Merge remote-tracking branch 'origin/topic/timw/open-dict'

* origin/topic/timw/open-dict: (40 commits) Move Dict constants to detail namespace Add a few missing deprecation fixes Adjust Dict whitespace/style Adjust more btest timings Improve termination reliability/speed for brokerstore btests General btest cleanup Update NEWS about change in Dictionary implementation Improve Intel expire-item btest to be less time-sensitive Improve btests with unstable table/set output ordering Update doc submodule Adjust a few btests that were unstable due to time-sensitivity Fix DNS script deleting a table element while iterating Improve a brokerstore btest to filter out Broker connection messages Sort output of a few SumStats cluster tests Fix extract_first_email_addr() to really return the first email Add find_all_ordered() BIF Extend external test suite canonifier with set-sorting logic Update btests/baselines for OpenDict compat Fix new/malloc/delete/free mismatches in Dictionary code Add explanation for a Dict TODO item ...
2025-10-07 17:18:20 +00:00 · 2020-08-11 11:34:17 -07:00 · 2020-08-11 11:34:17 -07:00 · c6e7d14757
commit c6e7d14757
parent 6e7ff1e980 47f3eb69fa
551 changed files with 5191 additions and 4046 deletions
--- a/testing/btest/scripts/base/protocols/arp/bad.test
+++ b/testing/btest/scripts/base/protocols/arp/bad.test
@ -1,4 +1,4 @@
-# @TEST-EXEC: zeek -r $TRACES/arp-leak.pcap %INPUT
+# @TEST-EXEC: zeek -b -r $TRACES/arp-leak.pcap %INPUT
 # @TEST-EXEC: btest-diff .stdout

 event arp_request(mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string)
--- a/testing/btest/scripts/base/protocols/arp/basic.test
+++ b/testing/btest/scripts/base/protocols/arp/basic.test
@ -1,4 +1,4 @@
-# @TEST-EXEC: zeek -r $TRACES/arp-who-has.pcap %INPUT
+# @TEST-EXEC: zeek -b -r $TRACES/arp-who-has.pcap %INPUT
 # @TEST-EXEC: btest-diff .stdout

 event arp_request(mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string)
--- a/testing/btest/scripts/base/protocols/arp/radiotap.test
+++ b/testing/btest/scripts/base/protocols/arp/radiotap.test
@ -1,4 +1,4 @@
-# @TEST-EXEC: zeek -r $TRACES/arp-who-has-radiotap.pcap %INPUT
+# @TEST-EXEC: zeek -b -r $TRACES/arp-who-has-radiotap.pcap %INPUT
 # @TEST-EXEC: btest-diff .stdout

 event arp_request(mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string)
--- a/testing/btest/scripts/base/protocols/arp/wlanmon.test
+++ b/testing/btest/scripts/base/protocols/arp/wlanmon.test
@ -1,4 +1,4 @@
-# @TEST-EXEC: zeek -r $TRACES/arp-who-has-wlanmon.pcap %INPUT
+# @TEST-EXEC: zeek -b -r $TRACES/arp-who-has-wlanmon.pcap %INPUT
 # @TEST-EXEC: btest-diff .stdout

 event arp_request(mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string)
--- a/testing/btest/scripts/base/protocols/conn/contents-default-extract.test
+++ b/testing/btest/scripts/base/protocols/conn/contents-default-extract.test
@ -1,3 +1,3 @@
-# @TEST-EXEC: zeek -f "tcp port 21" -r $TRACES/ftp/ipv6.trace "Conn::default_extract=T"
+# @TEST-EXEC: zeek -b -f "tcp port 21" -r $TRACES/ftp/ipv6.trace base/protocols/conn "Conn::default_extract=T"
 # @TEST-EXEC: btest-diff contents_[2001:470:1f11:81f:c999:d94:aa7c:2e3e]:49185-[2001:470:4867:99::21]:21_orig.dat
 # @TEST-EXEC: btest-diff contents_[2001:470:1f11:81f:c999:d94:aa7c:2e3e]:49185-[2001:470:4867:99::21]:21_resp.dat
--- a/testing/btest/scripts/base/protocols/conn/new_connection_contents.zeek
+++ b/testing/btest/scripts/base/protocols/conn/new_connection_contents.zeek
@ -1,4 +1,4 @@
-# @TEST-EXEC: zeek -r $TRACES/irc-dcc-send.trace %INPUT
+# @TEST-EXEC: zeek -b -r $TRACES/irc-dcc-send.trace %INPUT
 # @TEST-EXEC: btest-diff .stdout

