As ## ctype () const; \
+	ctype* As ## ctype (); \
+	IntrusivePtr<ctype> As ## ctype ## Ptr ();
 
-	const NameExpr* AsNameExpr() const;
+	ACCESSORS(ListExpr)
-	NameExpr* AsNameExpr();
+	ACCESSORS(NameExpr)
-
+	ACCESSORS(ConstExpr)
-	const AssignExpr* AsAssignExpr() const;
+	ACCESSORS(CallExpr)
-	AssignExpr* AsAssignExpr();
+	ACCESSORS(AssignExpr)
-
+	ACCESSORS(IndexExpr)
-	const IndexExpr* AsIndexExpr() const;
+	ACCESSORS(EventExpr)
-	IndexExpr* AsIndexExpr();
 
 	void Describe(ODesc* d) const override final;
 
 	virtual TraversalCode Traverse(TraversalCallback* cb) const = 0;
 
+#include "zeek/script_opt/ExprOpt-Public.h"
+
 protected:
 	Expr() = default;
 	explicit Expr(BroExprTag arg_tag);
@@ -211,6 +223,8 @@ protected:
 	BroExprTag tag;
 	TypePtr type;
 	bool paren;
+
+#include "zeek/script_opt/ExprOpt-Private.h"
 };
 
 class NameExpr final : public Expr {
@@ -226,6 +240,9 @@ public:
 
 	TraversalCode Traverse(TraversalCallback* cb) const override;
 
+	// Optimization-related:
+	ExprPtr Duplicate() override;
+
 protected:
 	void ExprDescribe(ODesc* d) const override;
 
@@ -238,11 +255,15 @@ public:
 	explicit ConstExpr(ValPtr val);
 
 	Val* Value() const	{ return val.get(); }
+	ValPtr ValuePtr() const	{ return val; }
 
 	ValPtr Eval(Frame* f) const override;
 
 	TraversalCode Traverse(TraversalCallback* cb) const override;
 
+	// Optimization-related:
+	ExprPtr Duplicate() override;
+
 protected:
 	void ExprDescribe(ODesc* d) const override;
 	ValPtr val;
@@ -261,6 +282,9 @@ public:
 
 	TraversalCode Traverse(TraversalCallback* cb) const override;
 
+	// Optimization-related:
+	ExprPtr Inline(Inliner* inl) override;
+
 protected:
 	UnaryExpr(BroExprTag arg_tag, ExprPtr arg_op);
 
@@ -286,6 +310,9 @@ public:
 
 	TraversalCode Traverse(TraversalCallback* cb) const override;
 
+	// Optimization-related:
+	ExprPtr Inline(Inliner* inl) override;
+
 protected:
 	BinaryExpr(BroExprTag arg_tag,
 	           ExprPtr arg_op1, ExprPtr arg_op2)
@@ -325,6 +352,11 @@ protected:
 	// operands and also set expression's type).
 	void PromoteType(TypeTag t, bool is_vector);
 
+	// Promote one of the operands to be "double" (if not already),
+	// to make it suitable for combining with the other "interval"
+	// operand, yielding an "interval" type.
+	void PromoteForInterval(ExprPtr& op);
+
 	void ExprDescribe(ODesc* d) const override;
 
 	ExprPtr op1;
@@ -336,6 +368,9 @@ public:
 	explicit CloneExpr(ExprPtr op);
 	ValPtr Eval(Frame* f) const override;
 
+	// Optimization-related:
+	ExprPtr Duplicate() override;
+
 protected:
 	ValPtr Fold(Val* v) const override;
 };
@@ -347,12 +382,18 @@ public:
 	ValPtr Eval(Frame* f) const override;
 	ValPtr DoSingleEval(Frame* f, Val* v) const;
 	bool IsPure() const override;
+
+	// Optimization-related:
+	ExprPtr Duplicate() override;
 };
 
 class ComplementExpr final : public UnaryExpr {
 public:
 	explicit ComplementExpr(ExprPtr op);
 
+	// Optimization-related:
+	ExprPtr Duplicate() override;
+
 protected:
 	ValPtr Fold(Val* v) const override;
 };
@@ -361,6 +402,9 @@ class NotExpr final : public UnaryExpr {
 public:
 	explicit NotExpr(ExprPtr op);
 
+	// Optimization-related:
+	ExprPtr Duplicate() override;
+
 protected:
 	ValPtr Fold(Val* v) const override;
 };
@@ -369,6 +413,9 @@ class PosExpr final : public UnaryExpr {
 public:
 	explicit PosExpr(ExprPtr op);
 
+	// Optimization-related:
+	ExprPtr Duplicate() override;
+
 protected:
 	ValPtr Fold(Val* v) const override;
 };
@@ -377,6 +424,9 @@ class NegExpr final : public UnaryExpr {
 public:
 	explicit NegExpr(ExprPtr op);
 
+	// Optimization-related:
+	ExprPtr Duplicate() override;
+
 protected:
 	ValPtr Fold(Val* v) const override;
 };
@@ -386,6 +436,9 @@ public:
 	explicit SizeExpr(ExprPtr op);
 	ValPtr Eval(Frame* f) const override;
 
+	// Optimization-related:
+	ExprPtr Duplicate() override;
+
 protected:
 	ValPtr Fold(Val* v) const override;
 };
@@ -394,35 +447,53 @@ class AddExpr final : public BinaryExpr {
 public:
 	AddExpr(ExprPtr op1, ExprPtr op2);
 	void Canonicize() override;
+
+	// Optimization-related:
+	ExprPtr Duplicate() override;
 };
 
 class AddToExpr final : public BinaryExpr {
 public:
 	AddToExpr(ExprPtr op1, ExprPtr op2);
 	ValPtr Eval(Frame* f) const override;
+
+	// Optimization-related:
+	ExprPtr Duplicate() override;
 };
 
 class RemoveFromExpr final : public BinaryExpr {
 public:
 	RemoveFromExpr(ExprPtr op1, ExprPtr op2);
 	ValPtr Eval(Frame* f) const override;
+
+	// Optimization-related:
+	ExprPtr Duplicate() override;
 };
 
 class SubExpr final : public BinaryExpr {
 public:
 	SubExpr(ExprPtr op1, ExprPtr op2);
+
+	// Optimization-related:
+	ExprPtr Duplicate() override;
 };
 
 class TimesExpr final : public BinaryExpr {
 public:
 	TimesExpr(ExprPtr op1, ExprPtr op2);
 	void Canonicize() override;
+
+	// Optimization-related:
+	ExprPtr Duplicate() override;
 };
 
 class DivideExpr final : public BinaryExpr {
 public:
 	DivideExpr(ExprPtr op1, ExprPtr op2);
 
+	// Optimization-related:
+	ExprPtr Duplicate() override;
+
 protected:
 	ValPtr AddrFold(Val* v1, Val* v2) const override;
 };
@@ -430,6 +501,9 @@ protected:
 class ModExpr final : public BinaryExpr {
 public:
 	ModExpr(ExprPtr op1, ExprPtr op2);
+
+	// Optimization-related:
+	ExprPtr Duplicate() override;
 };
 
 class BoolExpr final : public BinaryExpr {
@@ -438,11 +512,17 @@ public:
 
 	ValPtr Eval(Frame* f) const override;
 	ValPtr DoSingleEval(Frame* f, ValPtr v1, Expr* op2) const;
+
+	// Optimization-related:
+	ExprPtr Duplicate() override;
 };
 
 class BitExpr final : public BinaryExpr {
 public:
 	BitExpr(BroExprTag tag, ExprPtr op1, ExprPtr op2);
+
+	// Optimization-related:
+	ExprPtr Duplicate() override;
 };
 
 class EqExpr final : public BinaryExpr {
@@ -450,6 +530,9 @@ public:
 	EqExpr(BroExprTag tag, ExprPtr op1, ExprPtr op2);
 	void Canonicize() override;
 
+	// Optimization-related:
+	ExprPtr Duplicate() override;
+
 protected:
 	ValPtr Fold(Val* v1, Val* v2) const override;
 };
@@ -458,6 +541,9 @@ class RelExpr final : public BinaryExpr {
 public:
 	RelExpr(BroExprTag tag, ExprPtr op1, ExprPtr op2);
 	void Canonicize() override;
+
+	// Optimization-related:
+	ExprPtr Duplicate() override;
 };
 
 class CondExpr final : public Expr {
@@ -473,6 +559,10 @@ public:
 
 	TraversalCode Traverse(TraversalCallback* cb) const override;
 
+	// Optimization-related:
+	ExprPtr Duplicate() override;
+	ExprPtr Inline(Inliner* inl) override;
+
 protected:
 	void ExprDescribe(ODesc* d) const override;
 
@@ -487,6 +577,9 @@ public:
 
 	void Assign(Frame* f, ValPtr v) override;
 	ExprPtr MakeLvalue() override;
+
+	// Optimization-related:
+	ExprPtr Duplicate() override;
 };
 
 class AssignExpr : public BinaryExpr {
@@ -509,6 +602,9 @@ public:
 		op2 = std::move(e);
 		}
 
+	// Optimization-related:
+	ExprPtr Duplicate() override;
+
 protected:
 	bool TypeCheck(const AttributesPtr& attrs = nullptr);
 	bool TypeCheckArithmetics(TypeTag bt1, TypeTag bt2);
@@ -522,6 +618,9 @@ public:
 	IndexSliceAssignExpr(ExprPtr op1,
 	                     ExprPtr op2, bool is_init);
 	ValPtr Eval(Frame* f) const override;
+
+	// Optimization-related:
+	ExprPtr Duplicate() override;
 };
 
 class IndexExpr : public BinaryExpr {
@@ -546,6 +645,9 @@ public:
 
 	bool IsSlice() const { return is_slice; }
 
+	// Optimization-related:
+	ExprPtr Duplicate() override;
+
 protected:
 	ValPtr Fold(Val* v1, Val* v2) const override;
 
@@ -585,6 +687,9 @@ public:
 
 		return v;
 		}
+
+	// Optimization-related:
+	ExprPtr Duplicate() override;
 };
 
 class FieldExpr final : public UnaryExpr {
@@ -602,6 +707,9 @@ public:
 
 	ExprPtr MakeLvalue() override;
 
+	// Optimization-related:
+	ExprPtr Duplicate() override;
+
 protected:
 	ValPtr Fold(Val* v) const override;
 
@@ -621,6 +729,9 @@ public:
 
 	const char* FieldName() const	{ return field_name; }
 
+	// Optimization-related:
+	ExprPtr Duplicate() override;
+
 protected:
 	ValPtr Fold(Val* v) const override;
 
@@ -643,6 +754,9 @@ public:
 
 	TraversalCode Traverse(TraversalCallback* cb) const override;
 
+	// Optimization-related:
+	ExprPtr Duplicate() override;
+
 protected:
 	ValPtr InitVal(const zeek::Type* t, ValPtr aggr) const override;
 
@@ -655,7 +769,8 @@ class TableConstructorExpr final : public UnaryExpr {
 public:
 	TableConstructorExpr(ListExprPtr constructor_list,
 	                     std::unique_ptr<std::vector<AttrPtr>> attrs,
-	                     TypePtr arg_type = nullptr);
+	                     TypePtr arg_type = nullptr,
+			     AttributesPtr arg_attrs = nullptr);
 
 	[[deprecated("Remove in v4.1.  Use GetAttrs().")]]
 	Attributes* Attrs() { return attrs.get(); }
@@ -665,6 +780,9 @@ public:
 
 	ValPtr Eval(Frame* f) const override;
 
+	// Optimization-related:
+	ExprPtr Duplicate() override;
+
 protected:
 	ValPtr InitVal(const zeek::Type* t, ValPtr aggr) const override;
 
@@ -677,7 +795,8 @@ class SetConstructorExpr final : public UnaryExpr {
 public:
 	SetConstructorExpr(ListExprPtr constructor_list,
 	                   std::unique_ptr<std::vector<AttrPtr>> attrs,
-	                   TypePtr arg_type = nullptr);
+	                   TypePtr arg_type = nullptr,
+			   AttributesPtr arg_attrs = nullptr);
 
 	[[deprecated("Remove in v4.1.  Use GetAttrs().")]]
 	Attributes* Attrs() { return attrs.get(); }
@@ -687,6 +806,9 @@ public:
 
 	ValPtr Eval(Frame* f) const override;
 
+	// Optimization-related:
+	ExprPtr Duplicate() override;
+
 protected:
 	ValPtr InitVal(const zeek::Type* t, ValPtr aggr) const override;
 
@@ -702,6 +824,9 @@ public:
 
 	ValPtr Eval(Frame* f) const override;
 
+	// Optimization-related:
+	ExprPtr Duplicate() override;
+
 protected:
 	ValPtr InitVal(const zeek::Type* t, ValPtr aggr) const override;
 
@@ -717,6 +842,9 @@ public:
 	void EvalIntoAggregate(const zeek::Type* t, Val* aggr, Frame* f) const override;
 	bool IsRecordElement(TypeDecl* td) const override;
 
+	// Optimization-related:
+	ExprPtr Duplicate() override;
+
 protected:
 	void ExprDescribe(ODesc* d) const override;
 
@@ -727,6 +855,9 @@ class ArithCoerceExpr final : public UnaryExpr {
 public:
 	ArithCoerceExpr(ExprPtr op, TypeTag t);
 
+	// Optimization-related:
+	ExprPtr Duplicate() override;
+
 protected:
 	ValPtr FoldSingleVal(Val* v, InternalTypeTag t) const;
 	ValPtr Fold(Val* v) const override;
@@ -737,6 +868,9 @@ public:
 	RecordCoerceExpr(ExprPtr op, RecordTypePtr r);
 	~RecordCoerceExpr() override;
 
+	// Optimization-related:
+	ExprPtr Duplicate() override;
+
 protected:
 	ValPtr InitVal(const zeek::Type* t, ValPtr aggr) const override;
 	ValPtr Fold(Val* v) const override;
@@ -752,6 +886,9 @@ public:
 	TableCoerceExpr(ExprPtr op, TableTypePtr r);
 	~TableCoerceExpr() override;
 
+	// Optimization-related:
+	ExprPtr Duplicate() override;
+
 protected:
 	ValPtr Fold(Val* v) const override;
 };
@@ -761,6 +898,9 @@ public:
 	VectorCoerceExpr(ExprPtr op, VectorTypePtr v);
 	~VectorCoerceExpr() override;
 
+	// Optimization-related:
+	ExprPtr Duplicate() override;
+
 protected:
 	ValPtr Fold(Val* v) const override;
 };
@@ -790,6 +930,10 @@ public:
 
 	TraversalCode Traverse(TraversalCallback* cb) const override;
 
+	// Optimization-related:
+	ExprPtr Duplicate() override;
+	ExprPtr Inline(Inliner* inl) override;
+
 protected:
 	void ExprDescribe(ODesc* d) const override;
 
@@ -801,6 +945,9 @@ class InExpr final : public BinaryExpr {
 public:
 	InExpr(ExprPtr op1, ExprPtr op2);
 
+	// Optimization-related:
+	ExprPtr Duplicate() override;
+
 protected:
 	ValPtr Fold(Val* v1, Val* v2) const override;
 
@@ -820,6 +967,10 @@ public:
 
 	TraversalCode Traverse(TraversalCallback* cb) const override;
 
+	// Optimization-related:
+	ExprPtr Duplicate() override;
+	ExprPtr Inline(Inliner* inl) override;
+
 protected:
 	void ExprDescribe(ODesc* d) const override;
 
@@ -843,6 +994,10 @@ public:
 
 	Scope* GetScope() const;
 
+	// Optimization-related:
+	ExprPtr Duplicate() override;
+	ExprPtr Inline(Inliner* inl) override;
+
 protected:
 	void ExprDescribe(ODesc* d) const override;
 
@@ -865,6 +1020,10 @@ public:
 
 	TraversalCode Traverse(TraversalCallback* cb) const override;
 
+	// Optimization-related:
+	ExprPtr Duplicate() override;
+	ExprPtr Inline(Inliner* inl) override;
+
 protected:
 	void ExprDescribe(ODesc* d) const override;
 
@@ -896,6 +1055,10 @@ public:
 
 	TraversalCode Traverse(TraversalCallback* cb) const override;
 
+	// Optimization-related:
+	ExprPtr Duplicate() override;
+	ExprPtr Inline(Inliner* inl) override;
+
 protected:
 	ValPtr AddSetInit(const zeek::Type* t, ValPtr aggr) const;
 
@@ -914,6 +1077,9 @@ class CastExpr final : public UnaryExpr {
 public:
 	CastExpr(ExprPtr op, TypePtr t);
 
+	// Optimization-related:
+	ExprPtr Duplicate() override;
+
 protected:
 	ValPtr Eval(Frame* f) const override;
 	void ExprDescribe(ODesc* d) const override;
@@ -923,6 +1089,9 @@ class IsExpr final : public UnaryExpr {
 public:
 	IsExpr(ExprPtr op, TypePtr t);
 
+	// Optimization-related:
+	ExprPtr Duplicate() override;
+
 protected:
 	ValPtr Fold(Val* v) const override;
 	void ExprDescribe(ODesc* d) const override;
@@ -931,6 +1100,10 @@ private:
 	TypePtr t;
 };
 
+
+#include "zeek/script_opt/ExprOpt-Subclasses.h"
+
+
 inline Val* Expr::ExprVal() const
 	{
 	if ( ! IsConst() )

src/Frame.cc

@@ -30,6 +30,8 @@ Frame::Frame(int arg_size, const ScriptFunc* func, const zeek::Args* fn_args)
 	delayed = false;
 
 	closure = nullptr;
+
+	current_offset = 0;
 	}
 
 Frame::~Frame()
@@ -68,12 +70,16 @@ void Frame::SetElement(int n, Val* v)
 
 void Frame::SetElement(int n, ValPtr v)
 	{
+	n += current_offset;
+
 	ClearElement(n);
 	frame[n] = {std::move(v), false};
 	}
 
 void Frame::SetElementWeak(int n, Val* v)
 	{
+	n += current_offset;
+
 	ClearElement(n);
 	frame[n] = {{AdoptRef{}, v}, true};
 	}
@@ -120,10 +126,10 @@ const ValPtr& Frame::GetElementByID(const ID* id) const
 		{
 		auto where = offset_map->find(std::string(id->Name()));
 		if ( where != offset_map->end() )
-			return frame[where->second].val;
+			return frame[where->second + current_offset].val;
 		}
 
-	return frame[id->Offset()].val;
+	return frame[id->Offset() + current_offset].val;
 	}
 
 void Frame::Reset(int startIdx)
@@ -142,7 +148,7 @@ void Frame::Reset(int startIdx)
 		functions_with_closure_frame_reference.reset();
 		}
 
-	for ( int i = startIdx; i < size; ++i )
+	for ( int i = startIdx + current_offset; i < size; ++i )
 		ClearElement(i);
 	}
 
@@ -244,7 +250,7 @@ Frame* Frame::SelectiveClone(const IDPList& selection, ScriptFunc* func) const
 				}
 			}
 
-		if ( ! frame[id->Offset()].val )
+		if ( ! frame[id->Offset() + current_offset].val )
 			reporter->InternalError("Attempted to clone an id ('%s') with no associated value.", id->Name());
 
 		CloneNonFuncElement(id->Offset(), func, other);

src/Frame.h

@@ -98,6 +98,15 @@ public:
 	Val* GetElement(const ID* id) const
 		{ return GetElementByID(id).get(); }
 
+	/**
+	 * Increases the current offset being used for frame accesses.
+	 * This is in support of inlined functions.
+	 *
+	 * @param incr  Amount by which to increase the frame offset.
+	 *              Use a negative value to shrink the offset.
+	 */
+	void IncreaseOffset(int incr)   { current_offset += incr; } 
+
 	/**
 	 * Resets all of the indexes from [*startIdx, frame_size) in
 	 * the Frame.
@@ -316,6 +325,12 @@ private:
 	/** Associates ID's offsets with values. */
 	std::unique_ptr<Element[]> frame;
 
+	/** The offset we're currently using for references into the frame.
+	 * This is how we support inlined functions without having to
+	 * alter the offsets associated with their local variables.
+	 */
+	int current_offset;
+
 	/** The enclosing frame of this frame. */
 	Frame* closure;
 

src/Func.cc

@@ -115,7 +115,7 @@ std::string render_call_stack()
 
 		if ( ci.call )
 			{
-			auto loc = ci.call->GetLocationInfo();
+			auto loc = ci.call->Original()->GetLocationInfo();
 			rval += util::fmt(" at %s:%d", loc->filename, loc->first_line);
 			}
 
@@ -310,6 +310,7 @@ ScriptFunc::ScriptFunc(const IDPtr& arg_id, StmtPtr arg_body,
 		{
 		Body b;
 		b.stmts = AddInits(std::move(arg_body), aggr_inits);
+		current_body = b.stmts;
 		b.priority = priority;
 		bodies.push_back(b);
 		}
@@ -385,7 +386,7 @@ ValPtr ScriptFunc::Invoke(zeek::Args* args, Frame* parent) const
 		{
 		if ( sample_logger )
 			sample_logger->LocationSeen(
-				body.stmts->GetLocationInfo());
+				body.stmts->Original()->GetLocationInfo());
 