 event new_connection_contents(c: connection)
--- a/testing/btest/scripts/base/protocols/conn/threshold-delete.zeek
+++ b/testing/btest/scripts/base/protocols/conn/threshold-delete.zeek
@ -1,9 +1,11 @@
-# @TEST-EXEC: zeek -r $TRACES/irc-dcc-send.trace %INPUT
+# @TEST-EXEC: zeek -b -r $TRACES/irc-dcc-send.trace %INPUT
 # @TEST-EXEC: btest-diff .stdout
 # @TEST-EXEC: btest-diff .stderr
 #
 # This tests that no events are raised once all thresholds have been deleted.

+@load base/protocols/conn
+
 event connection_established(c: connection)
 	{
 	ConnThreshold::set_bytes_threshold(c, 1, T);
--- a/testing/btest/scripts/base/protocols/conn/threshold.zeek
+++ b/testing/btest/scripts/base/protocols/conn/threshold.zeek
@ -1,6 +1,8 @@
-# @TEST-EXEC: zeek -r $TRACES/irc-dcc-send.trace %INPUT
+# @TEST-EXEC: zeek -b -r $TRACES/irc-dcc-send.trace %INPUT
 # @TEST-EXEC: btest-diff .stdout

+@load base/protocols/conn
+
 event connection_established(c: connection)
 	{
 	print fmt("Threshold set for %s", cat(c$id));
--- a/testing/btest/scripts/base/protocols/dhcp/dhcp-ack-msg-types.btest
+++ b/testing/btest/scripts/base/protocols/dhcp/dhcp-ack-msg-types.btest
@ -2,5 +2,7 @@
 # The trace has a message of each DHCP message type,
 # but only one lease should show up in the logs.

-# @TEST-EXEC: zeek -r $TRACES/dhcp/dhcp_ack_subscriber_id_and_agent_remote_id.trace %INPUT
+# @TEST-EXEC: zeek -b -r $TRACES/dhcp/dhcp_ack_subscriber_id_and_agent_remote_id.trace %INPUT
 # @TEST-EXEC: btest-diff dhcp.log
+
+@load base/protocols/dhcp
--- a/testing/btest/scripts/base/protocols/dhcp/dhcp-all-msg-types.btest
+++ b/testing/btest/scripts/base/protocols/dhcp/dhcp-all-msg-types.btest
@ -2,5 +2,7 @@
 # The trace has a message of each DHCP message type,
 # but only one lease should show up in the logs.

-# @TEST-EXEC: zeek -r $TRACES/dhcp/dhcp.trace %INPUT
+# @TEST-EXEC: zeek -b -r $TRACES/dhcp/dhcp.trace %INPUT
 # @TEST-EXEC: btest-diff dhcp.log
+
+@load base/protocols/dhcp
--- a/testing/btest/scripts/base/protocols/dhcp/dhcp-discover-msg-types.btest
+++ b/testing/btest/scripts/base/protocols/dhcp/dhcp-discover-msg-types.btest
@ -2,5 +2,7 @@
 # The trace has a message of each DHCP message type,
 # but only one lease should show up in the logs.

-# @TEST-EXEC: zeek -r $TRACES/dhcp/dhcp_discover_param_req_and_client_id.trace %INPUT
+# @TEST-EXEC: zeek -b -r $TRACES/dhcp/dhcp_discover_param_req_and_client_id.trace %INPUT
 # @TEST-EXEC: btest-diff dhcp.log
+
+@load base/protocols/dhcp
--- a/testing/btest/scripts/base/protocols/dhcp/dhcp-sub-opts.btest
+++ b/testing/btest/scripts/base/protocols/dhcp/dhcp-sub-opts.btest
@ -1,2 +1,4 @@
-# @TEST-EXEC: zeek -r $TRACES/dhcp/dhcp_ack_subscriber_id_and_agent_remote_id.trace %INPUT protocols/dhcp/sub-opts
+# @TEST-EXEC: zeek -b -r $TRACES/dhcp/dhcp_ack_subscriber_id_and_agent_remote_id.trace %INPUT protocols/dhcp/sub-opts
 # @TEST-EXEC: btest-diff dhcp.log
+
+@load base/protocols/dhcp
--- a/testing/btest/scripts/base/protocols/dhcp/inform.test
+++ b/testing/btest/scripts/base/protocols/dhcp/inform.test
@ -1,5 +1,7 @@
 # DHCPINFORM leases are special-cased in the code.
 # This tests that those leases are correctly logged.

-# @TEST-EXEC: zeek -r $TRACES/dhcp/dhcp_inform.trace %INPUT
+# @TEST-EXEC: zeek -b -r $TRACES/dhcp/dhcp_inform.trace %INPUT
 # @TEST-EXEC: btest-diff dhcp.log
+
+@load base/protocols/dhcp
--- a/testing/btest/scripts/base/protocols/dnp3/dnp3_del_measure.zeek
+++ b/testing/btest/scripts/base/protocols/dnp3/dnp3_del_measure.zeek
@ -1,5 +1,5 @@
 #
-# @TEST-EXEC: zeek -r $TRACES/dnp3/dnp3_del_measure.pcap %DIR/events.zeek >output
+# @TEST-EXEC: zeek -b -r $TRACES/dnp3/dnp3_del_measure.pcap %DIR/events.zeek >output
 # @TEST-EXEC: btest-diff output
 # @TEST-EXEC: cat output | awk '{print $1}' | sort | uniq | wc -l >covered
 # @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/dnp3/events.bif  | grep "^event dnp3_" | wc -l >total
--- a/testing/btest/scripts/base/protocols/dnp3/dnp3_en_spon.zeek
+++ b/testing/btest/scripts/base/protocols/dnp3/dnp3_en_spon.zeek
@ -1,5 +1,5 @@
 #
-# @TEST-EXEC: zeek -r $TRACES/dnp3/dnp3_en_spon.pcap %DIR/events.zeek >output
+# @TEST-EXEC: zeek -b -r $TRACES/dnp3/dnp3_en_spon.pcap %DIR/events.zeek >output
 # @TEST-EXEC: btest-diff output
 # @TEST-EXEC: cat output | awk '{print $1}' | sort | uniq | wc -l >covered
 # @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/dnp3/events.bif  | grep "^event dnp3_" | wc -l >total
--- a/testing/btest/scripts/base/protocols/dnp3/dnp3_file_del.zeek
+++ b/testing/btest/scripts/base/protocols/dnp3/dnp3_file_del.zeek
@ -1,5 +1,5 @@
 #
-# @TEST-EXEC: zeek -r $TRACES/dnp3/dnp3_file_del.pcap %DIR/events.zeek >output
+# @TEST-EXEC: zeek -b -r $TRACES/dnp3/dnp3_file_del.pcap %DIR/events.zeek >output
 # @TEST-EXEC: btest-diff output
 # @TEST-EXEC: cat output | awk '{print $1}' | sort | uniq | wc -l >covered
 # @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/dnp3/events.bif  | grep "^event dnp3_" | wc -l >total
--- a/testing/btest/scripts/base/protocols/dnp3/dnp3_file_read.zeek
+++ b/testing/btest/scripts/base/protocols/dnp3/dnp3_file_read.zeek
@ -1,5 +1,5 @@
 #
-# @TEST-EXEC: zeek -r $TRACES/dnp3/dnp3_file_read.pcap %DIR/events.zeek >output
+# @TEST-EXEC: zeek -b -r $TRACES/dnp3/dnp3_file_read.pcap %DIR/events.zeek >output
 # @TEST-EXEC: btest-diff output
 # @TEST-EXEC: cat output | awk '{print $1}' | sort | uniq | wc -l >covered
 # @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/dnp3/events.bif  | grep "^event dnp3_" | wc -l >total
--- a/testing/btest/scripts/base/protocols/dnp3/dnp3_file_write.zeek
+++ b/testing/btest/scripts/base/protocols/dnp3/dnp3_file_write.zeek
@ -1,5 +1,5 @@
 #
-# @TEST-EXEC: zeek -r $TRACES/dnp3/dnp3_file_write.pcap %DIR/events.zeek >output
+# @TEST-EXEC: zeek -b -r $TRACES/dnp3/dnp3_file_write.pcap %DIR/events.zeek >output
 # @TEST-EXEC: btest-diff output
 # @TEST-EXEC: cat output | awk '{print $1}' | sort | uniq | wc -l >covered
 # @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/dnp3/events.bif  | grep "^event dnp3_" | wc -l >total
--- a/testing/btest/scripts/base/protocols/dnp3/dnp3_link_only.zeek