 		// Fill in the rest of the frame with the function's arguments.
 		for ( auto j = 0u; j < args->size(); ++j )
@@ -497,6 +498,8 @@ void ScriptFunc::AddBody(StmtPtr new_body,
 	b.stmts = new_body;
 	b.priority = priority;
 
+	current_body = new_body;
+
 	bodies.push_back(b);
 	sort(bodies.begin(), bodies.end());
 	}
@@ -627,6 +630,7 @@ BuiltinFunc::BuiltinFunc(built_in_func arg_func, const char* arg_name,
 
 	type = id->GetType<FuncType>();
 	id->SetVal(make_intrusive<Val>(IntrusivePtr{NewRef{}, this}));
+	id->SetConst();
 	}
 
 BuiltinFunc::~BuiltinFunc()

src/Func.h

@@ -10,6 +10,7 @@
 #include <type_traits>
 
 #include "zeek/ZeekList.h"
+#include "zeek/Stmt.h"
 #include "zeek/Obj.h"
 #include "zeek/IntrusivePtr.h"
 #include "zeek/Type.h" /* for function_flavor */
@@ -43,6 +44,8 @@ using ScopePtr = IntrusivePtr<Scope>;
 using IDPtr = IntrusivePtr<ID>;
 using StmtPtr = IntrusivePtr<Stmt>;
 
+class ScriptFunc;
+
 } // namespace detail
 
 class Func;
@@ -60,6 +63,18 @@ public:
 
 	~Func() override;
 
+        zeek::detail::ScriptFunc* AsScriptFunc()
+                {
+		return GetKind() == SCRIPT_FUNC ?
+				(zeek::detail::ScriptFunc*) this : nullptr;
+		}
+
+        const zeek::detail::ScriptFunc* AsScriptFunc() const
+                {
+		return GetKind() == SCRIPT_FUNC ?
+				(zeek::detail::ScriptFunc*) this : nullptr;
+		}
+
 	virtual bool IsPure() const = 0;
 	FunctionFlavor Flavor() const	{ return GetType()->Flavor(); }
 
@@ -193,6 +208,22 @@ public:
 	             const std::vector<IDPtr>& new_inits,
 	             size_t new_frame_size, int priority) override;
 
+	StmtPtr CurrentBody() const		{ return current_body; }
+
+	/**
+	 * Returns the function's frame size.
+	 * @return  The number of ValPtr slots in the function's frame.
+	 */
+	int FrameSize() const			{ return frame_size; }
+
+	/**
+	 * Changes the function's frame size to a new size - used for
+	 * script optimization/compilation.
+	 * 
+	 * @param new_size  The frame size the function should use.
+	 */
+	void SetFrameSize(int new_size)		{ frame_size = new_size; }
+
 	/** Sets this function's outer_id list. */
 	void SetOuterIDs(IDPList ids)
 		{ outer_ids = std::move(ids); }
@@ -226,6 +257,9 @@ private:
 	// The frame the ScriptFunc was initialized in.
 	Frame* closure = nullptr;
 	bool weak_closure_ref = false;
+
+	// The most recently added/updated body.
+	StmtPtr current_body;
 };
 
 using built_in_func = BifReturnVal (*)(Frame* frame, const Args* args);

src/Options.cc

@@ -3,6 +3,7 @@
 #include "zeek-config.h"
 
 #include "zeek/Options.h"
+#include "zeek/script_opt/ScriptOpt.h"
 
 #include <unistd.h>
 
@@ -104,6 +105,7 @@ void usage(const char* prog, int code)
 	fprintf(stderr, "    -H|--save-seeds <file>         | save seeds to given file\n");
 	fprintf(stderr, "    -I|--print-id <ID name>        | print out given ID\n");
 	fprintf(stderr, "    -N|--print-plugins             | print available plugins and exit (-NN for verbose)\n");
+	fprintf(stderr, "    -O|--optimize[=<option>]       | enable script optimization (use -O help for options)\n");
 	fprintf(stderr, "    -P|--prime-dns                 | prime DNS\n");
 	fprintf(stderr, "    -Q|--time                      | print execution time summary to stderr\n");
 	fprintf(stderr, "    -S|--debug-rules               | enable rule debugging\n");
@@ -141,6 +143,30 @@ void usage(const char* prog, int code)
 	exit(code);
 	}
 
+static void set_analysis_option(const char* opt, Options& opts)
+	{
+	if ( util::streq(opt, "help") )
+		{
+		fprintf(stderr, "--optimize options:\n");
+		fprintf(stderr, "    help	print this list\n");
+		fprintf(stderr, "    inline	inline function calls\n");
+		fprintf(stderr, "    recursive	report on recursive functions and exit\n");
+		exit(0);
+		}
+
+	if ( util::streq(opt, "inline") )
+		opts.analysis_options.inliner = true;
+	else if ( util::streq(opt, "recursive") )
+		opts.analysis_options.inliner =
+			opts.analysis_options.report_recursive = true;
+
+	else
+		{
+		fprintf(stderr,"zeek: unrecognized --optimize option: %s\n", opt);
+		exit(1);
+		}
+	}
+
 Options parse_cmdline(int argc, char** argv)
 	{
 	Options rval;
@@ -252,6 +278,7 @@ Options parse_cmdline(int argc, char** argv)
 		{"load-seeds",		required_argument,	nullptr,	'G'},
 		{"save-seeds",		required_argument,	nullptr,	'H'},
 		{"print-plugins",	no_argument,		nullptr,	'N'},
+		{"optimize",		required_argument,	nullptr,	'O'},
 		{"prime-dns",		no_argument,		nullptr,	'P'},
 		{"time",		no_argument,		nullptr,	'Q'},
 		{"debug-rules",		no_argument,		nullptr,	'S'},
@@ -279,7 +306,7 @@ Options parse_cmdline(int argc, char** argv)
 	};
 
 	char opts[256];
-	util::safe_strncpy(opts, "B:e:f:G:H:I:i:j::n:p:r:s:T:t:U:w:X:CDFNPQSWabdhv",
+	util::safe_strncpy(opts, "B:e:f:G:H:I:i:j::n:O:p:r:s:T:t:U:w:X:CDFNPQSWabdhv",
 	                         sizeof(opts));
 
 #ifdef USE_PERFTOOLS_DEBUG
@@ -401,6 +428,9 @@ Options parse_cmdline(int argc, char** argv)
 		case 'N':
 			++rval.print_plugins;
 			break;
+		case 'O':
+			set_analysis_option(optarg, rval);
+			break;
 		case 'P':
 			if ( rval.dns_mode != detail::DNS_DEFAULT )
 				usage(zargs[0], 1);

src/Options.h

@@ -7,6 +7,7 @@
 #include <vector>
 
 #include "zeek/DNS_Mgr.h"
+#include "zeek/script_opt/ScriptOpt.h"
 
 namespace zeek {
 
@@ -76,6 +77,9 @@ struct Options {
 	std::vector<std::string> script_options_to_set;
 
 	std::vector<std::string> script_args;
+
+	// For script optimization:
+	detail::AnalyOpt analysis_options;
 };
 
 /**

src/Scope.cc

@@ -188,6 +188,7 @@ IDPtr install_ID(const char* name, const char* module_name,
 
 void push_existing_scope(Scope* scope)
 	{
+	top_scope = scope;
 	scopes.push_back(scope);
 	}
 

src/Scope.h

@@ -44,9 +44,14 @@ public:
 		{ return Find(name).get(); }
 
 	template<typename N, typename I>
-	void Insert(N&& name, I&& id) { local[std::forward<N>(name)] = std::forward<I>(id); }
+	void Insert(N&& name, I&& id)
+		{
+		local[std::forward<N>(name)] = std::forward<I>(id);
+		ordered_vars.push_back(std::forward<I>(id));
+		}
 
 	IDPtr Remove(std::string_view name);
+	[[deprecated("Remove in v4.1 as an unused API call.")]]
 
 	[[deprecated("Remove in v4.1.  Use GetID().")]]
 	ID* ScopeID() const		{ return scope_id.get(); }
@@ -64,7 +69,8 @@ public:
 		{ return return_type; }
 
 	size_t Length() const		{ return local.size(); }
-	const auto& Vars()	{ return local; }
+	const auto& Vars() const	{ return local; }
+	const auto& OrderedVars() const	{ return ordered_vars; }
 
 	IDPtr GenerateTemporary(const char* name);
 
@@ -86,6 +92,13 @@ protected:
 	TypePtr return_type;
 	std::map<std::string, IDPtr, std::less<>> local;
 	std::vector<IDPtr> inits;
+
+	// We keep track of identifiers in the order that they're added.
+	// This is necessary for script optimization to be able to find
+	// event/hook parameters for instances where the declaration of
+	// an additional handler uses different names for the parameters
+	// than the original declaration.
+	std::vector<IntrusivePtr<ID>> ordered_vars;
 };
 
 // If no_global is true, don't search in the default "global" namespace.

src/ScriptCoverageManager.cc

@@ -133,7 +133,7 @@ bool ScriptCoverageManager::WriteStats()
 	      it != stmts.end(); ++it )
 		{
 		ODesc location_info;
-		(*it)->GetLocationInfo()->Describe(&location_info);
+		(*it)->Original()->GetLocationInfo()->Describe(&location_info);
 		ODesc desc_info;
 		(*it)->Describe(&desc_info);
 		string desc(desc_info.Description());

src/Stmt.cc

@@ -70,6 +70,30 @@ ForStmt* Stmt::AsForStmt()
 	return (ForStmt*) this;
 	}
 
+const ForStmt* Stmt::AsForStmt() const
+	{
+	CHECK_TAG(tag, STMT_FOR, "Stmt::AsForStmt", stmt_name)
+	return (const ForStmt*) this;
+	}
+
+const InitStmt* Stmt::AsInitStmt() const
+	{
+	CHECK_TAG(tag, STMT_INIT, "Stmt::AsInitStmt", stmt_name)
+	return (const InitStmt*) this;
+	}
+
+const WhenStmt* Stmt::AsWhenStmt() const
+	{
+	CHECK_TAG(tag, STMT_WHEN, "Stmt::AsWhenStmt", stmt_name)
+	return (const WhenStmt*) this;
+	}
+
+const SwitchStmt* Stmt::AsSwitchStmt() const
+	{
+	CHECK_TAG(tag, STMT_SWITCH, "Stmt::AsSwitchStmt", stmt_name)
+	return (const SwitchStmt*) this;
+	}
+
 bool Stmt::SetLocationInfo(const Location* start, const Location* end)
 	{
 	if ( ! Obj::SetLocationInfo(start, end) )
@@ -83,7 +107,8 @@ bool Stmt::SetLocationInfo(const Location* start, const Location* end)
 
 	Filemap& map = *(map_iter->second);
 
-	StmtLocMapping* new_mapping = new StmtLocMapping(GetLocationInfo(), this);
+	StmtLocMapping* new_mapping =
+		new StmtLocMapping(Original()->GetLocationInfo(), this);
 
 	// Optimistically just put it at the end.
 	map.push_back(new_mapping);
@@ -111,6 +136,11 @@ bool Stmt::IsPure() const
 	}
 
 void Stmt::Describe(ODesc* d) const
+	{
+	StmtDescribe(d);
+	}
+
+void Stmt::StmtDescribe(ODesc* d) const
 	{
 	if ( ! d->IsReadable() || Tag() != STMT_EXPR )
 		AddTag(d);
@@ -163,7 +193,7 @@ ExprListStmt::ExprListStmt(StmtTag t, ListExprPtr arg_l)
 			Error("value of type void illegal");
 		}
 
-	SetLocationInfo(l->GetLocationInfo());
+	SetLocationInfo(l->Original()->GetLocationInfo());
 	}
 
 ExprListStmt::~ExprListStmt() = default;
@@ -181,9 +211,9 @@ ValPtr ExprListStmt::Exec(Frame* f, StmtFlowType& flow) const
 	return nullptr;
 	}
 
-void ExprListStmt::Describe(ODesc* d) const
+void ExprListStmt::StmtDescribe(ODesc* d) const
 	{
-	Stmt::Describe(d);
+	Stmt::StmtDescribe(d);
 	l->Describe(d);
 	DescribeDone(d);
 	}
@@ -314,13 +344,13 @@ ExprStmt::ExprStmt(ExprPtr arg_e) : Stmt(STMT_EXPR), e(std::move(arg_e))
 	if ( e && e->IsPure() )
 		Warn("expression value ignored");
 
-	SetLocationInfo(e->GetLocationInfo());
+	SetLocationInfo(e->Original()->GetLocationInfo());
 	}
 
 ExprStmt::ExprStmt(StmtTag t, ExprPtr arg_e) : Stmt(t), e(std::move(arg_e))
 	{
 	if ( e )
-		SetLocationInfo(e->GetLocationInfo());
+		SetLocationInfo(e->Original()->GetLocationInfo());
 	}
 
 ExprStmt::~ExprStmt() = default;
@@ -348,9 +378,9 @@ bool ExprStmt::IsPure() const
 	return ! e || e->IsPure();
 	}
 
-void ExprStmt::Describe(ODesc* d) const
+void ExprStmt::StmtDescribe(ODesc* d) const
 	{
-	Stmt::Describe(d);
+	Stmt::StmtDescribe(d);
 
 	if ( d->IsReadable() && Tag() == STMT_IF )
 		d->Add("(");
@@ -393,8 +423,8 @@ IfStmt::IfStmt(ExprPtr test,
 	if ( ! e->IsError() && ! IsBool(e->GetType()->Tag()) )
 		e->Error("conditional in test must be boolean");
 
-	const Location* loc1 = s1->GetLocationInfo();
+	const Location* loc1 = s1->Original()->GetLocationInfo();
-	const Location* loc2 = s2->GetLocationInfo();
+	const Location* loc2 = s2->Original()->GetLocationInfo();
 	SetLocationInfo(loc1, loc2);
 	}
 
@@ -425,9 +455,9 @@ bool IfStmt::IsPure() const
 	return e->IsPure() && s1->IsPure() && s2->IsPure();
 	}
 
-void IfStmt::Describe(ODesc* d) const
+void IfStmt::StmtDescribe(ODesc* d) const
 	{
-	ExprStmt::Describe(d);
+	ExprStmt::StmtDescribe(d);
 
 	d->PushIndent();
 	s1->AccessStats(d);
@@ -775,7 +805,7 @@ bool SwitchStmt::AddCaseLabelValueMapping(const Val* v, int idx)
 
 	if ( ! hk )
 		{
-		reporter->PushLocation(e->GetLocationInfo());
+		reporter->PushLocation(e->Original()->GetLocationInfo());
 		reporter->InternalError("switch expression type mismatch (%s/%s)",
 		                        type_name(v->GetType()->Tag()),
 		                        type_name(e->GetType()->Tag()));
@@ -816,7 +846,7 @@ std::pair<int, ID*> SwitchStmt::FindCaseLabelMatch(const Val* v) const
 
 		if ( ! hk )
 			{
-			reporter->PushLocation(e->GetLocationInfo());
+			reporter->PushLocation(e->Original()->GetLocationInfo());
 			reporter->Error("switch expression type mismatch (%s/%s)",
 			                type_name(v->GetType()->Tag()),
 			                type_name(e->GetType()->Tag()));
@@ -895,9 +925,9 @@ bool SwitchStmt::IsPure() const
 	return true;
 	}
 
-void SwitchStmt::Describe(ODesc* d) const
+void SwitchStmt::StmtDescribe(ODesc* d) const
 	{
-	ExprStmt::Describe(d);
+	ExprStmt::StmtDescribe(d);
 
 	if ( ! d->IsBinary() )
 		d->Add("{");
@@ -1048,9 +1078,9 @@ bool WhileStmt::IsPure() const
 	return loop_condition->IsPure() && body->IsPure();
 	}
 
-void WhileStmt::Describe(ODesc* d) const
+void WhileStmt::StmtDescribe(ODesc* d) const
 	{
-	Stmt::Describe(d);
+	Stmt::StmtDescribe(d);
 
 	if ( d->IsReadable() )
 		d->Add("(");
@@ -1326,9 +1356,9 @@ bool ForStmt::IsPure() const
 	return e->IsPure() && body->IsPure();
 	}
 
-void ForStmt::Describe(ODesc* d) const
+void ForStmt::StmtDescribe(ODesc* d) const
 	{
-	Stmt::Describe(d);
+	Stmt::StmtDescribe(d);
 
 	if ( d->IsReadable() )
 		d->Add("(");
@@ -1395,9 +1425,9 @@ bool NextStmt::IsPure() const
 	return true;
 	}
 
-void NextStmt::Describe(ODesc* d) const
+void NextStmt::StmtDescribe(ODesc* d) const
 	{
-	Stmt::Describe(d);
+	Stmt::StmtDescribe(d);
 	Stmt::DescribeDone(d);
 	}
 
@@ -1422,9 +1452,9 @@ bool BreakStmt::IsPure() const
 	return true;
 	}
 
-void BreakStmt::Describe(ODesc* d) const
+void BreakStmt::StmtDescribe(ODesc* d) const
 	{
-	Stmt::Describe(d);
+	Stmt::StmtDescribe(d);
 	Stmt::DescribeDone(d);
 	}
 
@@ -1449,9 +1479,9 @@ bool FallthroughStmt::IsPure() const
 	return false;
 	}
 
-void FallthroughStmt::Describe(ODesc* d) const
+void FallthroughStmt::StmtDescribe(ODesc* d) const
 	{
-	Stmt::Describe(d);
+	Stmt::StmtDescribe(d);
 	Stmt::DescribeDone(d);
 	}
 
@@ -1519,9 +1549,9 @@ ValPtr ReturnStmt::Exec(Frame* f, StmtFlowType& flow) const
 		return nullptr;
 	}
 
-void ReturnStmt::Describe(ODesc* d) const
+void ReturnStmt::StmtDescribe(ODesc* d) const
 	{
-	Stmt::Describe(d);
+	Stmt::StmtDescribe(d);
 	if ( ! d->IsReadable() )
 		d->Add(e != nullptr);
 
@@ -1581,7 +1611,7 @@ bool StmtList::IsPure() const
 	return true;
 	}
 
-void StmtList::Describe(ODesc* d) const
+void StmtList::StmtDescribe(ODesc* d) const
 	{
 	if ( ! d->IsReadable() )
 		{
@@ -1657,7 +1687,7 @@ ValPtr EventBodyList::Exec(Frame* f, StmtFlowType& flow) const
 	return nullptr;
 	}
 
-void EventBodyList::Describe(ODesc* d) const
+void EventBodyList::StmtDescribe(ODesc* d) const
 	{
 	if ( d->IsReadable() && stmts.length() > 0 )
 		{
@@ -1681,7 +1711,7 @@ void EventBodyList::Describe(ODesc* d) const
 		}
 
 	else
-		StmtList::Describe(d);
+		StmtList::StmtDescribe(d);
 	}
 
 InitStmt::InitStmt(std::vector<IDPtr> arg_inits) : Stmt(STMT_INIT)
@@ -1724,7 +1754,7 @@ ValPtr InitStmt::Exec(Frame* f, StmtFlowType& flow) const
 	return nullptr;
 	}
 
-void InitStmt::Describe(ODesc* d) const
+void InitStmt::StmtDescribe(ODesc* d) const
 	{
 	AddTag(d);
 
@@ -1769,7 +1799,7 @@ bool NullStmt::IsPure() const
 	return true;
 	}
 
-void NullStmt::Describe(ODesc* d) const
+void NullStmt::StmtDescribe(ODesc* d) const
 	{
 	if ( d->IsReadable() )
 		DescribeDone(d);
@@ -1831,9 +1861,9 @@ bool WhenStmt::IsPure() const
 	return cond->IsPure() && s1->IsPure() && (! s2 || s2->IsPure());
 	}
 
-void WhenStmt::Describe(ODesc* d) const
+void WhenStmt::StmtDescribe(ODesc* d) const
 	{
-	Stmt::Describe(d);
+	Stmt::StmtDescribe(d);
 
 	if ( d->IsReadable() )
 		d->Add("(");

src/Stmt.h

@@ -2,86 +2,27 @@
 
 #pragma once
 
+// Zeek statements.
+
+#include "zeek/StmtBase.h"
+
 #include "zeek/ZeekList.h"
 #include "zeek/Dict.h"
 #include "zeek/ID.h"
-#include "zeek/Obj.h"
-#include "zeek/StmtEnums.h"
-#include "zeek/TraverseTypes.h"
 