+++ b/testing/btest/scripts/base/protocols/dnp3/dnp3_link_only.zeek
@ -1,5 +1,5 @@
 #
-# @TEST-EXEC: zeek -C -r $TRACES/dnp3/dnp3_link_only.pcap %DIR/events.zeek >output
+# @TEST-EXEC: zeek -b -C -r $TRACES/dnp3/dnp3_link_only.pcap %DIR/events.zeek >output
 # @TEST-EXEC: btest-diff output
 # @TEST-EXEC: cat output | awk '{print $1}' | sort | uniq | wc -l >covered
 # @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/dnp3/events.bif  | grep "^event dnp3_" | wc -l >total
--- a/testing/btest/scripts/base/protocols/dnp3/dnp3_read.zeek
+++ b/testing/btest/scripts/base/protocols/dnp3/dnp3_read.zeek
@ -1,5 +1,5 @@
 #
-# @TEST-EXEC: zeek -r $TRACES/dnp3/dnp3_read.pcap %DIR/events.zeek >output
+# @TEST-EXEC: zeek -b -r $TRACES/dnp3/dnp3_read.pcap %DIR/events.zeek >output
 # @TEST-EXEC: btest-diff output
 # @TEST-EXEC: cat output | awk '{print $1}' | sort | uniq | wc -l >covered
 # @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/dnp3/events.bif  | grep "^event dnp3_" | wc -l >total
--- a/testing/btest/scripts/base/protocols/dnp3/dnp3_rec_time.zeek
+++ b/testing/btest/scripts/base/protocols/dnp3/dnp3_rec_time.zeek
@ -1,5 +1,5 @@
 #
-# @TEST-EXEC: zeek -r $TRACES/dnp3/dnp3_rec_time.pcap %DIR/events.zeek >output
+# @TEST-EXEC: zeek -b -r $TRACES/dnp3/dnp3_rec_time.pcap %DIR/events.zeek >output
 # @TEST-EXEC: btest-diff output
 # @TEST-EXEC: cat output | awk '{print $1}' | sort | uniq | wc -l >covered
 # @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/dnp3/events.bif  | grep "^event dnp3_" | wc -l >total
--- a/testing/btest/scripts/base/protocols/dnp3/dnp3_select_operate.zeek
+++ b/testing/btest/scripts/base/protocols/dnp3/dnp3_select_operate.zeek
@ -1,5 +1,5 @@
 #
-# @TEST-EXEC: zeek -r $TRACES/dnp3/dnp3_select_operate.pcap %DIR/events.zeek >output
+# @TEST-EXEC: zeek -b -r $TRACES/dnp3/dnp3_select_operate.pcap %DIR/events.zeek >output
 # @TEST-EXEC: btest-diff output
 # @TEST-EXEC: cat output | awk '{print $1}' | sort | uniq | wc -l >covered
 # @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/dnp3/events.bif  | grep "^event dnp3_" | wc -l >total
--- a/testing/btest/scripts/base/protocols/dnp3/dnp3_udp_en_spon.zeek
+++ b/testing/btest/scripts/base/protocols/dnp3/dnp3_udp_en_spon.zeek
@ -1,5 +1,5 @@
 #
-# @TEST-EXEC: zeek -r $TRACES/dnp3/dnp3_udp_en_spon.pcap %DIR/events.zeek >output
+# @TEST-EXEC: zeek -b -r $TRACES/dnp3/dnp3_udp_en_spon.pcap %DIR/events.zeek >output
 # @TEST-EXEC: btest-diff output
 # @TEST-EXEC: cat output | awk '{print $1}' | sort | uniq | wc -l >covered
 # @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/dnp3/events.bif  | grep "^event dnp3_" | wc -l >total
--- a/testing/btest/scripts/base/protocols/dnp3/dnp3_udp_read.zeek
+++ b/testing/btest/scripts/base/protocols/dnp3/dnp3_udp_read.zeek
@ -1,5 +1,5 @@
 #
-# @TEST-EXEC: zeek -r $TRACES/dnp3/dnp3_udp_read.pcap %DIR/events.zeek >output
+# @TEST-EXEC: zeek -b -r $TRACES/dnp3/dnp3_udp_read.pcap %DIR/events.zeek >output
 # @TEST-EXEC: btest-diff output
 # @TEST-EXEC: cat output | awk '{print $1}' | sort | uniq | wc -l >covered
 # @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/dnp3/events.bif  | grep "^event dnp3_" | wc -l >total
--- a/testing/btest/scripts/base/protocols/dnp3/dnp3_udp_select_operate.zeek
+++ b/testing/btest/scripts/base/protocols/dnp3/dnp3_udp_select_operate.zeek
@ -1,5 +1,5 @@
 #
-# @TEST-EXEC: zeek -r $TRACES/dnp3/dnp3_udp_select_operate.pcap %DIR/events.zeek >output
+# @TEST-EXEC: zeek -b -r $TRACES/dnp3/dnp3_udp_select_operate.pcap %DIR/events.zeek >output
 # @TEST-EXEC: btest-diff output
 # @TEST-EXEC: cat output | awk '{print $1}' | sort | uniq | wc -l >covered
 # @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/dnp3/events.bif  | grep "^event dnp3_" | wc -l >total
--- a/testing/btest/scripts/base/protocols/dnp3/dnp3_udp_write.zeek
+++ b/testing/btest/scripts/base/protocols/dnp3/dnp3_udp_write.zeek
@ -1,5 +1,5 @@
 #
-# @TEST-EXEC: zeek -r $TRACES/dnp3/dnp3_udp_write.pcap %DIR/events.zeek >output
+# @TEST-EXEC: zeek -b -r $TRACES/dnp3/dnp3_udp_write.pcap %DIR/events.zeek >output
 # @TEST-EXEC: btest-diff output
 # @TEST-EXEC: cat output | awk '{print $1}' | sort | uniq | wc -l >covered
 # @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/dnp3/events.bif  | grep "^event dnp3_" | wc -l >total
--- a/testing/btest/scripts/base/protocols/dnp3/dnp3_write.zeek
+++ b/testing/btest/scripts/base/protocols/dnp3/dnp3_write.zeek
@ -1,5 +1,5 @@
 #
-# @TEST-EXEC: zeek -r $TRACES/dnp3/dnp3_write.pcap %DIR/events.zeek >output
+# @TEST-EXEC: zeek -b -r $TRACES/dnp3/dnp3_write.pcap %DIR/events.zeek >output
 # @TEST-EXEC: btest-diff output
 # @TEST-EXEC: cat output | awk '{print $1}' | sort | uniq | wc -l >covered
 # @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/dnp3/events.bif  | grep "^event dnp3_" | wc -l >total
--- a/testing/btest/scripts/base/protocols/dnp3/events.zeek
+++ b/testing/btest/scripts/base/protocols/dnp3/events.zeek
@ -1,5 +1,5 @@
 #
-# @TEST-EXEC: zeek -r $TRACES/dnp3/dnp3.trace %INPUT >output
+# @TEST-EXEC: zeek -b -r $TRACES/dnp3/dnp3.trace %INPUT >output
 # @TEST-EXEC: btest-diff output
 # @TEST-EXEC: cat output | awk '{print $1}' | sort | uniq | wc -l >covered
 # @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/dnp3/events.bif  | grep "^event dnp3_" | wc -l >total
@ -7,6 +7,8 @@
 # @TEST-EXEC: btest-diff coverage
 # @TEST-EXEC: btest-diff dnp3.log
 #
+@load base/protocols/dnp3
+
 event dnp3_application_request_header(c: connection, is_orig: bool, application_control: count, fc: count)
 	{
 	print "dnp3_application_request_header", is_orig, application_control, fc;
--- a/testing/btest/scripts/base/protocols/dns/caa.zeek
+++ b/testing/btest/scripts/base/protocols/dns/caa.zeek
@ -1,6 +1,8 @@
-# @TEST-EXEC: zeek -r $TRACES/dns-caa.pcap %INPUT
+# @TEST-EXEC: zeek -b -r $TRACES/dns-caa.pcap %INPUT
 # @TEST-EXEC: btest-diff .stdout