 ZEEK_FORWARD_DECLARE_NAMESPACED(CompositeHash, zeek::detail);
-ZEEK_FORWARD_DECLARE_NAMESPACED(Frame, zeek::detail);
-
-namespace zeek::run_state { extern double network_time; }
 
 namespace zeek::detail {
 
-class StmtList;
-class ForStmt;
-class EventExpr;
-class ListExpr;
-
-using EventExprPtr = IntrusivePtr<EventExpr>;
-using ListExprPtr = IntrusivePtr<ListExpr>;
-
-class Stmt;
-using StmtPtr = IntrusivePtr<Stmt>;
-
-class Stmt : public Obj {
-public:
-	StmtTag Tag() const	{ return tag; }
-
-	~Stmt() override;
-
-	virtual ValPtr Exec(Frame* f, StmtFlowType& flow) const = 0;
-
-	Stmt* Ref()			{ zeek::Ref(this); return this; }
-
-	bool SetLocationInfo(const Location* loc) override
-		{ return Stmt::SetLocationInfo(loc, loc); }
-	bool SetLocationInfo(const Location* start, const Location* end) override;
-
-	// True if the statement has no side effects, false otherwise.
-	virtual bool IsPure() const;
-
-	StmtList* AsStmtList();
-	const StmtList* AsStmtList() const;
-
-	ForStmt* AsForStmt();
-
-	void RegisterAccess() const	{ last_access = run_state::network_time; access_count++; }
-	void AccessStats(ODesc* d) const;
-	uint32_t GetAccessCount() const { return access_count; }
-
-	void Describe(ODesc* d) const override;
-
-	virtual void IncrBPCount()	{ ++breakpoint_count; }
-	virtual void DecrBPCount();
-
-	virtual unsigned int BPCount() const	{ return breakpoint_count; }
-
-	virtual TraversalCode Traverse(TraversalCallback* cb) const = 0;
-
-protected:
-	explicit Stmt(StmtTag arg_tag);
-
-	void AddTag(ODesc* d) const;
-	void DescribeDone(ODesc* d) const;
-
-	StmtTag tag;
-	int breakpoint_count;	// how many breakpoints on this statement
-
-	// FIXME: Learn the exact semantics of mutable.
-	mutable double last_access;	// time of last execution
-	mutable uint32_t access_count;	// number of executions
-};
-
 class ExprListStmt : public Stmt {
 public:
 	const ListExpr* ExprList() const	{ return l.get(); }
 
 	TraversalCode Traverse(TraversalCallback* cb) const override;
 
+	// Optimization-related:
+	void Inline(Inliner* inl) override;
+
 protected:
 	ExprListStmt(StmtTag t, ListExprPtr arg_l);
 
@@ -91,7 +32,7 @@ protected:
 	virtual ValPtr DoExec(std::vector<ValPtr> vals,
 	                      StmtFlowType& flow) const = 0;
 
-	void Describe(ODesc* d) const override;
+	void StmtDescribe(ODesc* d) const override;
 
 	ListExprPtr l;
 };
@@ -101,6 +42,9 @@ public:
 	template<typename L>
 	explicit PrintStmt(L&& l) : ExprListStmt(STMT_PRINT, std::forward<L>(l)) { }
 
+	// Optimization-related:
+	StmtPtr Duplicate() override;
+
 protected:
 	ValPtr DoExec(std::vector<ValPtr> vals,
 	              StmtFlowType& flow) const override;
@@ -115,10 +59,14 @@ public:
 
 	const Expr* StmtExpr() const	{ return e.get(); }
 
-	void Describe(ODesc* d) const override;
+	void StmtDescribe(ODesc* d) const override;
 
 	TraversalCode Traverse(TraversalCallback* cb) const override;
 
+	// Optimization-related:
+	StmtPtr Duplicate() override;
+	void Inline(Inliner* inl) override;
+
 protected:
 	ExprStmt(StmtTag t, ExprPtr e);
 
@@ -137,10 +85,14 @@ public:
 	const Stmt* TrueBranch() const	{ return s1.get(); }
 	const Stmt* FalseBranch() const	{ return s2.get(); }
 
-	void Describe(ODesc* d) const override;
+	void StmtDescribe(ODesc* d) const override;
 
 	TraversalCode Traverse(TraversalCallback* cb) const override;
 
+	// Optimization-related:
+	StmtPtr Duplicate() override;
+	void Inline(Inliner* inl) override;
+
 protected:
 	ValPtr DoExec(Frame* f, Val* v, StmtFlowType& flow) const override;
 	bool IsPure() const override;
@@ -167,6 +119,9 @@ public:
 
 	TraversalCode Traverse(TraversalCallback* cb) const;
 
+	// Optimization-related:
+	IntrusivePtr<Case> Duplicate();
+
 protected:
 	ListExprPtr expr_cases;
 	IDPList* type_cases;
@@ -182,10 +137,14 @@ public:
 
 	const case_list* Cases() const	{ return cases; }
 
-	void Describe(ODesc* d) const override;
+	void StmtDescribe(ODesc* d) const override;
 
 	TraversalCode Traverse(TraversalCallback* cb) const override;
 
+	// Optimization-related:
+	StmtPtr Duplicate() override;
+	void Inline(Inliner* inl) override;
+
 protected:
 	ValPtr DoExec(Frame* f, Val* v, StmtFlowType& flow) const override;
 	bool IsPure() const override;
@@ -224,6 +183,9 @@ public:
 	ValPtr Exec(Frame* f, StmtFlowType& flow) const override;
 
 	TraversalCode Traverse(TraversalCallback* cb) const override;
+
+	// Optimization-related:
+	StmtPtr Duplicate() override;
 };
 
 class DelStmt final : public ExprStmt {
@@ -234,6 +196,9 @@ public:
 	ValPtr Exec(Frame* f, StmtFlowType& flow) const override;
 
 	TraversalCode Traverse(TraversalCallback* cb) const override;
+
+	// Optimization-related:
+	StmtPtr Duplicate() override;
 };
 
 class EventStmt final : public ExprStmt {
@@ -244,6 +209,9 @@ public:
 
 	TraversalCode Traverse(TraversalCallback* cb) const override;
 
+	// Optimization-related:
+	StmtPtr Duplicate() override;
+
 protected:
 	EventExprPtr event_expr;
 };
@@ -256,15 +224,27 @@ public:
 
 	bool IsPure() const override;
 
-	void Describe(ODesc* d) const override;
+	void StmtDescribe(ODesc* d) const override;
 
 	TraversalCode Traverse(TraversalCallback* cb) const override;
 
+	// Optimization-related:
+	const Stmt* CondStmt() const
+		{ return loop_cond_stmt ? loop_cond_stmt.get() : nullptr; }
+	StmtPtr Duplicate() override;
+	void Inline(Inliner* inl) override;
+
 protected:
 	ValPtr Exec(Frame* f, StmtFlowType& flow) const override;
 
 	ExprPtr loop_condition;
 	StmtPtr body;
+
+	// Optimization-related member variables.
+
+	// When in reduced form, the following holds a statement (which
+	// might be a block) for evaluating the loop's conditional.
+	StmtPtr loop_cond_stmt = nullptr;
 };
 
 class ForStmt final : public ExprStmt {
@@ -276,16 +256,21 @@ public:
 
 	void AddBody(StmtPtr arg_body)	{ body = std::move(arg_body); }
 
-	const IDPList* LoopVar() const	{ return loop_vars; }
+	const IDPList* LoopVars() const	{ return loop_vars; }
+	IDPtr ValueVar() const		{ return value_var; }
 	const Expr* LoopExpr() const	{ return e.get(); }
 	const Stmt* LoopBody() const	{ return body.get(); }
 
 	bool IsPure() const override;
 
-	void Describe(ODesc* d) const override;
+	void StmtDescribe(ODesc* d) const override;
 
 	TraversalCode Traverse(TraversalCallback* cb) const override;
 
+	// Optimization-related:
+	StmtPtr Duplicate() override;
+	void Inline(Inliner* inl) override;
+
 protected:
 	ValPtr DoExec(Frame* f, Val* v, StmtFlowType& flow) const override;
 
@@ -303,10 +288,12 @@ public:
 	ValPtr Exec(Frame* f, StmtFlowType& flow) const override;
 	bool IsPure() const override;
 
-	void Describe(ODesc* d) const override;
+	void StmtDescribe(ODesc* d) const override;
 
 	TraversalCode Traverse(TraversalCallback* cb) const override;
 
+	// Optimization-related:
+	StmtPtr Duplicate() override	{ return SetSucc(new NextStmt()); }
 protected:
 };
 
@@ -317,10 +304,13 @@ public:
 	ValPtr Exec(Frame* f, StmtFlowType& flow) const override;
 	bool IsPure() const override;
 
-	void Describe(ODesc* d) const override;
+	void StmtDescribe(ODesc* d) const override;
 
 	TraversalCode Traverse(TraversalCallback* cb) const override;
 
+	// Optimization-related:
+	StmtPtr Duplicate() override	{ return SetSucc(new BreakStmt()); }
+
 protected:
 };
 
@@ -331,10 +321,14 @@ public:
 	ValPtr Exec(Frame* f, StmtFlowType& flow) const override;
 	bool IsPure() const override;
 
-	void Describe(ODesc* d) const override;
+	void StmtDescribe(ODesc* d) const override;
 
 	TraversalCode Traverse(TraversalCallback* cb) const override;
 
+	// Optimization-related:
+	StmtPtr Duplicate() override
+		{ return SetSucc(new FallthroughStmt()); }
+
 protected:
 };
 
@@ -344,7 +338,14 @@ public:
 
 	ValPtr Exec(Frame* f, StmtFlowType& flow) const override;
 
-	void Describe(ODesc* d) const override;
+	void StmtDescribe(ODesc* d) const override;
+
+	// Optimization-related:
+	StmtPtr Duplicate() override;
+
+	// Constructor used for duplication, when we've already done
+	// all of the type-checking.
+	ReturnStmt(ExprPtr e, bool ignored);
 };
 
 class StmtList : public Stmt {
@@ -357,10 +358,14 @@ public:
 	const StmtPList& Stmts() const	{ return stmts; }
 	StmtPList& Stmts()		{ return stmts; }
 
-	void Describe(ODesc* d) const override;
+	void StmtDescribe(ODesc* d) const override;
 
 	TraversalCode Traverse(TraversalCallback* cb) const override;
 
+	// Optimization-related:
+	StmtPtr Duplicate() override;
+	void Inline(Inliner* inl) override;
+
 protected:
 	bool IsPure() const override;
 
@@ -374,7 +379,7 @@ public:
 
 	ValPtr Exec(Frame* f, StmtFlowType& flow) const override;
 
-	void Describe(ODesc* d) const override;
+	void StmtDescribe(ODesc* d) const override;
 
 	// "Topmost" means that this is the main body of a function or event.
 	// void SetTopmost(bool is_topmost)	{ topmost = is_topmost; }
@@ -393,10 +398,13 @@ public:
 	const std::vector<IDPtr>& Inits() const
 		{ return inits; }
 
-	void Describe(ODesc* d) const override;
+	void StmtDescribe(ODesc* d) const override;
 
 	TraversalCode Traverse(TraversalCallback* cb) const override;
 
+	// Optimization-related:
+	StmtPtr Duplicate() override;
+
 protected:
 	std::vector<IDPtr> inits;
 };
@@ -408,9 +416,12 @@ public:
 	ValPtr Exec(Frame* f, StmtFlowType& flow) const override;
 	bool IsPure() const override;
 
-	void Describe(ODesc* d) const override;
+	void StmtDescribe(ODesc* d) const override;
 
 	TraversalCode Traverse(TraversalCallback* cb) const override;
+
+	// Optimization-related:
+	StmtPtr Duplicate() override	{ return SetSucc(new NullStmt()); }
 };
 
 class WhenStmt final : public Stmt {
@@ -429,10 +440,14 @@ public:
 	const Expr* TimeoutExpr() const	{ return timeout.get(); }
 	const Stmt* TimeoutBody() const	{ return s2.get(); }
 
-	void Describe(ODesc* d) const override;
+	void StmtDescribe(ODesc* d) const override;
 
 	TraversalCode Traverse(TraversalCallback* cb) const override;
 
+	// Optimization-related:
+	StmtPtr Duplicate() override;
+	void Inline(Inliner* inl) override;
+
 protected:
 	ExprPtr cond;
 	StmtPtr s1;
@@ -443,7 +458,6 @@ protected:
 
 } // namespace zeek::detail
 
-using Stmt [[deprecated("Remove in v4.1. Use zeek::detail::Stmt instead.")]] = zeek::detail::Stmt;
 using ExprListStmt [[deprecated("Remove in v4.1. Use zeek::detail::ExprListStmt instead.")]] = zeek::detail::ExprListStmt;
 using PrintStmt [[deprecated("Remove in v4.1. Use zeek::detail::PrintStmt instead.")]] = zeek::detail::PrintStmt;
 using ExprStmt [[deprecated("Remove in v4.1. Use zeek::detail::ExprStmt instead.")]] = zeek::detail::ExprStmt;

src/StmtBase.h

@@ -0,0 +1,105 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#pragma once
+
+// Base class for Zeek statements.  We maintain it separately from
+// the bulk of Stmt.h to allow Expr.h to include it, necessary for
+// Expr.h to use StmtPtr.
+
+#include "zeek/Obj.h"
+#include "zeek/IntrusivePtr.h"
+#include "zeek/StmtEnums.h"
+#include "zeek/TraverseTypes.h"
+#include "zeek/util.h"
+
+ZEEK_FORWARD_DECLARE_NAMESPACED(CompositeHash, zeek::detail);
+ZEEK_FORWARD_DECLARE_NAMESPACED(Frame, zeek::detail);
+
+namespace zeek::run_state { extern double network_time; }
+
+namespace zeek {
+class Val;
+using ValPtr = IntrusivePtr<Val>;
+}
+
+namespace zeek::detail {
+
+class StmtList;
+class ForStmt;
+class InitStmt;
+class WhenStmt;
+class SwitchStmt;
+
+class EventExpr;
+class ListExpr;
+
+using EventExprPtr = IntrusivePtr<EventExpr>;
+using ListExprPtr = IntrusivePtr<ListExpr>;
+
+class Inliner;
+
+class Stmt;
+using StmtPtr = IntrusivePtr<Stmt>;
+
+class Stmt : public Obj {
+public:
+	StmtTag Tag() const	{ return tag; }
+
+	~Stmt() override;
+
+	virtual ValPtr Exec(Frame* f, StmtFlowType& flow) const = 0;
+
+	Stmt* Ref()			{ zeek::Ref(this); return this; }
+
+	bool SetLocationInfo(const Location* loc) override
+		{ return Stmt::SetLocationInfo(loc, loc); }
+	bool SetLocationInfo(const Location* start, const Location* end) override;
+
+	// True if the statement has no side effects, false otherwise.
+	virtual bool IsPure() const;
+
+	StmtList* AsStmtList();
+	const StmtList* AsStmtList() const;
+
+	ForStmt* AsForStmt();
+	const ForStmt* AsForStmt() const;
+
+	const InitStmt* AsInitStmt() const;
+	const WhenStmt* AsWhenStmt() const;
+	const SwitchStmt* AsSwitchStmt() const;
+
+	void RegisterAccess() const	{ last_access = run_state::network_time; access_count++; }
+	void AccessStats(ODesc* d) const;
+	uint32_t GetAccessCount() const { return access_count; }
+
+	void Describe(ODesc* d) const final;
+
+	virtual void IncrBPCount()	{ ++breakpoint_count; }
+	virtual void DecrBPCount();
+
+	virtual unsigned int BPCount() const	{ return breakpoint_count; }
+
+	virtual TraversalCode Traverse(TraversalCallback* cb) const = 0;
+
+#include "zeek/script_opt/StmtOpt-Public.h"
+
+protected:
+	explicit Stmt(StmtTag arg_tag);
+
+	void AddTag(ODesc* d) const;
+	virtual void StmtDescribe(ODesc* d) const;
+	void DescribeDone(ODesc* d) const;
+
+	StmtTag tag;
+	int breakpoint_count;	// how many breakpoints on this statement
+
+	// FIXME: Learn the exact semantics of mutable.
+	mutable double last_access;	// time of last execution
+	mutable uint32_t access_count;	// number of executions
+
+#include "zeek/script_opt/StmtOpt-Private.h"
+};
+
+} // namespace zeek::detail
+
+using Stmt [[deprecated("Remove in v4.1. Use zeek::detail::Stmt instead.")]] = zeek::detail::Stmt;

src/TraverseTypes.h

@@ -16,8 +16,10 @@ enum TraversalCode {
 
 #define HANDLE_TC_STMT_PRE(code) \
 	{ \
-	if ( (code) == zeek::detail::TC_ABORTALL || (code) == zeek::detail::TC_ABORTSTMT ) \
+	if ( (code) == zeek::detail::TC_ABORTALL ) \
 		return (code); \
+	else if ( (code) == zeek::detail::TC_ABORTSTMT ) \
+		return zeek::detail::TC_CONTINUE; \
 	}
 
 #define HANDLE_TC_STMT_POST(code) \
@@ -32,8 +34,10 @@ enum TraversalCode {
 
 #define HANDLE_TC_EXPR_PRE(code) \
 	{ \
-	if ( (code) != zeek::detail::TC_CONTINUE ) \
+	if ( (code) == zeek::detail::TC_ABORTALL ) \
 		return (code); \
+	else if ( (code) == zeek::detail::TC_ABORTSTMT ) \
+		return zeek::detail::TC_CONTINUE; \
 	}
 
 #define HANDLE_TC_EXPR_POST(code) \

src/Var.cc

@@ -17,6 +17,8 @@
 #include "zeek/module_util.h"
 #include "zeek/ID.h"
 
+#include "zeek/script_opt/ScriptOpt.h"
+
 namespace zeek::detail {
 
 static ValPtr init_val(Expr* init, const Type* t, ValPtr aggr)
@@ -701,8 +703,20 @@ TraversalCode OuterIDBindingFinder::PostExpr(const Expr* expr)
 	return TC_CONTINUE;
 	}
 
+static bool duplicate_ASTs = getenv("ZEEK_DUPLICATE_ASTS");
+
 void end_func(StmtPtr body)
 	{
+	if ( duplicate_ASTs && reporter->Errors() == 0 )
+		// Only try duplication in the absence of errors.  If errors
+		// have occurred, they can be re-generated during the
+		// duplication process, leading to regression failures due
+		// to duplicated error messages.
+		//
+		// We duplicate twice to make sure that the AST produced
+		// by duplicating can itself be correctly duplicated.
+		body = body->Duplicate()->Duplicate();
+
 	auto ingredients = std::make_unique<function_ingredients>(pop_scope(), std::move(body));
 
 	if ( ingredients->id->HasVal() )
@@ -724,7 +738,11 @@ void end_func(StmtPtr body)
 		ingredients->id->SetConst();
 		}
 
-	ingredients->id->GetVal()->AsFunc()->SetScope(ingredients->scope);
+	auto func = ingredients->id->GetVal()->AsFunc()->AsScriptFunc();
+	func->SetScope(ingredients->scope);
+
+	analyze_func({NewRef{}, func});
+
 	// Note: ideally, something would take ownership of this memory until the
 	// end of script execution, but that's essentially the same as the
 	// lifetime of the process at the moment, so ok to "leak" it.

src/main.cc

@@ -15,6 +15,9 @@ int main(int argc, char** argv)
 	if ( setup_result.code )
 		return setup_result.code;
 
+	if ( setup_result.parse_only )
+		return 0;
+
 	auto& options = setup_result.options;
 	auto do_net_run = zeek::iosource_mgr->Size() > 0 ||
 	                  zeek::run_state::detail::have_pending_timers ||

src/reporter.bif

@@ -22,7 +22,7 @@ module Reporter;
 ## .. zeek:see:: reporter_info
 function Reporter::info%(msg: string%): bool
 	%{
-	reporter->PushLocation(frame->GetCall()->GetLocationInfo());
+	reporter->PushLocation(frame->GetCall()->Original()->GetLocationInfo());
 	reporter->Info("%s", msg->CheckString());
 	reporter->PopLocation();
 	return zeek::val_mgr->True();
@@ -37,7 +37,7 @@ function Reporter::info%(msg: string%): bool
 ## .. zeek:see:: reporter_warning
 function Reporter::warning%(msg: string%): bool
 	%{
-	reporter->PushLocation(frame->GetCall()->GetLocationInfo());
+	reporter->PushLocation(frame->GetCall()->Original()->GetLocationInfo());
 	reporter->Warning("%s", msg->CheckString());
 	reporter->PopLocation();
 	return zeek::val_mgr->True();
@@ -53,7 +53,7 @@ function Reporter::warning%(msg: string%): bool
 ## .. zeek:see:: reporter_error
 function Reporter::error%(msg: string%): bool
 	%{
-	reporter->PushLocation(frame->GetCall()->GetLocationInfo());
+	reporter->PushLocation(frame->GetCall()->Original()->GetLocationInfo());
 	reporter->Error("%s", msg->CheckString());
 	reporter->PopLocation();
 	return zeek::val_mgr->True();
@@ -66,7 +66,7 @@ function Reporter::error%(msg: string%): bool
 ## Returns: Always true.
 function Reporter::fatal%(msg: string%): bool
 	%{
-	reporter->PushLocation(frame->GetCall()->GetLocationInfo());
+	reporter->PushLocation(frame->GetCall()->Original()->GetLocationInfo());
 	reporter->FatalError("%s", msg->CheckString());
 	reporter->PopLocation();
 	return zeek::val_mgr->True();
@@ -80,7 +80,7 @@ function Reporter::fatal%(msg: string%): bool
 ## Returns: Always true.
 function Reporter::fatal_error_with_core%(msg: string%): bool
 	%{
-	reporter->PushLocation(frame->GetCall()->GetLocationInfo());
+	reporter->PushLocation(frame->GetCall()->Original()->GetLocationInfo());
 	reporter->FatalErrorWithCore("%s", msg->CheckString());
 	reporter->PopLocation();
 	return zeek::val_mgr->True();

src/script_opt/Expr.cc

@@ -0,0 +1,547 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+// Optimization-related methods for Expr classes.
+
+#include "zeek/Expr.h"
+#include "zeek/Stmt.h"
+#include "zeek/Func.h"
+#include "zeek/Frame.h"
+#include "zeek/Scope.h"
+#include "zeek/Desc.h"
+#include "zeek/Traverse.h"
+#include "zeek/Reporter.h"
+#include "zeek/script_opt/Inline.h"
+
+
+namespace zeek::detail {
+
+
+ExprPtr NameExpr::Duplicate()
+	{
+	return SetSucc(new NameExpr(id, in_const_init));
+	}
+
+
+ExprPtr ConstExpr::Duplicate()
+	{
+	return SetSucc(new ConstExpr(val));
+	}
+
+  
+ExprPtr UnaryExpr::Inline(Inliner* inl)
+	{
+	op = op->Inline(inl);
+	return ThisPtr();
+	}
+
+
+ExprPtr BinaryExpr::Inline(Inliner* inl)
+	{
+	op1 = op1->Inline(inl);
+	op2 = op2->Inline(inl);
+
+	return ThisPtr();
+	}
+
+
+ExprPtr CloneExpr::Duplicate()
+	{
+	// oh the irony
+	return SetSucc(new CloneExpr(op->Duplicate()));
+	}
+
+
+ExprPtr IncrExpr::Duplicate()
+	{
+	return SetSucc(new IncrExpr(tag, op->Duplicate()));
+	}
+
+
+ExprPtr ComplementExpr::Duplicate()
+	{
+	return SetSucc(new ComplementExpr(op->Duplicate()));
+	}
+
+
+ExprPtr NotExpr::Duplicate()
+	{
+	return SetSucc(new NotExpr(op->Duplicate()));
+	}
+
+
+ExprPtr PosExpr::Duplicate()
+	{
+	return SetSucc(new PosExpr(op->Duplicate()));
+	}
+
+
+ExprPtr NegExpr::Duplicate()
+	{
+	return SetSucc(new NegExpr(op->Duplicate()));
+	}
+
+
+ExprPtr SizeExpr::Duplicate()
+	{
+	return SetSucc(new SizeExpr(op->Duplicate()));
+	}
+
+
+ExprPtr AddExpr::Duplicate()
+	{
+	auto op1_d = op1->Duplicate();
+	auto op2_d = op2->Duplicate();
+	return SetSucc(new AddExpr(op1_d, op2_d));
+	}
+
+
+ExprPtr AddToExpr::Duplicate()
+	{
+	auto op1_d = op1->Duplicate();
+	auto op2_d = op2->Duplicate();
+	return SetSucc(new AddToExpr(op1_d, op2_d));
+	}
+
+
+ExprPtr SubExpr::Duplicate()
+	{
+	auto op1_d = op1->Duplicate();
+	auto op2_d = op2->Duplicate();
+	return SetSucc(new SubExpr(op1_d, op2_d));
+	}
+
+
+ExprPtr RemoveFromExpr::Duplicate()
+	{
+	auto op1_d = op1->Duplicate();
+	auto op2_d = op2->Duplicate();
+	return SetSucc(new RemoveFromExpr(op1_d, op2_d));
+	}
+
+
+ExprPtr TimesExpr::Duplicate()
+	{
+	auto op1_d = op1->Duplicate();
+	auto op2_d = op2->Duplicate();
+	return SetSucc(new TimesExpr(op1_d, op2_d));
+	}
+
+
+ExprPtr DivideExpr::Duplicate()
+	{
+	auto op1_d = op1->Duplicate();
+	auto op2_d = op2->Duplicate();
+	return SetSucc(new DivideExpr(op1_d, op2_d));
+	}
+
+
+ExprPtr ModExpr::Duplicate()
+	{
+	auto op1_d = op1->Duplicate();
+	auto op2_d = op2->Duplicate();
+	return SetSucc(new ModExpr(op1_d, op2_d));
+	}
+
+
+ExprPtr BoolExpr::Duplicate()
+	{
+	auto op1_d = op1->Duplicate();
+	auto op2_d = op2->Duplicate();
+	return SetSucc(new BoolExpr(tag, op1_d, op2_d));
+	}
+
+
+ExprPtr BitExpr::Duplicate()
+	{
+	auto op1_d = op1->Duplicate();
+	auto op2_d = op2->Duplicate();
+	return SetSucc(new BitExpr(tag, op1_d, op2_d));
+	}
+
+
+ExprPtr EqExpr::Duplicate()
+	{
+	auto op1_d = op1->Duplicate();
+	auto op2_d = op2->Duplicate();
+	return SetSucc(new EqExpr(tag, op1_d, op2_d));
+	}
+
+
+ExprPtr RelExpr::Duplicate()
+	{
+	auto op1_d = op1->Duplicate();
+	auto op2_d = op2->Duplicate();
+	return SetSucc(new RelExpr(tag, op1_d, op2_d));
+	}
+
+
+ExprPtr CondExpr::Duplicate()
+	{
+	auto op1_d = op1->Duplicate();
+	auto op2_d = op2->Duplicate();
+	auto op3_d = op3->Duplicate();
+	return SetSucc(new CondExpr(op1_d, op2_d, op3_d));
+	}
+
+ExprPtr CondExpr::Inline(Inliner* inl)
+	{
+	op1 = op1->Inline(inl);
+	op2 = op2->Inline(inl);
+	op3 = op3->Inline(inl);
+
+	return ThisPtr();
+	}
+
+
+ExprPtr RefExpr::Duplicate()
+	{
+	return SetSucc(new RefExpr(op->Duplicate()));
+	}
+
+
+ExprPtr AssignExpr::Duplicate()
+	{
+	auto op1_d = op1->Duplicate();
+	auto op2_d = op2->Duplicate();
+	return SetSucc(new AssignExpr(op1_d, op2_d, is_init, val));
+	}
+
+
+ExprPtr IndexSliceAssignExpr::Duplicate()
+	{
+	auto op1_d = op1->Duplicate();
+	auto op2_d = op2->Duplicate();
+	return SetSucc(new IndexSliceAssignExpr(op1_d, op2_d, is_init));
+	}
+
+
+ExprPtr IndexExpr::Duplicate()
+	{
+	auto op1_d = op1->Duplicate();
+	auto op2_l = op2->Duplicate()->AsListExprPtr();
+	return SetSucc(new IndexExpr(op1_d, op2_l, is_slice));
+	}
+
+
+ExprPtr IndexExprWhen::Duplicate()
+	{
+	auto op1_d = op1->Duplicate();
+	auto op2_l = op2->Duplicate()->AsListExprPtr();
+	return SetSucc(new IndexExprWhen(op1_d, op2_l, is_slice));
+	}
+
+
+ExprPtr FieldExpr::Duplicate()
+	{
+	return SetSucc(new FieldExpr(op->Duplicate(), field_name));
+	}
+
+
+ExprPtr HasFieldExpr::Duplicate()
+	{
+	return SetSucc(new HasFieldExpr(op->Duplicate(), field_name));
+	}
+
+
+ExprPtr RecordConstructorExpr::Duplicate()
+	{
+	auto op_l = op->Duplicate()->AsListExprPtr();
+	return SetSucc(new RecordConstructorExpr(op_l));
+	}
+
+
+ExprPtr TableConstructorExpr::Duplicate()
+	{
+	auto op_l = op->Duplicate()->AsListExprPtr();
+
+	TypePtr t;
+	if ( (type && type->GetName().size() > 0) ||
+	     ! op->AsListExpr()->Exprs().empty() )
+		t = type;
+	else
+		// Use a null type rather than the one inferred, to instruct
+		// the constructor to again infer the type.
+		t = nullptr;
+
+	return SetSucc(new TableConstructorExpr(op_l, nullptr, t, attrs));
+	}
+
+
+ExprPtr SetConstructorExpr::Duplicate()
+	{
+	auto op_l = op->Duplicate()->AsListExprPtr();
+
+	TypePtr t;
+	if ( (type && type->GetName().size() > 0) ||
+	     ! op->AsListExpr()->Exprs().empty() )
+		t = type;
+	else
+		// Use a null type rather than the one inferred, to instruct
+		// the constructor to again infer the type.
+		t = nullptr;
+
+	return SetSucc(new SetConstructorExpr(op_l, nullptr, t, attrs));
+	}
+
+
+ExprPtr VectorConstructorExpr::Duplicate()
+	{
+	auto op_l = op->Duplicate()->AsListExprPtr();
+
+	if ( op->AsListExpr()->Exprs().empty() )
+		return SetSucc(new VectorConstructorExpr(op_l, nullptr));
+	else
+		return SetSucc(new VectorConstructorExpr(op_l, type));
+	}
+
+
+ExprPtr FieldAssignExpr::Duplicate()
+	{
+	auto op_dup = op->Duplicate();
+	return SetSucc(new FieldAssignExpr(field_name.c_str(), op_dup));
+	}
+
+
+ExprPtr ArithCoerceExpr::Duplicate()
+	{
+	auto op_dup = op->Duplicate();
+
+	TypeTag tag;
+
+	if ( type->Tag() == TYPE_VECTOR )
+		tag = type->AsVectorType()->Yield()->Tag();
+	else
+		tag = type->Tag();
+
+	return SetSucc(new ArithCoerceExpr(op_dup, tag));
+	}
+
+
+ExprPtr RecordCoerceExpr::Duplicate()
+	{
+	auto op_dup = op->Duplicate();
+	auto rt = GetType()->AsRecordType();
+	RecordTypePtr rt_p = {NewRef{}, rt};
+	return SetSucc(new RecordCoerceExpr(op_dup, rt_p));
+	}
+
+
+ExprPtr TableCoerceExpr::Duplicate()
+	{
+	auto op_dup = op->Duplicate();
+	auto tt = GetType()->AsTableType();
+	TableTypePtr tt_p = {NewRef{}, tt};
+	return SetSucc(new TableCoerceExpr(op_dup, tt_p));
+	}
+
+
+ExprPtr VectorCoerceExpr::Duplicate()
+	{
+	auto op_dup = op->Duplicate();
+	auto vt = GetType()->AsVectorType();
+	VectorTypePtr vt_p = {NewRef{}, vt};
+	return SetSucc(new VectorCoerceExpr(op_dup, vt_p));
+	}
+
+
+ExprPtr ScheduleExpr::Duplicate()
+	{
+	auto when_d = when->Duplicate();
+	auto event_d = event->Duplicate()->AsEventExprPtr();
+	return SetSucc(new ScheduleExpr(when_d, event_d));
+	}
+
+ExprPtr ScheduleExpr::Inline(Inliner* inl)
+	{
+	when = when->Inline(inl);
+	event = event->Inline(inl)->AsEventExprPtr();
+
+	return ThisPtr();
+	}
+
+
+ExprPtr InExpr::Duplicate()
+	{
+	auto op1_d = op1->Duplicate();
+	auto op2_d = op2->Duplicate();
+	return SetSucc(new InExpr(op1_d, op2_d));
+	}
+
+
+ExprPtr CallExpr::Duplicate()
+	{
+	auto func_d = func->Duplicate();
+	auto args_d = args->Duplicate()->AsListExprPtr();
+	auto func_type = func->GetType();
+	auto in_hook = func_type->AsFuncType()->Flavor() == FUNC_FLAVOR_HOOK;
+
+	return SetSucc(new CallExpr(func_d, args_d, in_hook));
+	}
+
+ExprPtr CallExpr::Inline(Inliner* inl)
+	{
+	auto new_me = inl->CheckForInlining({NewRef{}, this});
+
+	if ( new_me.get() != this )
+		return new_me;
+
+	// We're not inlining, but perhaps our elements should be.
+	func = func->Inline(inl);
+
+	auto new_args = args->Inline(inl);
+	args = {NewRef{}, new_args->AsListExpr()};
+
+	return ThisPtr();
+	}
+
+
+ExprPtr LambdaExpr::Duplicate()
+	{
+	auto ingr = std::make_unique<function_ingredients>(*ingredients);
+	ingr->body = ingr->body->Duplicate();
+	return SetSucc(new LambdaExpr(std::move(ingr), outer_ids));
+	}
+
+ExprPtr LambdaExpr::Inline(Inliner* inl)
+	{
+	// Don't inline these, we currently don't get the closure right.
+	return ThisPtr();
+	}
+
+
+ExprPtr EventExpr::Duplicate()
+	{
+	auto args_d = args->Duplicate()->AsListExprPtr();
+	return SetSucc(new EventExpr(name.c_str(), args_d));
+	}
+
+ExprPtr EventExpr::Inline(Inliner* inl)
+	{
+	auto el = args->Inline(inl)->AsListExpr();
+	args = {NewRef{}, el};
+
+	return ThisPtr();
+	}
+
+
+ExprPtr ListExpr::Duplicate()
+	{
+	auto new_l = new ListExpr();
+
+	loop_over_list(exprs, i)
+		new_l->Append(exprs[i]->Duplicate());
+
+	return SetSucc(new_l);
+	}
+
+ExprPtr ListExpr::Inline(Inliner* inl)
+	{
+	loop_over_list(exprs, i)
+		exprs[i] = exprs[i]->Inline(inl).release();
+
+	return ThisPtr();
+	}
+
+
+ExprPtr CastExpr::Duplicate()
+	{
+	return SetSucc(new CastExpr(op->Duplicate(), type));
+	}
+
+
+ExprPtr IsExpr::Duplicate()
+	{
+	return SetSucc(new IsExpr(op->Duplicate(), t));
+	}
+
+
+InlineExpr::InlineExpr(ListExprPtr arg_args, IDPList* arg_params,
+			StmtPtr arg_body, int _frame_offset, TypePtr ret_type)
+: Expr(EXPR_INLINE), args(std::move(arg_args)), body(std::move(arg_body))
+	{
+	params = arg_params;
+	frame_offset = _frame_offset;
+	type = ret_type;
+	}
+
+bool InlineExpr::IsPure() const
+	{
+	return args->IsPure() && body->IsPure();
+	}
+
+ValPtr InlineExpr::Eval(Frame* f) const
+	{
+	auto v = eval_list(f, args.get());
+
+	if ( ! v )
+		return nullptr;
+
+	int nargs = args->Exprs().length();
+
+	f->Reset(frame_offset + nargs);
+	f->IncreaseOffset(frame_offset);
+
+	// Assign the arguments.
+	for ( auto i = 0; i < nargs; ++i )
+		f->SetElement(i, (*v)[i]);
+
+	auto flow = FLOW_NEXT;
+	ValPtr result;
+	try
+		{
+		result = body->Exec(f, flow);
+		}
+
+	catch ( InterpreterException& e )
+		{
+		f->IncreaseOffset(-frame_offset);
+		throw;
+		}
+
+	f->IncreaseOffset(-frame_offset);
+
+	return result;
+	}
+
+ExprPtr InlineExpr::Duplicate()
+	{
+	auto args_d = args->Duplicate()->AsListExprPtr();
+	auto body_d = body->Duplicate();
+	return SetSucc(new InlineExpr(args_d, params, body_d, frame_offset,
+					type));
+	}
+
+TraversalCode InlineExpr::Traverse(TraversalCallback* cb) const
+	{
+	TraversalCode tc = cb->PreExpr(this);
+	HANDLE_TC_EXPR_PRE(tc);
+
+	tc = args->Traverse(cb);
+	HANDLE_TC_EXPR_PRE(tc);
+
+	tc = body->Traverse(cb);
+	HANDLE_TC_EXPR_PRE(tc);
+
+	tc = cb->PostExpr(this);
+	HANDLE_TC_EXPR_POST(tc);
+	}
+
+void InlineExpr::ExprDescribe(ODesc* d) const
+	{
+	if ( d->IsReadable() || d->IsPortable() )
+		{
+		d->Add("inline(");
+		args->Describe(d);
+		d->Add("){");
+		body->Describe(d);
+		d->Add("}");
+		}
+	else
+		{
+		args->Describe(d);
+		body->Describe(d);
+		}
+	}
+
+
+} // namespace zeek::detail

src/script_opt/ExprOpt-Enums.h

@@ -0,0 +1,5 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+// Enums associated with script optimization.
+
+	EXPR_INLINE,

src/script_opt/ExprOpt-Names.h

@@ -0,0 +1,6 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+// Names of Expr subclasses associated with script optimization.
+// Companion to script_opt/ExprOpt-Enums.h.
+
+	"inline()",

src/script_opt/ExprOpt-Private.h

@@ -0,0 +1,13 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+// Private (protected) Expr methods and member varibles associated
+// with script optimization.  See script_opt/ExprOpt-public.h for
+// why these aren't factored into a separate class.
+//
+// Right now, this file is small, but it will grow as we expand into
+// other forms of script optimization.
+
+        // The original expression from which this statement was
+        // derived, if any.  Used as an aid for generating meaningful
+	// and correctly-localized error messages.
+	ExprPtr original = nullptr;

src/script_opt/ExprOpt-Public.h

@@ -0,0 +1,44 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+// Public Expr methods associated with script optimization.
+//
+// We can't effectively factor these out into a separate class to
+// include via multiple inheritance, because in general they rely
+// on other Expr methods or member variables, so to do so we'd
+// have to (1) make all of the methods virtual, and (2) still
+// include (re-)definitions for them in Expr.h, defeating most
+// of the benefits of using a separate class.
+
+	// Returns a duplicate of the expression.
+	virtual ExprPtr Duplicate() = 0;
+
+	// Recursively traverses the AST to inline eligible function calls.
+	virtual ExprPtr Inline(Inliner* inl)	{ return ThisPtr(); }
+
+	// Access to the original expression from which this one is derived,
+	// or this one if we don't have an original.  Returns a bare pointer
+	// rather than an ExprPtr to emphasize that the access is read-only.
+	const Expr* Original() const
+		{ return original ? original->Original() : this; }
+
+	// Designate the given Expr node as the original for this one.
+	void SetOriginal(ExprPtr _orig)
+		{
+		if ( ! original )
+			original = std::move(_orig);
+		}
+
+	// A convenience function for taking a newly-created Expr,
+	// making it point to us as the successor, and returning it.
+	//
+	// Takes an Expr* rather than a ExprPtr to de-clutter the calling
+	// code, which is always passing in "new XyzExpr(...)".  This
+	// call, as a convenient side effect, transforms that bare pointer
+	// into an ExprPtr.
+	virtual ExprPtr SetSucc(Expr* succ)
+		{
+		succ->SetOriginal(ThisPtr());
+		if ( IsParen() )
+			succ->MarkParen();
+		return {AdoptRef{}, succ};
+		}

src/script_opt/ExprOpt-Subclasses.h

@@ -0,0 +1,29 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+// Expr subclasses and associated functions associated with script
+// optimization.
+
+class InlineExpr : public Expr {
+public:
+	InlineExpr(ListExprPtr arg_args, IDPList* params, StmtPtr body,
+			int frame_offset, TypePtr ret_type);
+
+	bool IsPure() const override;
+
+	ListExprPtr Args() const	{ return args; }
+	StmtPtr Body() const		{ return body; }
+
+	ValPtr Eval(Frame* f) const override;
+
+	ExprPtr Duplicate() override;
+
+	TraversalCode Traverse(TraversalCallback* cb) const override;
+
+protected:
+	void ExprDescribe(ODesc* d) const override;
+
+	IDPList* params;
+	int frame_offset;
+	ListExprPtr args;
+	StmtPtr body;
+};

src/script_opt/Inline.cc

@@ -0,0 +1,238 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "zeek/script_opt/Inline.h"
+#include "zeek/script_opt/ScriptOpt.h"
+#include "zeek/script_opt/ProfileFunc.h"
+#include "zeek/Desc.h"
+
+
+namespace zeek::detail {
+
+
+void Inliner::Analyze()
+	{
+	// Locate self- and indirectly recursive functions.
+
+	// Maps each function to any functions that it calls, either
+	// directly or (ultimately) indirectly.
+	std::unordered_map<const Func*, std::unordered_set<const Func*>> call_set;
+
+	// Prime the call set for each function with the functions it
+	// directly calls.
+	for ( auto& f : funcs )
+		{
+		std::unordered_set<const Func*> cs;
+
+		// Aspirational ....
+		non_recursive_funcs.insert(f->Func());
+
+		for ( auto& func : f->Profile()->ScriptCalls() )
+			{
+			cs.insert(func);
+
+			if ( func == f->Func() )
+				{
+				if ( report_recursive )
+					printf("%s is directly recursive\n",
+						func->Name());
+
+				non_recursive_funcs.erase(func);
+				}
+			}
+
+		call_set[f->Func()] = cs;
+		}
+
+	// Transitive closure.  If we had any self-respect, we'd implement
+	// Warshall's algorithm.  What we do here is feasible though since
+	// Zeek call graphs tend not to be super-deep.  (We could also save
+	// cycles by only analyzing non-[direct-or-indirect] leaves, as
+	// was computed by the previous version of this code.  But in
+	// practice, the execution time for this is completely dwarfed
+	// by the expense of compiling inlined functions, so we keep it
+	// simple.)
+
+	// Whether a change has occurred.
+	bool did_addition = true;
+	while ( did_addition )
+		{
+		did_addition = false;
+
+		// Loop over all the functions of interest.
+		for ( auto& c : call_set )
+			{
+			// For each of them, loop over the set of functions
+			// they call.
+
+			std::unordered_set<const Func*> addls;
+
+			for ( auto& cc : c.second )
+				{
+				if ( cc == c.first )
+					// Don't loop over ourselves.
+					continue;
+
+				// For each called function, pull up *its*
+				// set of called functions.
+				for ( auto& ccc : call_set[cc] )
+					{
+					// For each of those, if we don't
+					// already have it, add it.
+					if ( c.second.count(ccc) > 0 )
+						// We already have it.
+						continue;
+
+					addls.insert(ccc);
+
+					if ( ccc != c.first )
+						// Non-recursive.
+						continue;
+
+					if ( report_recursive )
+						printf("%s is indirectly recursive, called by %s\n",
+							c.first->Name(),
+							cc->Name());
+
+					non_recursive_funcs.erase(c.first);
+					non_recursive_funcs.erase(cc);
+					}
+				}
+
+			if ( addls.size() > 0 )
+				{
+				did_addition = true;
+
+				for ( auto& a : addls )
+					c.second.insert(a);
+				}
+			}
+		}
+
+	// Functions that are candidates for inlining.
+	std::unordered_set<FuncInfo*> candidates;
+
+	for ( auto& f : funcs )
+		// Candidates are non-event, non-hook, non-recursive
+		// functions ... that don't use lambdas or when's,
+		// since we don't currently compute the closures/frame
+		// sizes for them correctly, and more fundamentally since
+		// we don't compile them and hence inlining them will
+		// make the parent non-compilable.
+		if ( f->Func()->Flavor() == FUNC_FLAVOR_FUNCTION &&
+		     non_recursive_funcs.count(f->Func()) > 0 &&
+		     f->Profile()->NumLambdas() == 0 &&
+		     f->Profile()->NumWhenStmts() == 0 )
+			inline_ables.insert(f->Func());
+
+	for ( auto& f : funcs )
+		{
+		// Processing optimization: only spend time trying to inline f
+		// if we haven't marked it as inlineable.  This trades off a
+		// bunch of compilation load (inlining every single function,
+		// even though almost none will be called directly) for a
+		// modest gain of having compiled code for those rare
+		// circumstances in which a Zeek function can be called
+		// not ultimately stemming from an event (such as global
+		// scripting, or expiration functions).
+		if ( inline_ables.count(f->Func()) == 0 )
+			InlineFunction(f);
+		}
+	}
+
+void Inliner::InlineFunction(FuncInfo* f)
+	{
+	max_inlined_frame_size = 0;
+
+	// It's important that we take the current frame size from the
+	// *scope* and not f->Func().  The latter tracks the maximum required
+	// across all bodies, but we want to track the size for this
+	// particular body.
+	curr_frame_size = f->Scope()->Length();
+
+	f->Body()->Inline(this);
+
+	int new_frame_size = curr_frame_size + max_inlined_frame_size;
+
+	if ( new_frame_size > f->Func()->FrameSize() )
+		f->Func()->SetFrameSize(new_frame_size);
+	}
+
+ExprPtr Inliner::CheckForInlining(IntrusivePtr<CallExpr> c)
+	{
+	auto f = c->Func();
+
+	if ( f->Tag() != EXPR_NAME )
+		// We don't inline indirect calls.
+		return std::move(c);
+
+	auto n = f->AsNameExpr();
+	auto func = n->Id();
+
+	if ( ! func->IsGlobal() )
+		return std::move(c);
+
+	auto func_v = func->GetVal();
+	if ( ! func_v )
+		return std::move(c);
+
+	auto func_vf = func_v->AsFunc()->AsScriptFunc();
+
+	if ( ! func_vf )
+		return std::move(c);
+
+	if ( inline_ables.count(func_vf) == 0 )
+		return std::move(c);
+
+	ListExprPtr args = {NewRef{}, c->Args()};
+	auto body = func_vf->GetBodies()[0].stmts;	// there's only 1 body
+	auto t = c->GetType();
+
+	// Getting the names of the parameters is tricky.  It's tempting
+	// to take them from the function's type declaration, but alas
+	// Zeek allows forward-declaring a function with one set of parameter
+	// names and then defining a later instance of it with different
+	// names, as long as the types match.  So we have to glue together
+	// the type declaration, which gives us the number of parameters,
+	// with the scope, which gives us all the variables declared in
+	// the function, *using the knowledge that the parameters are
+	// declared first*.
+	auto scope = func_vf->GetScope();
+	auto vars = scope->OrderedVars();
+	int nparam = func_vf->GetType()->Params()->NumFields();
+
+	auto params = new IDPList;
+	for ( int i = 0; i < nparam; ++i )
+		params->append(vars[i].get());
+
+	auto body_dup = body->Duplicate();
+
+	// Recursively inline the body.  This is safe to do because we've
+	// ensured there are no recursive loops ... but we have to be
+	// careful in accounting for the frame sizes.
+	int frame_size = func_vf->FrameSize();
+
+	int hold_curr_frame_size = curr_frame_size;
+	curr_frame_size = frame_size;
+
+	int hold_max_inlined_frame_size = max_inlined_frame_size;
+	max_inlined_frame_size = 0;
+
+	body_dup->Inline(this);
+
+	curr_frame_size = hold_curr_frame_size;
+
+	int new_frame_size = frame_size + max_inlined_frame_size;
+	if ( new_frame_size > hold_max_inlined_frame_size )
+		max_inlined_frame_size = new_frame_size;
+	else
+		max_inlined_frame_size = hold_max_inlined_frame_size;
+
+	auto ie = make_intrusive<InlineExpr>(args, params, body_dup,
+						curr_frame_size, t);
+	ie->SetOriginal(c);
+
+	return ie;
+	}
+
+
+} // namespace zeek::detail

src/script_opt/Inline.h

@@ -0,0 +1,62 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+// Class that manages the process of (recursively) inlining function bodies.
+
+#pragma once
+
+#include "zeek/Func.h"
+#include "zeek/Scope.h"
+
+#include <unordered_set>
+
+
+namespace zeek::detail {
+
+class FuncInfo;
+
+class Inliner {
+public:
+	// First argument is a collection of information about *all* of
+	// the script functions.  Second argument states whether to report
+	// recursive functions (of interest as they're not in-lineable).
+	Inliner(std::vector<FuncInfo*>& _funcs, bool _report_recursive)
+	: funcs(_funcs), report_recursive(_report_recursive)
+		{ Analyze(); }
+
+	// Either returns the original CallExpr if it's not inline-able,
+	// or an InlineExpr if it is.
+	ExprPtr CheckForInlining(IntrusivePtr<CallExpr> c);
+
+	// True if the given function has been inlined.
+	bool WasInlined(Func* f)	{ return inline_ables.count(f) > 0; }
+
+protected:
+	// Driver routine that analyzes all of the script functions and
+	// recursively inlines eligible ones.
+	void Analyze();
+
+	// Recursively inlines any calls associated with the given function.
+	void InlineFunction(FuncInfo* f);
+
+	// Information about all of the functions (and events/hooks) in
+	// the full set of scripts.
+	std::vector<FuncInfo*>& funcs;
+
+	// Functions that we've determined to be suitable for inlining.
+	std::unordered_set<Func*> inline_ables;
+
+	// As we do inlining for a given function, this tracks the
+	// largest frame size of any inlined function.
+	int max_inlined_frame_size;
+
+	// The size of the frame of the currently-being-inlined function,
+	// prior to increasing it to accommodate inlining.
+	int curr_frame_size;
+
+	// Whether to generate a report about functions either directly and
+	// indirectly recursive.
+	bool report_recursive;
+};
+
+
+} // namespace zeek::detail

src/script_opt/ProfileFunc.cc

@@ -0,0 +1,218 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "zeek/script_opt/ProfileFunc.h"
+#include "zeek/Desc.h"
+#include "zeek/Stmt.h"
+#include "zeek/Func.h"
+
+
+namespace zeek::detail {
+
+
+TraversalCode ProfileFunc::PreStmt(const Stmt* s)
+	{
+	++num_stmts;
+
+	auto tag = s->Tag();
+
+	if ( compute_hash )
+		UpdateHash(int(tag));
+
+	if ( tag == STMT_INIT )
+		{
+		for ( auto id : s->AsInitStmt()->Inits() )
+			inits.insert(id.get());
+
+		// Don't recurse into these, as we don't want to consider
+		// a local that only appears in an initialization as a
+		// relevant local.
+		return TC_ABORTSTMT;
+		}
+
+	switch ( tag ) {
+	case STMT_WHEN:
+		++num_when_stmts;
+
+		in_when = true;
+		s->AsWhenStmt()->Cond()->Traverse(this);
+		in_when = false;
+
+		// It doesn't do any harm for us to re-traverse the
+		// conditional, so we don't bother hand-traversing the
+		// rest of the when but just let the usual processing do it.
+		break;
+
+	case STMT_FOR:
+		{
+		auto sf = s->AsForStmt();
+		auto loop_vars = sf->LoopVars();
+		auto value_var = sf->ValueVar();
+
+		for ( auto id : *loop_vars )
+			locals.insert(id);
+
+		if ( value_var )
+			locals.insert(value_var.get());
+		}
+		break;
+
+	case STMT_SWITCH:
+		{
+		// If this is a type-case switch statement, then find the
+		// identifiers created so we can add them to our list of
+		// locals.  Ideally this wouldn't be necessary since *surely*
+		// if one bothers to define such an identifier then it'll be
+		// subsequently used, and we'll pick up the local that way ...
+		// but if for some reason it's not, then we would have an
+		// incomplete list of locals that need to be tracked.
+
+		auto sw = s->AsSwitchStmt();
+		for ( auto& c : *sw->Cases() )
+			{
+			auto idl = c->TypeCases();
+			if ( idl ) 
+				{
+				for ( auto id : *idl )
+					locals.insert(id);
+				}
+			}
+		}
+		break;
+
+	default:
+		break;
+	}
+
+	return TC_CONTINUE;
+	}
+
+TraversalCode ProfileFunc::PreExpr(const Expr* e)
+	{
+	++num_exprs;
+
+	auto tag = e->Tag();
+
+	if ( compute_hash )
+		UpdateHash(int(tag));
+
+	switch ( tag ) {
+	case EXPR_CONST:
+		if ( compute_hash )
+			{
+			CheckType(e->GetType());
+			UpdateHash(e->AsConstExpr()->ValuePtr());
+			}
+		break;
+
+	case EXPR_NAME:
+		{
+		auto n = e->AsNameExpr();
+		auto id = n->Id();
+		if ( id->IsGlobal() )
+			globals.insert(id);
+		else
+			locals.insert(id);
+
+		if ( compute_hash )
+			{
+			UpdateHash({NewRef{}, id});
+			CheckType(e->GetType());
+			}
+
+		break;
+		}
+
+	case EXPR_CALL:
+		{
+		auto c = e->AsCallExpr();
+		auto f = c->Func();
+
+		if ( f->Tag() != EXPR_NAME )
+			{
+			does_indirect_calls = true;
+			return TC_CONTINUE;
+			}
+
+		auto n = f->AsNameExpr();
+		IDPtr func = {NewRef{}, n->Id()};
+
+		if ( ! func->IsGlobal() )
+			{
+			does_indirect_calls = true;
+			return TC_CONTINUE;
+			}
+
+		auto func_v = func->GetVal();
+		if ( func_v )
+			{
+			auto func_vf = func_v->AsFunc();
+			auto bf = func_vf->AsScriptFunc();
+
+			if ( bf )
+				{
+				script_calls.insert(bf);
+
+				if ( in_when )
+					when_calls.insert(bf);
+				}
+			else
+				BiF_calls.insert(func_vf);
+			}
+		else
+			{
+			// We could complain, but for now we don't because
+			// if we're invoked prior to full Zeek initialization,
+			// the value might indeed not there.
+			// printf("no function value for global %s\n", func->Name());
+			}
+
+		// Recurse into the arguments.
+		auto args = c->Args();
+		args->Traverse(this);
+		return TC_ABORTSTMT;
+		}
+
+	case EXPR_EVENT:
+		events.insert(e->AsEventExpr()->Name());
+		break;
+
+	case EXPR_LAMBDA:
+		++num_lambdas;
+		break;
+
+	default:
+		break;
+	}
+
+	return TC_CONTINUE;
+	}
+
+void ProfileFunc::CheckType(const TypePtr& t)
+	{
+	auto& tn = t->GetName();
+	if ( tn.size() > 0 && seen_types.count(tn) > 0 )
+		// No need to hash this in again, as we've already done so.
+		return;
+
+	if ( seen_type_ptrs.count(t.get()) > 0 )
+		// We've seen the raw pointer, even though it doesn't have
+		// a name.
+		return;
+
+	seen_types.insert(tn);
+	seen_type_ptrs.insert(t.get());
+
+	UpdateHash(t);
+	}
+
+void ProfileFunc::UpdateHash(const IntrusivePtr<zeek::Obj>& o)
+	{
+	ODesc d;
+	o->Describe(&d);
+	std::string desc(d.Description());
+	auto h = std::hash<std::string>{}(desc);
+	MergeInHash(h);
+	}
+
+
+} // namespace zeek::detail

src/script_opt/ProfileFunc.h

@@ -0,0 +1,123 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+// Class for traversing a function body's AST to build up a profile
+// of its various elements.
+
+#pragma once
+
+#include "zeek/Expr.h"
+#include "zeek/Stmt.h"
+#include "zeek/Traverse.h"
+
+namespace zeek::detail {
+
+class ProfileFunc : public TraversalCallback {
+public:
+	// If the argument is true, then we compute a hash over the function's
+	// AST to (pseudo-)uniquely identify it.
+	ProfileFunc(bool _compute_hash = false)
+		{ compute_hash = _compute_hash; }
+
+	std::unordered_set<const ID*>& Globals()	{ return globals; }
+	std::unordered_set<const ID*>& Locals()		{ return locals; }
+	std::unordered_set<const ID*>& Inits()		{ return inits; }
+	std::unordered_set<ScriptFunc*>& ScriptCalls()	{ return script_calls; }
+	std::unordered_set<Func*>& BiFCalls()		{ return BiF_calls; }
+	std::unordered_set<ScriptFunc*>& WhenCalls()	{ return when_calls; }
+	std::unordered_set<const char*>& Events()	{ return events; }
+	bool DoesIndirectCalls()		{ return does_indirect_calls; }
+
+	std::size_t HashVal()	{ return hash_val; }
+
+	int NumStmts()		{ return num_stmts; }
+	int NumWhenStmts()	{ return num_when_stmts; }
+	int NumExprs()		{ return num_exprs; }
+	int NumLambdas()	{ return num_lambdas; }
+
+protected:
+	TraversalCode PreStmt(const Stmt*) override;
+	TraversalCode PreExpr(const Expr*) override;
+
+	// Globals seen in the function.
+	//
+	// Does *not* include globals solely seen as the function being
+	// called in a call.
+	std::unordered_set<const ID*> globals;
+
+	// Locals seen in the function.
+	std::unordered_set<const ID*> locals;
+
+	// Same for locals seen in initializations, so we can find
+	// unused aggregates.
+	std::unordered_set<const ID*> inits;
+
+	// Script functions that this script calls.
+	std::unordered_set<ScriptFunc*> script_calls;
+
+	// Same for BiF's.
+	std::unordered_set<Func*> BiF_calls;
+
+	// Script functions appearing in "when" clauses.
+	std::unordered_set<ScriptFunc*> when_calls;
+
+	// Names of generated events.
+	std::unordered_set<const char*> events;
+
+	// True if the function makes a call through an expression rather
+	// than simply a function's (global) name.
+	bool does_indirect_calls = false;
+
+	// Hash value.  Only valid if constructor requested it.
+	std::size_t hash_val = 0;
+
+	// How many statements / when statements / lambda expressions /
+	// expressions appear in the function body.
+	int num_stmts = 0;
+	int num_when_stmts = 0;
+	int num_lambdas = 0;
+	int num_exprs = 0;
+
+	// Whether we're separately processing a "when" condition to
+	// mine out its script calls.
+	bool in_when = false;
+
+	// We only compute a hash over the function if requested, since
+	// it's somewhat expensive.
+	bool compute_hash;
+
+	// The following are for computing a consistent hash that isn't
+	// too profligate in how much it needs to compute over.
+
+	// Checks whether we've already noted this type, and, if not,
+	// updates the hash with it.
+	void CheckType(const TypePtr& t);
+
+	void UpdateHash(int val)
+		{
+		auto h = std::hash<int>{}(val);
+		MergeInHash(h);
+		}
+
+	void UpdateHash(const IntrusivePtr<Obj>& o);
+
+	void MergeInHash(std::size_t h)
+		{
+		// Taken from Boost.  See for example
+		// https://www.boost.org/doc/libs/1_35_0/doc/html/boost/hash_combine_id241013.html
+		// or
+		// https://stackoverflow.com/questions/4948780/magic-number-in-boosthash-combine
+		hash_val ^= h + 0x9e3779b9 + (hash_val << 6) + (hash_val >> 2);
+		}
+
+	// Types that we've already processed.  Hashing types can be
+	// quite expensive since some of the common Zeek record types
+	// (e.g., notices) are huge, so useful to not do them more than
+	// once.  We track two forms, one by name (if available) and one
+	// by raw pointer (if not).  Doing so allows us to track named
+	// sub-records but also records that have no names.
+	std::unordered_set<std::string> seen_types;
+	std::unordered_set<const Type*> seen_type_ptrs;
+};
+
+
+} // namespace zeek::detail

src/script_opt/ScriptOpt.cc

@@ -0,0 +1,65 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "zeek/Options.h"
+#include "zeek/script_opt/ScriptOpt.h"
+#include "zeek/script_opt/ProfileFunc.h"
+#include "zeek/script_opt/Inline.h"
+
+
+namespace zeek::detail {
+
+
+std::unordered_set<const Func*> non_recursive_funcs;
+
+// Tracks all of the loaded functions (including event handlers and hooks).
+static std::vector<FuncInfo*> funcs;
+
+
+FuncInfo::~FuncInfo()
+	{
+	delete pf;
+	delete save_file;
+	}
+
+void analyze_func(ScriptFuncPtr f)
+	{
+	auto info = new FuncInfo(f, {NewRef{}, f->GetScope()}, f->CurrentBody());
+	funcs.push_back(info);
+	}
+
+static void check_env_opt(const char* opt, bool& opt_flag)
+	{
+	if ( getenv(opt) )
+		opt_flag = true;
+	}
+
+void analyze_scripts(Options& opts)
+	{
+	auto& analysis_options = opts.analysis_options;
+
+	static bool did_init = false;
+
+	if ( ! did_init )
+		{
+		check_env_opt("ZEEK_INLINE", analysis_options.inliner);
+		did_init = true;
+		}
+
+	if ( ! analysis_options.inliner )
+		return;
+
+	for ( auto& f : funcs )
+		{
+		f->SetProfile(new ProfileFunc(true));
+		f->Body()->Traverse(f->Profile());
+		}
+
+	Inliner* inl = nullptr;
+	if ( analysis_options.inliner )
+		inl = new Inliner(funcs, analysis_options.report_recursive);
+
+	delete inl;
+	}
+
+
+} // namespace zeek::detail

src/script_opt/ScriptOpt.h

@@ -0,0 +1,79 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+// Classes for controlling/orchestrating script optimization & compilation.
+
+#pragma once
+
+#include "zeek/Func.h"
+#include "zeek/Expr.h"
+#include "zeek/Scope.h"
+
+namespace zeek { struct Options; }
+
+namespace zeek::detail {
+
+
+// Flags controlling what sorts of analysis to do.
+
+struct AnalyOpt {
+	// If true, do global inlining.
+	bool inliner = false;
+
+	// If true, report which functions are directly and indirectly
+	// recursive, and exit.  Only germane if running the inliner.
+	bool report_recursive = false;
+};
+
+
+class ProfileFunc;
+
+using ScriptFuncPtr = IntrusivePtr<ScriptFunc>;
+
+// Info we need for tracking an instance of a function.
+class FuncInfo {
+public:
+	FuncInfo(ScriptFuncPtr _func, ScopePtr _scope, StmtPtr _body)
+		{
+		func = _func;
+		scope = _scope;
+		body = _body;
+		}
+
+	~FuncInfo();
+
+	ScriptFunc* Func()	{ return func.get(); }
+	ScriptFuncPtr FuncPtr()	{ return func; }
+	ScopePtr Scope()	{ return scope; }
+	StmtPtr Body()		{ return body; }
+	ProfileFunc* Profile()	{ return pf; }
+	const char* SaveFile()	{ return save_file; }
+
+	void SetProfile(ProfileFunc* _pf)	{ pf = _pf; }
+	void SetSaveFile(const char* _sf);
+
+protected:
+	ScriptFuncPtr func;
+	ScopePtr scope;
+	StmtPtr body;
+	ProfileFunc* pf = nullptr;
+
+	// If we're saving this function in a file, this is the name
+	// of the file to use.
+	char* save_file = nullptr;
+};
+
+
+// We track which functions are definitely not recursive.  We do this
+// as the negative, rather than tracking functions known to be recursive,
+// so that if we don't do the analysis at all (it's driven by inlining),
+// we err on the conservative side and assume every function is recursive.
+extern std::unordered_set<const Func*> non_recursive_funcs;
+
+// Analyze a given function for optimization.
+extern void analyze_func(ScriptFuncPtr f);
+
+// Analyze all of the parsed scripts collectively for optimization.
+extern void analyze_scripts(Options& opts);
+
+
+} // namespace zeek::detail

src/script_opt/Stmt.cc

@@ -0,0 +1,212 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+// Optimization-related methods for Stmt classes.
+
+#include "zeek/Stmt.h"
+#include "zeek/Expr.h"
+
+
+namespace zeek::detail {
+
+
+void ExprListStmt::Inline(Inliner* inl)
+	{
+	auto& e = l->Exprs();
+	for ( auto i = 0; i < e.length(); ++i )
+		e.replace(i, e[i]->Inline(inl).release());
+	}
+
+
+StmtPtr PrintStmt::Duplicate()
+	{
+	return SetSucc(new PrintStmt(l->Duplicate()->AsListExprPtr()));
+	}
+
+
+StmtPtr ExprStmt::Duplicate()
+	{
+	return SetSucc(new ExprStmt(e ? e->Duplicate() : nullptr));
+	}
+
+void ExprStmt::Inline(Inliner* inl)
+	{
+	if ( e )
+		e = e->Inline(inl);
+	}
+
+
+StmtPtr IfStmt::Duplicate()
+	{
+	return SetSucc(new IfStmt(e->Duplicate(), s1->Duplicate(),
+					s2->Duplicate()));
+	}
+
+void IfStmt::Inline(Inliner* inl)
+	{
+	ExprStmt::Inline(inl);
+
+	if ( s1 )
+		s1->Inline(inl);
+	if ( s2 )
+		s2->Inline(inl);
+	}
+
+
+IntrusivePtr<Case> Case::Duplicate()
+	{
+	if ( expr_cases )
+		{
+		auto new_exprs = expr_cases->Duplicate()->AsListExprPtr();
+		return make_intrusive<Case>(new_exprs, type_cases, s->Duplicate());
+		}
+
+	else
+		return make_intrusive<Case>(nullptr, type_cases, s->Duplicate());
+	}
+
+
+StmtPtr SwitchStmt::Duplicate()
+	{
+	auto new_cases = new case_list;
+
+	loop_over_list(*cases, i)
+		new_cases->append((*cases)[i]->Duplicate().release());
+
+	return SetSucc(new SwitchStmt(e->Duplicate(), new_cases));
+	}
+
+void SwitchStmt::Inline(Inliner* inl)
+	{
+	ExprStmt::Inline(inl);
+
+	for ( auto c : *cases )
+		// In principle this can do the operation multiple times
+		// for a given body, but that's no big deal as repeated
+		// calls won't do anything.
+		c->Body()->Inline(inl);
+	}
+
+
+StmtPtr AddStmt::Duplicate()
+	{
+	return SetSucc(new AddStmt(e->Duplicate()));
+	}
+
+
+StmtPtr DelStmt::Duplicate()
+	{
+	return SetSucc(new DelStmt(e->Duplicate()));
+	}
+
+
+StmtPtr EventStmt::Duplicate()
+	{
+	return SetSucc(new EventStmt(e->Duplicate()->AsEventExprPtr()));
+	}
+
+
+StmtPtr WhileStmt::Duplicate()
+	{
+	return SetSucc(new WhileStmt(loop_condition->Duplicate(),
+					body->Duplicate()));
+	}
+
+void WhileStmt::Inline(Inliner* inl)
+	{
+	loop_condition = loop_condition->Inline(inl);
+
+	if ( loop_cond_stmt )
+		loop_cond_stmt->Inline(inl);
+	if ( body )
+		body->Inline(inl);
+	}
+
+
+StmtPtr ForStmt::Duplicate()
+	{
+	auto expr_copy = e->Duplicate();
+
+	auto new_loop_vars = new zeek::IDPList;
+	loop_over_list(*loop_vars, i)
+		{
+		auto id = (*loop_vars)[i];
+		zeek::Ref(id);
+		new_loop_vars->append(id);
+		}
+
+	ForStmt* f;
+	if ( value_var )
+		f = new ForStmt(new_loop_vars, expr_copy, value_var);
+	else
+		f = new ForStmt(new_loop_vars, expr_copy);
+
+	f->AddBody(body->Duplicate());
+
+	return SetSucc(f);
+	}
+
+void ForStmt::Inline(Inliner* inl)
+	{
+	ExprStmt::Inline(inl);
+	body->Inline(inl);
+	}
+
+
+StmtPtr ReturnStmt::Duplicate()
+	{
+	return SetSucc(new ReturnStmt(e ? e->Duplicate() : nullptr, true));
+	}
+
+ReturnStmt::ReturnStmt(ExprPtr arg_e, bool ignored)
+	: ExprStmt(STMT_RETURN, std::move(arg_e))
+        {
+        }
+
+
+StmtPtr StmtList::Duplicate()
+	{
+	auto new_sl = new StmtList();
+
+	for ( auto& stmt : Stmts() )
+		new_sl->Stmts().push_back(stmt->Duplicate().release());
+
+	return SetSucc(new_sl);
+	}
+
+void StmtList::Inline(Inliner* inl)
+	{
+	for ( const auto& stmt : Stmts() )
+		stmt->Inline(inl);
+	}
+
+
+StmtPtr InitStmt::Duplicate()
+	{
+	// Need to duplicate the initializer list since later reductions
+	// can modify it in place.
+	std::vector<IDPtr> new_inits;
+	for ( auto id : inits )
+		new_inits.push_back(id);
+
+	return SetSucc(new InitStmt(new_inits));
+	}
+
+
+StmtPtr WhenStmt::Duplicate()
+	{
+	auto cond_d = cond->Duplicate();
+	auto s1_d = s1->Duplicate();
+	auto s2_d = s2 ? s2->Duplicate() : nullptr;
+	auto timeout_d = timeout ? timeout->Duplicate() : nullptr;
+
+	return SetSucc(new WhenStmt(cond_d, s1_d, s2_d, timeout_d, is_return));
+	}
+
+void WhenStmt::Inline(Inliner* inl)
+	{
+	// Don't inline, since we currently don't correctly capture
+	// the frames of closures.
+	}
+
+
+} // namespace zeek::detail

src/script_opt/StmtOpt-Private.h

@@ -0,0 +1,13 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+// Private (protected) Stmt methods and member varibles associated
+// with script optimization.  See script_opt/ExprOpt-public.h for
+// why these aren't factored into a separate class.
+//
+// Right now, this file is small, but it will grow as we expand into
+// other forms of script optimization.
+
+	// The original statement from which this statement was
+	// derived, if any.  Used as an aid for generating meaningful
+	// and correctly-localized error messages.
+	StmtPtr original = nullptr;

src/script_opt/StmtOpt-Public.h

@@ -0,0 +1,37 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+// Stmt methods and member varibles associated with script optimization.
+// See script_opt/ExprOpt-public.h for why these aren't factored into a
+// separate class.
+
+	// Returns a duplicate of the statement.
+	virtual StmtPtr Duplicate() = 0;
+
+	// Recursively traverses the AST to inline eligible function calls.
+	virtual void Inline(Inliner* inl)	{ }
+
+	// Access to the original statement from which this one is derived,
+	// or this one if we don't have an original.  Returns a bare pointer
+	// rather than a StmtPtr to emphasize that the access is read-only.
+	const Stmt* Original() const
+		{ return original ? original->Original() : this; }
+
+	// Designate the given Stmt node as the original for this one.
+	void SetOriginal(StmtPtr _orig)
+		{
+		if ( ! original )
+			original = std::move(_orig);
+		}
+
+	// A convenience function for taking a newly-created Stmt,
+	// making it point to us as the successor, and returning it.
+	//
+	// Takes a Stmt* rather than a StmtPtr to de-clutter the calling
+	// code, which is always passing in "new XyzStmt(...)".  This
+	// call, as a convenient side effect, transforms that bare pointer
+	// into a StmtPtr.
+	virtual StmtPtr SetSucc(Stmt* succ)
+		{
+		succ->SetOriginal({NewRef{}, this});
+		return {AdoptRef{}, succ};
+		}

src/zeek-setup.cc

@@ -54,6 +54,8 @@ extern "C" {
 #include "zeek/ScannedFile.h"
 #include "zeek/Frag.h"
 
+#include "zeek/script_opt/ScriptOpt.h"
+
 #include "zeek/supervisor/Supervisor.h"
 #include "zeek/threading/Manager.h"
 #include "zeek/input/Manager.h"
@@ -788,6 +790,14 @@ SetupResult setup(int argc, char** argv, Options* zopts)
 			}
 		}
 
+	analyze_scripts(options);
+
+	auto& analysis_options = options.analysis_options;
+
+	if ( analysis_options.report_recursive )
+		// This option is report-and-exit.
+		return {0, std::move(options), true};
+
 	if ( dns_type != DNS_PRIME )
 		run_state::detail::init_run(options.interface, options.pcap_file, options.pcap_output_file, options.use_watchdog);
 

src/zeek-setup.h

@@ -9,6 +9,7 @@ namespace zeek::detail {
 struct SetupResult {
 	int code = 0;
 	Options options;
+	bool parse_only = false;
 };
 
 /**

src/zeek.bif

@@ -2333,7 +2333,7 @@ function backtrace%(%): Backtrace
 
 		if ( ci.call )
 			{
-			auto loc = ci.call->GetLocationInfo();
+			auto loc = ci.call->Original()->GetLocationInfo();
 			elem->Assign<StringVal>(file_location_idx, loc->filename);
 			elem->Assign(line_location_idx, val_mgr->Count(loc->first_line));
 			}

testing/btest/Baseline.dup/broker.store.invalid-handle/out

@@ -0,0 +1,4 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+expression error in <...>/invalid-handle.zeek, lines 16-22: invalid Broker store handle (0), during call: (Broker::is_closed(a))
+error in <...>/invalid-handle.zeek, lines 4-14: invalid Broker store handle (Broker::keys(a) and 0)
+keys, [status=Broker::FAILURE, result=[data=<uninitialized>]]

testing/btest/Baseline.dup/coverage.zeek-profiler-file/step1.out

@@ -0,0 +1,2 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+0	./profiling-test1.zeek, line 2	print new conn;

testing/btest/Baseline.dup/coverage.zeek-profiler-file/step2.out

@@ -0,0 +1,2 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+0	./profiling-test1.zeek, line 2	print new conn;

testing/btest/Baseline.dup/coverage.zeek-profiler-file/step3.out

@@ -0,0 +1,3 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+0	./profiling-test1.zeek, line 2	print new conn;
+0	./profiling-test2.zeek, line 2	print new conn;

testing/btest/Baseline.dup/language.deprecated/no-warnings.out

@@ -0,0 +1,41 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+warning in ./no-warnings.zeek, line 27: deprecated (ONE)
+warning in ./no-warnings.zeek, line 28: deprecated (TWO)
+warning in ./no-warnings.zeek, line 30: deprecated (GREEN)
+warning in ./no-warnings.zeek, line 31: deprecated (BLUE)
+warning in ./no-warnings.zeek, line 33: deprecated (blah)
+warning in ./no-warnings.zeek, line 37: deprecated (my_event)
+warning in ./no-warnings.zeek, line 38: deprecated (my_event)
+warning in ./no-warnings.zeek, line 39: deprecated (my_hook)
+warning in ./no-warnings.zeek, line 41: deprecated (my_record$b)
+warning in ./no-warnings.zeek, line 42: deprecated (my_record$b)
+warning in ./no-warnings.zeek, line 43: deprecated (my_record$b)
+warning in ./no-warnings.zeek, line 45: deprecated (my_record?$b)
+warning in ./no-warnings.zeek, line 46: deprecated (my_record$b)
+warning in ./no-warnings.zeek, line 49: deprecated (my_record$b)
+warning in ./no-warnings.zeek, line 50: deprecated (my_record$b)
+warning in ./no-warnings.zeek, line 50: deprecated (my_record$b)
+warning in ./no-warnings.zeek, line 50: deprecated (my_record$b)
+warning in ./no-warnings.zeek, line 50: deprecated (my_record?$b)
+warning in ./no-warnings.zeek, line 50: deprecated (my_record$b)
+warning in ./no-warnings.zeek, line 50: deprecated (my_record$b)
+warning in ./no-warnings.zeek, line 50: deprecated (my_record$b)
+warning in ./no-warnings.zeek, line 50: deprecated (my_record$b)
+warning in ./no-warnings.zeek, line 50: deprecated (my_record$b)
+warning in ./no-warnings.zeek, line 50: deprecated (my_record?$b)
+warning in ./no-warnings.zeek, line 50: deprecated (my_record$b)
+warning in ./no-warnings.zeek, line 50: deprecated (my_record$b)
+warning in ./no-warnings.zeek, line 52: deprecated (my_event)
+warning in ./no-warnings.zeek, line 57: deprecated (my_hook)
+warning in ./no-warnings.zeek, line 62: deprecated (blah)
+warning in ./no-warnings.zeek, line 71: deprecated (dont_use_me)
+warning in ./no-warnings.zeek, line 76: deprecated (dont_use_me_either)
+ZERO
+ONE
+TWO
+RED
+GREEN
+BLUE
+generate my_hook please
+generate my_event please
+schedule my_event please

testing/btest/Baseline.dup/language.deprecated/warnings.out

@@ -0,0 +1,41 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+warning in ./warnings.zeek, line 27: deprecated (ONE): one warning
+warning in ./warnings.zeek, line 28: deprecated (TWO): two warning
+warning in ./warnings.zeek, line 30: deprecated (GREEN): green warning
+warning in ./warnings.zeek, line 31: deprecated (BLUE): red warning
+warning in ./warnings.zeek, line 33: deprecated (blah): type warning
+warning in ./warnings.zeek, line 37: deprecated (my_event): event warning
+warning in ./warnings.zeek, line 38: deprecated (my_event): event warning
+warning in ./warnings.zeek, line 39: deprecated (my_hook): hook warning
+warning in ./warnings.zeek, line 41: deprecated (my_record$b): record warning
+warning in ./warnings.zeek, line 42: deprecated (my_record$b): record warning
+warning in ./warnings.zeek, line 43: deprecated (my_record$b): record warning
+warning in ./warnings.zeek, line 45: deprecated (my_record?$b): record warning
+warning in ./warnings.zeek, line 46: deprecated (my_record$b): record warning
+warning in ./warnings.zeek, line 49: deprecated (my_record$b): record warning
+warning in ./warnings.zeek, line 50: deprecated (my_record$b): record warning
+warning in ./warnings.zeek, line 50: deprecated (my_record$b): record warning
+warning in ./warnings.zeek, line 50: deprecated (my_record$b): record warning
+warning in ./warnings.zeek, line 50: deprecated (my_record?$b): record warning
+warning in ./warnings.zeek, line 50: deprecated (my_record$b): record warning
+warning in ./warnings.zeek, line 50: deprecated (my_record$b): record warning
+warning in ./warnings.zeek, line 50: deprecated (my_record$b): record warning
+warning in ./warnings.zeek, line 50: deprecated (my_record$b): record warning
+warning in ./warnings.zeek, line 50: deprecated (my_record$b): record warning
+warning in ./warnings.zeek, line 50: deprecated (my_record?$b): record warning
+warning in ./warnings.zeek, line 50: deprecated (my_record$b): record warning
+warning in ./warnings.zeek, line 50: deprecated (my_record$b): record warning
+warning in ./warnings.zeek, line 52: deprecated (my_event): event warning
+warning in ./warnings.zeek, line 57: deprecated (my_hook): hook warning
+warning in ./warnings.zeek, line 62: deprecated (blah): type warning
+warning in ./warnings.zeek, line 71: deprecated (dont_use_me): global function warning
+warning in ./warnings.zeek, line 76: deprecated (dont_use_me_either): function warning
+ZERO
+ONE
+TWO
+RED
+GREEN
+BLUE
+generate my_hook please
+generate my_event please
+schedule my_event please

testing/btest/Baseline.inline/bifs.backtrace/out

@@ -0,0 +1,7 @@
+
+--- Backtrace ---
+
+--- Backtrace ---
+
+
+--- Backtrace ---

testing/btest/Baseline.inline/broker.store.invalid-handle/out

@@ -0,0 +1,4 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+expression error in <no location>: invalid Broker store handle (0), during call: (Broker::__is_closed(Broker::h))
+error in <...>/invalid-handle.zeek, line 6: invalid Broker store handle (Broker::keys(a) and 0)
+keys, [status=Broker::FAILURE, result=[data=<uninitialized>]]

testing/btest/Baseline.inline/language.index-assignment-invalid/out

@@ -0,0 +1,5 @@
+runtime error in /Users/vern/warehouse/zeek-bvu-change/scripts/base/utils/queue.zeek, line 152: vector index assignment failed for invalid type 'myrec', value: [a=T, b=hi, c=<uninitialized>], expression: Queue::ret[Queue::j], call stack: 
+ #0 zeek_init() 
+
+
+

testing/btest/Baseline.inline/plugins.func-hook/output

@@ -0,0 +1 @@
+foo, 1, 2, 3, yo

testing/btest/Baseline.inline/plugins.legacy-func-hook/output

@@ -0,0 +1 @@
+foo, 1, 2, 3, yo

testing/btest/Baseline.inline/scripts.base.frameworks.file-analysis.bifs.file_exists_lookup_file/.stdout

@@ -0,0 +1,9 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+error: file ID asdf not a known file
+This should fail but not crash
+This should return F
+F
+lookup fid: FMnxxt3xjVcWNS2141
+We should have found the file id: FMnxxt3xjVcWNS2141
+This should return T
+T

testing/btest/Baseline.inline/scripts.base.frameworks.input.raw.basic/out

@@ -0,0 +1,160 @@
+[source=../input.log, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=A::Val, want_record=F, ev=line
+{ 
+print outfile, A::description;
+print outfile, A::tpe;
+print outfile, A::s;
+try = try + 1;
+if (8 == try) 
+{ 
+inline(input){{ 
+return (Input::__remove_stream(Input::id));
+}};
+close(outfile);
+terminate();
+}
+
+}, error_ev=<uninitialized>, config={
+
+}]
+Input::EVENT_NEW
+sdfkh:KH;fdkncv;ISEUp34:Fkdj;YVpIODhfDF
+[source=../input.log, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=A::Val, want_record=F, ev=line
+{ 
+print outfile, A::description;
+print outfile, A::tpe;
+print outfile, A::s;
+try = try + 1;
+if (8 == try) 
+{ 
+inline(input){{ 
+return (Input::__remove_stream(Input::id));
+}};
+close(outfile);
+terminate();
+}
+
+}, error_ev=<uninitialized>, config={
+
+}]
+Input::EVENT_NEW
+DSF"DFKJ"SDFKLh304yrsdkfj@#(*U$34jfDJup3UF
+[source=../input.log, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=A::Val, want_record=F, ev=line
+{ 
+print outfile, A::description;
+print outfile, A::tpe;
+print outfile, A::s;
+try = try + 1;
+if (8 == try) 
+{ 
+inline(input){{ 
+return (Input::__remove_stream(Input::id));
+}};
+close(outfile);
+terminate();
+}
+
+}, error_ev=<uninitialized>, config={
+
+}]
+Input::EVENT_NEW
+q3r3057fdf
+[source=../input.log, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=A::Val, want_record=F, ev=line
+{ 
+print outfile, A::description;
+print outfile, A::tpe;
+print outfile, A::s;
+try = try + 1;
+if (8 == try) 
+{ 
+inline(input){{ 
+return (Input::__remove_stream(Input::id));
+}};
+close(outfile);
+terminate();
+}
+
+}, error_ev=<uninitialized>, config={
+
+}]
+Input::EVENT_NEW
+sdfs\d
+[source=../input.log, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=A::Val, want_record=F, ev=line
+{ 
+print outfile, A::description;
+print outfile, A::tpe;
+print outfile, A::s;
+try = try + 1;
+if (8 == try) 
+{ 
+inline(input){{ 
+return (Input::__remove_stream(Input::id));
+}};
+close(outfile);
+terminate();
+}
+
+}, error_ev=<uninitialized>, config={
+
+}]
+Input::EVENT_NEW
+
+[source=../input.log, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=A::Val, want_record=F, ev=line
+{ 
+print outfile, A::description;
+print outfile, A::tpe;
+print outfile, A::s;
+try = try + 1;
+if (8 == try) 
+{ 
+inline(input){{ 
+return (Input::__remove_stream(Input::id));
+}};
+close(outfile);
+terminate();
+}
+
+}, error_ev=<uninitialized>, config={
+
+}]
+Input::EVENT_NEW
+dfsdf
+[source=../input.log, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=A::Val, want_record=F, ev=line
+{ 
+print outfile, A::description;
+print outfile, A::tpe;
+print outfile, A::s;
+try = try + 1;
+if (8 == try) 
+{ 
+inline(input){{ 
+return (Input::__remove_stream(Input::id));
+}};
+close(outfile);
+terminate();
+}
+
+}, error_ev=<uninitialized>, config={
+
+}]
+Input::EVENT_NEW
+sdf
+[source=../input.log, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=A::Val, want_record=F, ev=line
+{ 
+print outfile, A::description;
+print outfile, A::tpe;
+print outfile, A::s;
+try = try + 1;
+if (8 == try) 
+{ 
+inline(input){{ 
+return (Input::__remove_stream(Input::id));
+}};
+close(outfile);
+terminate();
+}
+
+}, error_ev=<uninitialized>, config={
+
+}]
+Input::EVENT_NEW
+3rw43wRRERLlL#RWERERERE.

testing/btest/Baseline.inline/scripts.base.frameworks.input.raw.execute/out

@@ -0,0 +1,15 @@
+[source=wc -l ../input.log |, reader=Input::READER_RAW, mode=Input::MANUAL, name=input, fields=Val, want_record=F, ev=line
+{ 
+print outfile, description;
+print outfile, tpe;
+print outfile, s;
+inline(input){{ 
+return (Input::__remove_stream(Input::id));
+}};
+close(outfile);
+terminate();
+}, error_ev=<uninitialized>, config={
+
+}]
+Input::EVENT_NEW
+8 ../input.log

testing/btest/Baseline.inline/scripts.base.frameworks.input.raw.rereadraw/out

@@ -0,0 +1,320 @@
+[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=A::Val, want_record=F, ev=line
+{ 
+print outfile, A::description;
+print outfile, A::tpe;
+print outfile, A::s;
+try = try + 1;
+if (16 == try) 
+{ 
+inline(input){{ 
+return (Input::__remove_stream(Input::id));
+}};
+close(outfile);
+terminate();
+}
+
+}, error_ev=<uninitialized>, config={
+
+}]
+Input::EVENT_NEW
+sdfkh:KH;fdkncv;ISEUp34:Fkdj;YVpIODhfDF
+[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=A::Val, want_record=F, ev=line
+{ 
+print outfile, A::description;
+print outfile, A::tpe;
+print outfile, A::s;
+try = try + 1;
+if (16 == try) 
+{ 
+inline(input){{ 
+return (Input::__remove_stream(Input::id));
+}};
+close(outfile);
+terminate();
+}
+
+}, error_ev=<uninitialized>, config={
+
+}]
+Input::EVENT_NEW
+DSF"DFKJ"SDFKLh304yrsdkfj@#(*U$34jfDJup3UF
+[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=A::Val, want_record=F, ev=line
+{ 
+print outfile, A::description;
+print outfile, A::tpe;
+print outfile, A::s;
+try = try + 1;
+if (16 == try) 
+{ 
+inline(input){{ 
+return (Input::__remove_stream(Input::id));
+}};
+close(outfile);
+terminate();
+}
+
+}, error_ev=<uninitialized>, config={
+
+}]
+Input::EVENT_NEW
+q3r3057fdf
+[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=A::Val, want_record=F, ev=line
+{ 
+print outfile, A::description;
+print outfile, A::tpe;
+print outfile, A::s;
+try = try + 1;
+if (16 == try) 
+{ 
+inline(input){{ 
+return (Input::__remove_stream(Input::id));
+}};
+close(outfile);
+terminate();
+}
+
+}, error_ev=<uninitialized>, config={
+
+}]
+Input::EVENT_NEW
+sdfs\d
+[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=A::Val, want_record=F, ev=line
+{ 
+print outfile, A::description;
+print outfile, A::tpe;
+print outfile, A::s;
+try = try + 1;
+if (16 == try) 
+{ 
+inline(input){{ 
+return (Input::__remove_stream(Input::id));
+}};
+close(outfile);
+terminate();
+}
+
+}, error_ev=<uninitialized>, config={
+
+}]
+Input::EVENT_NEW
+
+[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=A::Val, want_record=F, ev=line
+{ 
+print outfile, A::description;
+print outfile, A::tpe;
+print outfile, A::s;
+try = try + 1;
+if (16 == try) 
+{ 
+inline(input){{ 
+return (Input::__remove_stream(Input::id));
+}};
+close(outfile);
+terminate();
+}
+
+}, error_ev=<uninitialized>, config={
+
+}]
+Input::EVENT_NEW
+dfsdf
+[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=A::Val, want_record=F, ev=line
+{ 
+print outfile, A::description;
+print outfile, A::tpe;
+print outfile, A::s;
+try = try + 1;
+if (16 == try) 
+{ 
+inline(input){{ 
+return (Input::__remove_stream(Input::id));
+}};
+close(outfile);
+terminate();
+}
+
+}, error_ev=<uninitialized>, config={
+
+}]
+Input::EVENT_NEW
+sdf
+[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=A::Val, want_record=F, ev=line
+{ 
+print outfile, A::description;
+print outfile, A::tpe;
+print outfile, A::s;
+try = try + 1;
+if (16 == try) 
+{ 
+inline(input){{ 
+return (Input::__remove_stream(Input::id));
+}};
+close(outfile);
+terminate();
+}
+
+}, error_ev=<uninitialized>, config={
+
+}]
+Input::EVENT_NEW
+3rw43wRRERLlL#RWERERERE.
+[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=A::Val, want_record=F, ev=line
+{ 
+print outfile, A::description;
+print outfile, A::tpe;
+print outfile, A::s;
+try = try + 1;
+if (16 == try) 
+{ 
+inline(input){{ 
+return (Input::__remove_stream(Input::id));
+}};
+close(outfile);
+terminate();
+}
+
+}, error_ev=<uninitialized>, config={
+
+}]
+Input::EVENT_NEW
+sdfkh:KH;fdkncv;ISEUp34:Fkdj;YVpIODhfDF
+[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=A::Val, want_record=F, ev=line
+{ 
+print outfile, A::description;
+print outfile, A::tpe;
+print outfile, A::s;
+try = try + 1;
+if (16 == try) 
+{ 
+inline(input){{ 
+return (Input::__remove_stream(Input::id));
+}};
+close(outfile);
+terminate();
+}
+
+}, error_ev=<uninitialized>, config={
+
+}]
+Input::EVENT_NEW
+DSF"DFKJ"SDFKLh304yrsdkfj@#(*U$34jfDJup3UF
+[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=A::Val, want_record=F, ev=line
+{ 
+print outfile, A::description;
+print outfile, A::tpe;
+print outfile, A::s;
+try = try + 1;
+if (16 == try) 
+{ 
+inline(input){{ 
+return (Input::__remove_stream(Input::id));
+}};
+close(outfile);
+terminate();
+}
+
+}, error_ev=<uninitialized>, config={
+
+}]
+Input::EVENT_NEW
+q3r3057fdf
+[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=A::Val, want_record=F, ev=line
+{ 
+print outfile, A::description;
+print outfile, A::tpe;
+print outfile, A::s;
+try = try + 1;
+if (16 == try) 
+{ 
+inline(input){{ 
+return (Input::__remove_stream(Input::id));
+}};
+close(outfile);
+terminate();
+}
+
+}, error_ev=<uninitialized>, config={
+
+}]
+Input::EVENT_NEW
+sdfs\d
+[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=A::Val, want_record=F, ev=line
+{ 
+print outfile, A::description;
+print outfile, A::tpe;
+print outfile, A::s;
+try = try + 1;
+if (16 == try) 
+{ 
+inline(input){{ 
+return (Input::__remove_stream(Input::id));
+}};
+close(outfile);
+terminate();
+}
+
+}, error_ev=<uninitialized>, config={
+
+}]
+Input::EVENT_NEW
+
+[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=A::Val, want_record=F, ev=line
+{ 
+print outfile, A::description;
+print outfile, A::tpe;
+print outfile, A::s;
+try = try + 1;
+if (16 == try) 
+{ 
+inline(input){{ 
+return (Input::__remove_stream(Input::id));
+}};
+close(outfile);
+terminate();
+}
+
+}, error_ev=<uninitialized>, config={
+
+}]
+Input::EVENT_NEW
+dfsdf
+[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=A::Val, want_record=F, ev=line
+{ 
+print outfile, A::description;
+print outfile, A::tpe;
+print outfile, A::s;
+try = try + 1;
+if (16 == try) 
+{ 
+inline(input){{ 
+return (Input::__remove_stream(Input::id));
+}};
+close(outfile);
+terminate();
+}
+
+}, error_ev=<uninitialized>, config={
+
+}]
+Input::EVENT_NEW
+sdf
+[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=A::Val, want_record=F, ev=line
+{ 
+print outfile, A::description;
+print outfile, A::tpe;
+print outfile, A::s;
+try = try + 1;
+if (16 == try) 
+{ 
+inline(input){{ 
+return (Input::__remove_stream(Input::id));
+}};
+close(outfile);
+terminate();
+}
+
+}, error_ev=<uninitialized>, config={
+
+}]
+Input::EVENT_NEW
+3rw43wRRERLlL#RWERERERE.

testing/btest/Baseline.inline/scripts.policy.misc.dump-events/all-events-no-args.log

@@ -0,0 +1,236 @@
+         0.000000 zeek_init
+         0.000000 NetControl::init
+         0.000000 filter_change_tracking
+1254722767.492060 Broker::log_flush
+1254722767.492060 ChecksumOffloading::check
+1254722767.492060 filter_change_tracking
+1254722767.492060 new_connection
+1254722767.492060 dns_message
+1254722767.492060 dns_request
+1254722767.492060 protocol_confirmation
+1254722767.492060 dns_end
+1254722767.526085 dns_message
+1254722767.526085 dns_CNAME_reply
+1254722767.526085 dns_A_reply
+1254722767.526085 dns_end
+1254722767.529046 new_connection
+1254722767.875996 connection_established
+1254722768.219663 smtp_reply
+1254722768.219663 smtp_reply
+1254722768.219663 smtp_reply
+1254722768.224809 protocol_confirmation
+1254722768.224809 smtp_request
+1254722768.565386 Broker::log_flush
+1254722768.566183 smtp_reply
+1254722768.566183 smtp_reply
+1254722768.566183 smtp_reply
+1254722768.566183 smtp_reply
+1254722768.566183 smtp_reply
+1254722768.566183 smtp_reply
+1254722768.568729 smtp_request
+1254722768.911081 smtp_reply
+1254722768.911655 smtp_request
+1254722769.253544 smtp_reply
+1254722769.254118 smtp_request
+1254722769.613798 Broker::log_flush
+1254722769.613798 smtp_reply
+1254722769.614414 smtp_request
+1254722769.956765 smtp_reply
+1254722769.957250 smtp_request
+1254722770.319708 smtp_reply
+1254722770.320203 smtp_request
+1254722770.320203 mime_begin_entity
+1254722770.661679 Broker::log_flush
+1254722770.661679 smtp_reply
+1254722770.692743 mime_one_header
+1254722770.692743 mime_one_header
+1254722770.692743 mime_one_header
+1254722770.692743 mime_one_header
+1254722770.692743 mime_one_header
+1254722770.692743 mime_one_header
+1254722770.692743 mime_one_header
+1254722770.692743 mime_one_header
+1254722770.692743 mime_one_header
+1254722770.692743 mime_one_header
+1254722770.692743 mime_one_header
+1254722770.692743 mime_one_header
+1254722770.692743 mime_begin_entity
+1254722770.692743 mime_one_header
+1254722770.692743 mime_begin_entity
+1254722770.692743 mime_one_header
+1254722770.692743 mime_one_header
+1254722770.692743 get_file_handle
+1254722770.692743 file_new
+1254722770.692743 file_over_new_connection
+1254722770.692743 mime_end_entity
+1254722770.692743 get_file_handle
+1254722770.692743 file_sniff
+1254722770.692743 file_state_remove
+1254722770.692743 get_file_handle
+1254722770.692743 mime_begin_entity
+1254722770.692743 mime_one_header
+1254722770.692743 mime_one_header
+1254722770.692743 get_file_handle
+1254722770.692743 file_new
+1254722770.692743 file_over_new_connection
+1254722770.692804 mime_end_entity
+1254722770.692804 get_file_handle
+1254722770.692804 file_sniff
+1254722770.692804 file_state_remove
+1254722770.692804 get_file_handle
+1254722770.692804 mime_end_entity
+1254722770.692804 get_file_handle
+1254722770.692804 get_file_handle
+1254722770.692804 mime_begin_entity
+1254722770.692804 mime_one_header
+1254722770.692804 mime_one_header
+1254722770.692804 mime_one_header
+1254722770.692804 get_file_handle
+1254722770.692804 file_new
+1254722770.692804 file_over_new_connection
+1254722770.695115 new_connection
+1254722771.494181 file_sniff
+1254722771.834595 Broker::log_flush
+1254722771.858334 mime_end_entity
+1254722771.858334 get_file_handle
+1254722771.858334 file_state_remove
+1254722771.858334 get_file_handle
+1254722771.858334 mime_end_entity
+1254722771.858334 get_file_handle
+1254722771.858334 get_file_handle
+1254722771.858334 get_file_handle
+1254722771.858334 get_file_handle
+1254722771.858334 smtp_request
+1254722772.248789 smtp_reply
+1254722774.763825 Broker::log_flush
+1254722774.763825 smtp_request
+1254722775.105467 smtp_reply
+1254722776.690444 Broker::log_flush
+1254722776.690444 new_connection
+1437831776.764391 ChecksumOffloading::check
+1437831776.764391 connection_state_remove
+1437831776.764391 Broker::log_flush
+1437831776.764391 connection_state_remove
+1437831776.764391 connection_state_remove
+1437831776.764391 connection_state_remove
+1437831776.764391 filter_change_tracking
+1437831776.764391 new_connection
+1437831787.856895 Broker::log_flush
+1437831787.856895 new_connection
+1437831787.861602 connection_established
+1437831787.867142 smtp_reply
+1437831787.883306 protocol_confirmation
+1437831787.883306 smtp_request
+1437831787.886281 smtp_reply
+1437831787.886281 smtp_reply
+1437831787.886281 smtp_reply
+1437831787.886281 smtp_reply
+1437831787.887031 smtp_request
+1437831787.889785 smtp_reply
+1437831787.890232 smtp_request
+1437831787.892986 smtp_reply
+1437831787.893587 smtp_request
+1437831787.897624 smtp_reply
+1437831787.898413 smtp_request
+1437831787.901069 smtp_reply
+1437831787.901697 smtp_request
+1437831787.901697 mime_begin_entity
+1437831787.904758 smtp_reply
+1437831787.905375 mime_one_header
+1437831787.905375 mime_one_header
+1437831787.905375 mime_one_header
+1437831787.905375 mime_one_header
+1437831787.905375 mime_one_header
+1437831787.905375 mime_one_header
+1437831787.905375 mime_one_header
+1437831787.905375 mime_one_header
+1437831787.905375 mime_one_header
+1437831787.905375 mime_one_header
+1437831787.905375 mime_one_header
+1437831787.905375 mime_one_header
+1437831787.905375 get_file_handle
+1437831787.905375 file_new
+1437831787.905375 file_over_new_connection
+1437831787.905375 mime_end_entity
+1437831787.905375 get_file_handle
+1437831787.905375 file_sniff
+1437831787.905375 file_state_remove
+1437831787.905375 get_file_handle
+1437831787.905375 get_file_handle
+1437831787.905375 get_file_handle
+1437831787.905375 smtp_request
+1437831787.914113 smtp_reply
+1437831798.533593 Broker::log_flush
+1437831798.533593 new_connection
+1437831799.262632 new_connection
+1437831799.461152 new_connection
+1437831799.610433 Broker::log_flush
+1437831799.610433 connection_established
+1437831799.611764 ssl_extension_server_name
+1437831799.611764 ssl_extension
+1437831799.611764 ssl_extension
+1437831799.611764 ssl_extension
+1437831799.611764 ssl_extension
+1437831799.611764 ssl_extension
+1437831799.611764 protocol_confirmation
+1437831799.611764 ssl_client_hello
+1437831799.611764 ssl_handshake_message
+1437831799.611764 ssl_plaintext_data
+1437831799.764576 ssl_extension
+1437831799.764576 ssl_server_hello
+1437831799.764576 ssl_handshake_message
+1437831799.764576 file_new
+1437831799.764576 file_over_new_connection
+1437831799.764576 file_sniff
+1437831799.764576 file_hash
+1437831799.764576 file_hash
+1437831799.764576 x509_certificate
+1437831799.764576 x509_extension
+1437831799.764576 x509_extension
+1437831799.764576 x509_extension
+1437831799.764576 x509_ext_basic_constraints
+1437831799.764576 x509_extension
+1437831799.764576 x509_extension
+1437831799.764576 x509_extension
+1437831799.764576 x509_extension
+1437831799.764576 x509_extension
+1437831799.764576 x509_extension
+1437831799.764576 x509_ext_subject_alternative_name
+1437831799.764576 file_hash
+1437831799.764576 file_state_remove
+1437831799.764576 file_new
+1437831799.764576 file_over_new_connection
+1437831799.764576 file_sniff
+1437831799.764576 file_hash
+1437831799.764576 file_hash
+1437831799.764576 x509_certificate
+1437831799.764576 x509_extension
+1437831799.764576 x509_extension
+1437831799.764576 x509_extension
+1437831799.764576 x509_ext_basic_constraints
+1437831799.764576 x509_extension
+1437831799.764576 x509_extension
+1437831799.764576 x509_extension
+1437831799.764576 x509_extension
+1437831799.764576 file_hash
+1437831799.764576 file_state_remove
+1437831799.764576 ssl_handshake_message
+1437831799.764576 ssl_handshake_message
+1437831799.764576 ssl_plaintext_data
+1437831799.838196 ssl_handshake_message
+1437831799.838196 ssl_plaintext_data
+1437831799.838197 ssl_change_cipher_spec
+1437831799.838197 ssl_plaintext_data
+1437831800.045701 ssl_change_cipher_spec
+1437831800.045701 ssl_plaintext_data
+1437831800.045701 ssl_established
+1437831800.217854 net_done
+1437831800.217854 Broker::log_flush
+1437831800.217854 filter_change_tracking
+1437831800.217854 connection_state_remove
+1437831800.217854 connection_state_remove
+1437831800.217854 connection_state_remove
+1437831800.217854 connection_state_remove
+1437831800.217854 connection_state_remove
+1437831800.217854 zeek_done
+1437831800.217854 ChecksumOffloading::check

testing/btest/Baseline.inline/scripts.policy.misc.dump-events/smtp-events.log

@@ -0,0 +1,320 @@
+1254722768.219663 smtp_reply
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=690.0 msecs 616.846085 usecs, service={\x0a\x0a}, history=ShAd, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = F
+                  [2] code: count        = 220
+                  [3] cmd: string        = >
+                  [4] msg: string        = xc90.websitewelcome.com ESMTP Exim 4.69 #1 Mon, 05 Oct 2009 01:05:54 -0500 
+                  [5] cont_resp: bool    = T
+
+1254722768.219663 smtp_reply
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=690.0 msecs 616.846085 usecs, service={\x0a\x0a}, history=ShAd, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 xc90.websitewelcome.com ESMTP Exim 4.69 #1 Mon, 05 Oct 2009 01:05:54 -0500 , path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = F
+                  [2] code: count        = 220
+                  [3] cmd: string        = >
+                  [4] msg: string        = We do not authorize the use of this system to transport unsolicited, 
+                  [5] cont_resp: bool    = T
+
+1254722768.219663 smtp_reply
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=690.0 msecs 616.846085 usecs, service={\x0a\x0a}, history=ShAd, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 We do not authorize the use of this system to transport unsolicited, , path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = F
+                  [2] code: count        = 220
+                  [3] cmd: string        = >
+                  [4] msg: string        = and/or bulk e-mail.
+                  [5] cont_resp: bool    = F
+
+1254722768.224809 smtp_request
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=181, state=4, num_pkts=2, num_bytes_ip=269, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=695.0 msecs 762.872696 usecs, service={\x0aSMTP\x0a}, history=ShAdD, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 and/or bulk e-mail., path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = T
+                  [2] command: string    = EHLO
+                  [3] arg: string        = GP
+
+1254722768.566183 smtp_reply
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.0 sec 37.0 msecs 137.031555 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 and/or bulk e-mail., path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = F
+                  [2] code: count        = 250
+                  [3] cmd: string        = EHLO
+                  [4] msg: string        = xc90.websitewelcome.com Hello GP [122.162.143.157]
+                  [5] cont_resp: bool    = T
+
+1254722768.566183 smtp_reply
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.0 sec 37.0 msecs 137.031555 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 xc90.websitewelcome.com Hello GP [122.162.143.157], path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = F
+                  [2] code: count        = 250
+                  [3] cmd: string        = EHLO
+                  [4] msg: string        = SIZE 52428800
+                  [5] cont_resp: bool    = T
+
+1254722768.566183 smtp_reply
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.0 sec 37.0 msecs 137.031555 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 SIZE 52428800, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = F
+                  [2] code: count        = 250
+                  [3] cmd: string        = EHLO
+                  [4] msg: string        = PIPELINING
+                  [5] cont_resp: bool    = T
+
+1254722768.566183 smtp_reply
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.0 sec 37.0 msecs 137.031555 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 PIPELINING, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = F
+                  [2] code: count        = 250
+                  [3] cmd: string        = EHLO
+                  [4] msg: string        = AUTH PLAIN LOGIN
+                  [5] cont_resp: bool    = T
+
+1254722768.566183 smtp_reply
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.0 sec 37.0 msecs 137.031555 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 AUTH PLAIN LOGIN, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = F
+                  [2] code: count        = 250
+                  [3] cmd: string        = EHLO
+                  [4] msg: string        = STARTTLS
+                  [5] cont_resp: bool    = T
+
+1254722768.566183 smtp_reply
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.0 sec 37.0 msecs 137.031555 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 STARTTLS, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = F
+                  [2] code: count        = 250
+                  [3] cmd: string        = EHLO
+                  [4] msg: string        = HELP
+                  [5] cont_resp: bool    = F
+
+1254722768.568729 smtp_request
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=21, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=318, state=4, num_pkts=4, num_bytes_ip=486, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.0 sec 39.0 msecs 682.865143 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 HELP, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = T
+                  [2] command: string    = AUTH
+                  [3] arg: string        = LOGIN
+
+1254722768.911081 smtp_reply
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=21, state=4, num_pkts=4, num_bytes_ip=189, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=336, state=4, num_pkts=4, num_bytes_ip=486, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.0 sec 382.0 msecs 35.017014 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 HELP, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = F
+                  [2] code: count        = 334
+                  [3] cmd: string        = AUTH
+                  [4] msg: string        = VXNlcm5hbWU6
+                  [5] cont_resp: bool    = F
+
+1254722768.911655 smtp_request
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=51, state=4, num_pkts=4, num_bytes_ip=189, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=336, state=4, num_pkts=5, num_bytes_ip=544, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.0 sec 382.0 msecs 608.890533 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 VXNlcm5hbWU6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = T
+                  [2] command: string    = **
+                  [3] arg: string        = Z3VycGFydGFwQHBhdHJpb3RzLmlu
+
+1254722769.253544 smtp_reply
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=51, state=4, num_pkts=5, num_bytes_ip=259, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=354, state=4, num_pkts=5, num_bytes_ip=544, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.0 sec 724.0 msecs 498.033524 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 VXNlcm5hbWU6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = F
+                  [2] code: count        = 334
+                  [3] cmd: string        = AUTH_ANSWER
+                  [4] msg: string        = UGFzc3dvcmQ6
+                  [5] cont_resp: bool    = F
+
+1254722769.254118 smtp_request
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=69, state=4, num_pkts=5, num_bytes_ip=259, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=354, state=4, num_pkts=6, num_bytes_ip=602, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.0 sec 725.0 msecs 71.907043 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 UGFzc3dvcmQ6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = T
+                  [2] command: string    = **
+                  [3] arg: string        = cHVuamFiQDEyMw==
+
+1254722769.613798 smtp_reply
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=69, state=4, num_pkts=6, num_bytes_ip=317, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=384, state=4, num_pkts=6, num_bytes_ip=602, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=2.0 secs 84.0 msecs 751.844406 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 UGFzc3dvcmQ6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = F
+                  [2] code: count        = 235
+                  [3] cmd: string        = AUTH_ANSWER
+                  [4] msg: string        = Authentication succeeded
+                  [5] cont_resp: bool    = F
+
+1254722769.614414 smtp_request
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=105, state=4, num_pkts=6, num_bytes_ip=317, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=384, state=4, num_pkts=7, num_bytes_ip=672, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=2.0 secs 85.0 msecs 367.918015 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=235 Authentication succeeded, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = T
+                  [2] command: string    = MAIL
+                  [3] arg: string        = FROM: <gurpartap@patriots.in>
+
+1254722769.956765 smtp_reply
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=105, state=4, num_pkts=7, num_bytes_ip=393, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=392, state=4, num_pkts=7, num_bytes_ip=672, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=2.0 secs 427.0 msecs 718.877792 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=235 Authentication succeeded, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = F
+                  [2] code: count        = 250
+                  [3] cmd: string        = MAIL
+                  [4] msg: string        = OK
+                  [5] cont_resp: bool    = F
+
+1254722769.957250 smtp_request
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=144, state=4, num_pkts=7, num_bytes_ip=393, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=392, state=4, num_pkts=8, num_bytes_ip=720, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=2.0 secs 428.0 msecs 204.059601 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 OK, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = T
+                  [2] command: string    = RCPT
+                  [3] arg: string        = TO: <raj_deol2002in@yahoo.co.in>
+
+1254722770.319708 smtp_reply
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=144, state=4, num_pkts=8, num_bytes_ip=472, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=406, state=4, num_pkts=8, num_bytes_ip=720, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=2.0 secs 790.0 msecs 662.050247 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 OK, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = F
+                  [2] code: count        = 250
+                  [3] cmd: string        = RCPT
+                  [4] msg: string        = Accepted
+                  [5] cont_resp: bool    = F
+
+1254722770.320203 smtp_request
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=150, state=4, num_pkts=8, num_bytes_ip=472, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=406, state=4, num_pkts=9, num_bytes_ip=774, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=2.0 secs 791.0 msecs 157.007217 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Accepted, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = T
+                  [2] command: string    = DATA
+                  [3] arg: string        = 
+
+1254722770.661679 smtp_reply
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=150, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=9, num_bytes_ip=774, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.0 secs 132.0 msecs 632.97081 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Accepted, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = F
+                  [2] code: count        = 354
+                  [3] cmd: string        = DATA
+                  [4] msg: string        = Enter message, ending with "." on a line by itself
+                  [5] cont_resp: bool    = F
+
+1254722771.858334 smtp_request
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=4.0 secs 329.0 msecs 288.005829 usecs, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[FmFp351N5nhsMmAfQg, Fqrb1K5DWEfgy4WU2, FEFYSd1s8Onn9LynKj]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = T
+                  [2] command: string    = .
+                  [3] arg: string        = .
+
+1254722772.248789 smtp_reply
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=24, num_bytes_ip=21507, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=490, state=4, num_pkts=21, num_bytes_ip=1310, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=4.0 secs 719.0 msecs 743.013382 usecs, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[FmFp351N5nhsMmAfQg, Fqrb1K5DWEfgy4WU2, FEFYSd1s8Onn9LynKj]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = F
+                  [2] code: count        = 250
+                  [3] cmd: string        = .
+                  [4] msg: string        = OK id=1Mugho-0003Dg-Un
+                  [5] cont_resp: bool    = F
+
+1254722774.763825 smtp_request
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=4, num_pkts=25, num_bytes_ip=21547, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=490, state=4, num_pkts=22, num_bytes_ip=1378, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=7.0 secs 234.0 msecs 778.881073 usecs, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1254722772.248789, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=<uninitialized>, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = T
+                  [2] command: string    = QUIT
+                  [3] arg: string        = 
+
+1254722775.105467 smtp_reply
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=5, num_pkts=27, num_bytes_ip=21633, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=538, state=4, num_pkts=22, num_bytes_ip=1378, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=7.0 secs 576.0 msecs 421.022415 usecs, service={\x0aSMTP\x0a}, history=ShAdDaTF, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1254722772.248789, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=<uninitialized>, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = F
+                  [2] code: count        = 221
+                  [3] cmd: string        = QUIT
+                  [4] msg: string        = xc90.websitewelcome.com closing connection
+                  [5] cont_resp: bool    = F
+
+1437831787.867142 smtp_reply
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=35, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=10.0 msecs 246.992111 usecs, service={\x0a\x0a}, history=ShAd, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = F
+                  [2] code: count        = 220
+                  [3] cmd: string        = >
+                  [4] msg: string        = uprise ESMTP SubEthaSMTP null
+                  [5] cont_resp: bool    = F
+
+1437831787.883306 smtp_request
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=3, num_bytes_ip=168, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=35, state=4, num_pkts=2, num_bytes_ip=147, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=26.0 msecs 411.056519 usecs, service={\x0aSMTP\x0a}, history=ShAdD, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 uprise ESMTP SubEthaSMTP null, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = T
+                  [2] command: string    = EHLO
+                  [3] arg: string        = [192.168.133.100]
+
+1437831787.886281 smtp_reply
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=4, num_bytes_ip=244, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=4, num_pkts=3, num_bytes_ip=199, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=29.0 msecs 386.043549 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 uprise ESMTP SubEthaSMTP null, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = F
+                  [2] code: count        = 250
+                  [3] cmd: string        = EHLO
+                  [4] msg: string        = uprise
+                  [5] cont_resp: bool    = T
+
+1437831787.886281 smtp_reply
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=4, num_bytes_ip=244, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=4, num_pkts=3, num_bytes_ip=199, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=29.0 msecs 386.043549 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 uprise, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = F
+                  [2] code: count        = 250
+                  [3] cmd: string        = EHLO
+                  [4] msg: string        = 8BITMIME
+                  [5] cont_resp: bool    = T
+
+1437831787.886281 smtp_reply
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=4, num_bytes_ip=244, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=4, num_pkts=3, num_bytes_ip=199, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=29.0 msecs 386.043549 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 8BITMIME, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = F
+                  [2] code: count        = 250
+                  [3] cmd: string        = EHLO
+                  [4] msg: string        = AUTH LOGIN
+                  [5] cont_resp: bool    = T
+
+1437831787.886281 smtp_reply
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=4, num_bytes_ip=244, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=4, num_pkts=3, num_bytes_ip=199, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=29.0 msecs 386.043549 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 AUTH LOGIN, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = F
+                  [2] code: count        = 250
+                  [3] cmd: string        = EHLO
+                  [4] msg: string        = Ok
+                  [5] cont_resp: bool    = F
+
+1437831787.887031 smtp_request
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=56, state=4, num_pkts=5, num_bytes_ip=296, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=4, num_pkts=4, num_bytes_ip=301, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=30.0 msecs 136.108398 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = T
+                  [2] command: string    = MAIL
+                  [3] arg: string        = FROM:<albert@example.com>
+
+1437831787.889785 smtp_reply
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=56, state=4, num_pkts=6, num_bytes_ip=380, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=93, state=4, num_pkts=4, num_bytes_ip=301, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=32.0 msecs 890.081406 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = F
+                  [2] code: count        = 250
+                  [3] cmd: string        = MAIL
+                  [4] msg: string        = Ok
+                  [5] cont_resp: bool    = F
+
+1437831787.890232 smtp_request
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=88, state=4, num_pkts=7, num_bytes_ip=432, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=93, state=4, num_pkts=5, num_bytes_ip=361, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=33.0 msecs 337.116241 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = T
+                  [2] command: string    = RCPT
+                  [3] arg: string        = TO:<ericlim220@yahoo.com>
+
+1437831787.892986 smtp_reply
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=88, state=4, num_pkts=8, num_bytes_ip=516, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=101, state=4, num_pkts=5, num_bytes_ip=361, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=36.0 msecs 91.089249 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0aericlim220@yahoo.com\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = F
+                  [2] code: count        = 250
+                  [3] cmd: string        = RCPT
+                  [4] msg: string        = Ok
+                  [5] cont_resp: bool    = F
+
+1437831787.893587 smtp_request
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=121, state=4, num_pkts=9, num_bytes_ip=568, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=101, state=4, num_pkts=6, num_bytes_ip=421, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=36.0 msecs 692.142487 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0aericlim220@yahoo.com\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = T
+                  [2] command: string    = RCPT
+                  [3] arg: string        = TO:<felica4uu@hotmail.com>
+
+1437831787.897624 smtp_reply
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=121, state=4, num_pkts=10, num_bytes_ip=653, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=109, state=4, num_pkts=6, num_bytes_ip=421, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=40.0 msecs 729.045868 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = F
+                  [2] code: count        = 250
+                  [3] cmd: string        = RCPT
+                  [4] msg: string        = Ok
+                  [5] cont_resp: bool    = F
+
+1437831787.898413 smtp_request
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=156, state=4, num_pkts=11, num_bytes_ip=705, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=109, state=4, num_pkts=7, num_bytes_ip=481, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=41.0 msecs 517.972946 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = T
+                  [2] command: string    = RCPT
+                  [3] arg: string        = TO:<davis_mark1@outlook.com>
+
+1437831787.901069 smtp_reply
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=156, state=4, num_pkts=12, num_bytes_ip=792, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=117, state=4, num_pkts=7, num_bytes_ip=481, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=44.0 msecs 173.955917 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com,\x0adavis_mark1@outlook.com\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = F
+                  [2] code: count        = 250
+                  [3] cmd: string        = RCPT
+                  [4] msg: string        = Ok
+                  [5] cont_resp: bool    = F
+
+1437831787.901697 smtp_request
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=162, state=4, num_pkts=13, num_bytes_ip=844, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=117, state=4, num_pkts=8, num_bytes_ip=541, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=44.0 msecs 801.950455 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com,\x0adavis_mark1@outlook.com\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = T
+                  [2] command: string    = DATA
+                  [3] arg: string        = 
+
+1437831787.904758 smtp_reply
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=162, state=4, num_pkts=14, num_bytes_ip=902, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=8, num_bytes_ip=541, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=47.0 msecs 863.006592 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com,\x0adavis_mark1@outlook.com\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = F
+                  [2] code: count        = 354
+                  [3] cmd: string        = DATA
+                  [4] msg: string        = End data with <CR><LF>.<CR><LF>
+                  [5] cont_resp: bool    = F
+
+1437831787.905375 smtp_request
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=48.0 msecs 480.033875 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com,\x0adavis_mark1@outlook.com\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits <albert@example.com>, to={\x0aericlim220@yahoo.com\x0a}, cc={\x0afelica4uu@hotmail.com,\x0adavis_mark1@outlook.com\x0a}, reply_to=<uninitialized>, msg_id=<A6202DF2-8E58-4E41-BE0B-C8D3989A4AEE@example.com>, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 End data with <CR><LF>.<CR><LF>, path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fc5KpS3kUYqDLwWSMf]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = T
+                  [2] command: string    = .
+                  [3] arg: string        = .
+
+1437831787.914113 smtp_reply
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=16, num_bytes_ip=1813, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=162, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=57.0 msecs 218.074799 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com,\x0adavis_mark1@outlook.com\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits <albert@example.com>, to={\x0aericlim220@yahoo.com\x0a}, cc={\x0afelica4uu@hotmail.com,\x0adavis_mark1@outlook.com\x0a}, reply_to=<uninitialized>, msg_id=<A6202DF2-8E58-4E41-BE0B-C8D3989A4AEE@example.com>, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 End data with <CR><LF>.<CR><LF>, path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fc5KpS3kUYqDLwWSMf]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = F
+                  [2] code: count        = 250
+                  [3] cmd: string        = .
+                  [4] msg: string        = Ok
+                  [5] cont_resp: bool    = F
+

testing/btest/Baseline/opt.pure-inlining/output

@@ -0,0 +1,10 @@
+non_recursiveA\x0a{ \x0areturn (x + (coerce 2 to double) * y);\x0a}
+non_recursiveB\x0a{ \x0areturn (x + (coerce 3 to double) * non_recursiveA(y, x));\x0a}
+recursive\x0a{ \x0aif (0 < n) \x0a\x09return (recursive(n - 1, k + 1) * n);\x0aelse\x0a\x09return (k);\x0a\x0a}
+mutually_recursiveA\x0a{ \x0aif (0 < n) \x0a\x09return (mutually_recursiveB(n - 1, k + 1) * n);\x0aelse\x0a\x09return (k);\x0a\x0a}
+mutually_recursiveB\x0a{ \x0areturn (mutually_recursiveA(n, k + 1));\x0a}
+my_handler\x0a{ \x0aprint inline((coerce -3 to double), (coerce 2 to double)){{ \x0areturn (x + (coerce 2 to double) * y);\x0a}};\x0aprint inline((coerce -3 to double), (coerce 2 to double)){{ \x0areturn (x + (coerce 3 to double) * inline(y, x){{ \x0areturn (x + (coerce 2 to double) * y);\x0a}});\x0a}};\x0aprint recursive(5, 7);\x0aprint mutually_recursiveA(6, 4);\x0a}
+1.0
+-15.0
+1440
+11520

testing/btest/btest.cfg

@@ -32,3 +32,37 @@ ZEEK_DISABLE_ZEEKYGEN=1
 ZEEK_ALLOW_INIT_ERRORS=1
 ZEEK_SUPERVISOR_NO_SIGKILL=1
 UBSAN_OPTIONS=print_stacktrace=1
+
+[environment-AST-dup]
+# Environment for testing AST duplication functionality, which is
+# needed for script optimization but isn't otherwise exercised.
+#
+# 5 tests differ, for the following reasons:
+#
+# language.deprecated
+#	Some deprecation messages get reported multiple times, first when
+#	constructing the original AST node, and then when duplicating it.
+#
+# scripts.base.frameworks.input.reread
+# plugins.hooks
+#	When lambdas are duplicated they get a new UID, which differs
+#	from the original.
+#
+# broker.store.invalid-handle
+#	Line numbers in some error messages differ.  The duplicated
+#	ones are "wider" (entire function) than the originals.  Most
+#	such differences have been already fixed; this one is a bit
+#	puzzling, but doesn't seem worth trying to fix.
+#
+# coverage.zeek-profiler-file
+#	Not sure what's going on here, but best guess the problem is
+#	that the coverage tracking is looking for execution of the
+#	original statements and is not able to associate the duplicated
+#	statements with these.  Doesn't seem worth trying to fix.
+#
+ZEEK_DUPLICATE_ASTS=1
+BTEST_BASELINE_DIR=%(testbase)s/Baseline.dup:%(testbase)s/Baseline
+
+[environment-inline]
+ZEEK_INLINE=1
+BTEST_BASELINE_DIR=%(testbase)s/Baseline.inline:%(testbase)s/Baseline

testing/btest/opt/pure-inlining.zeek

@@ -0,0 +1,67 @@
+# @TEST-EXEC: zeek -b -O inline %INPUT >output
+# @TEST-EXEC: btest-diff output
+
+# Tests pure inlining of scripts (no other optimization/compilation used).
+# The non-recursive functions should be (recursively!) inlined into the
+# body of my_handler, while neither the directly-recursive nor the
+# mutually recursive ones should be.  We print out each function body
+# in its transformed form (format %S) to test this.
+
+function non_recursiveA(x: double, y: double): double
+	{
+	return x + 2 * y;
+	}
+
+function non_recursiveB(x: double, y: double): double
+	{
+	# When printed, this function's body will *not* indicate inlining,
+	# because this function is itself inlined (and thus will not be
+	# called directly, so we avoid the work of inlining it itself).
+	#
+	# We reverse arguments in the call to make sure that parameters get
+	# correctly assigned when executing inlined blocks.
+	return x + non_recursiveA(y, x) * 3;
+	}
+
+function recursive(n: count, k: count): count
+	{
+	if ( n > 0 )
+		return n * recursive(n-1, k + 1);
+	else
+		return k;
+	}
+
+global mutually_recursiveB: function(n: count, k: count): count;
+
+function mutually_recursiveA(n: count, k: count): count
+	{
+	if ( n > 0 )
+		return n * mutually_recursiveB(n-1, k + 1);
+	else
+		return k;
+	}
+
+function mutually_recursiveB(n: count, k: count): count
+	{
+	return mutually_recursiveA(n, k + 1);
+	}
+
+event my_handler()
+	{
+	print non_recursiveA(-3, 2);
+	print non_recursiveB(-3, 2);
+	print recursive(5, 7);
+	print mutually_recursiveA(6, 4);
+	}
+
+event zeek_init()
+	{
+	print fmt("%S", non_recursiveA);
+	print fmt("%S", non_recursiveB);
+	print fmt("%S", recursive);
+	print fmt("%S", mutually_recursiveA);
+	print fmt("%S", mutually_recursiveB);
+	print fmt("%S", my_handler);
+
+	event my_handler();
+	}

testing/btest/scripts/base/frameworks/file-analysis/bifs/file_exists_lookup_file.zeek

@@ -6,6 +6,9 @@
 event zeek_init()
 	{
 	print "This should fail but not crash";
+	# The following produces a run-time warning, "non-void function
+	# returning without a value" ... but not when inlined, since then
+	# there's no call to a script function occurring.
 	print Files::lookup_file("asdf");
 
 	print "This should return F";