+@load base/protocols/dns
+
 event dns_CAA_reply(c: connection, msg: dns_msg, ans: dns_answer, flags: count, tag: string, value: string)
 	{
 	print flags,tag,value;
--- a/testing/btest/scripts/base/protocols/dns/dns-edns-ecs.zeek
+++ b/testing/btest/scripts/base/protocols/dns/dns-edns-ecs.zeek
@ -1,8 +1,8 @@
-# @TEST-EXEC: zeek -C -r $TRACES/dns-edns-ecs.pcap %INPUT > output
+# @TEST-EXEC: zeek -b -C -r $TRACES/dns-edns-ecs.pcap %INPUT > output
 # @TEST-EXEC: btest-diff output

@load policy/protocols/dns/auth-addl

 event dns_EDNS_ecs(c: connection, msg: dns_msg, opt: dns_edns_ecs) {
 	print opt;
-}
+}
--- a/testing/btest/scripts/base/protocols/dns/dns-key.zeek
+++ b/testing/btest/scripts/base/protocols/dns/dns-key.zeek
@ -1,4 +1,4 @@
 # Making sure DNSKEY gets logged as such.
 #
-# @TEST-EXEC: zeek -r $TRACES/dnssec/dnskey2.pcap
+# @TEST-EXEC: zeek -b -r $TRACES/dnssec/dnskey2.pcap base/protocols/dns
 # @TEST-EXEC: btest-diff dns.log
--- a/testing/btest/scripts/base/protocols/dns/dnskey.zeek
+++ b/testing/btest/scripts/base/protocols/dns/dnskey.zeek
@ -1,8 +1,8 @@
-# @TEST-EXEC: zeek -C -r $TRACES/dnssec/dnskey.pcap %INPUT > output
+# @TEST-EXEC: zeek -b -C -r $TRACES/dnssec/dnskey.pcap %INPUT > output
 # @TEST-EXEC: btest-diff dns.log
 # @TEST-EXEC: btest-diff output

-#@load policy/protocols/dns/auth-addl
+@load base/protocols/dns

 event dns_RRSIG(c: connection, msg: dns_msg, ans: dns_answer, rrsig: dns_rrsig_rr)
 	{
--- a/testing/btest/scripts/base/protocols/dns/ds.zeek
+++ b/testing/btest/scripts/base/protocols/dns/ds.zeek
@ -1,8 +1,8 @@
-# @TEST-EXEC: zeek -C -r $TRACES/dnssec/ds.pcap %INPUT > output
+# @TEST-EXEC: zeek -b -C -r $TRACES/dnssec/ds.pcap %INPUT > output
 # @TEST-EXEC: btest-diff dns.log
 # @TEST-EXEC: btest-diff output

-#@load policy/protocols/dns/auth-addl
+@load base/protocols/dns

 event dns_RRSIG(c: connection, msg: dns_msg, ans: dns_answer, rrsig: dns_rrsig_rr)
 	{
--- a/testing/btest/scripts/base/protocols/dns/duplicate-reponses.zeek
+++ b/testing/btest/scripts/base/protocols/dns/duplicate-reponses.zeek
@ -1,4 +1,4 @@
 # This tests the case where the DNS server responded with zero RRs.
 #
-# @TEST-EXEC: zeek -r $TRACES/dns-two-responses.trace
+# @TEST-EXEC: zeek -b -r $TRACES/dns-two-responses.trace base/protocols/dns
 # @TEST-EXEC: btest-diff dns.log
--- a/testing/btest/scripts/base/protocols/dns/flip.zeek
+++ b/testing/btest/scripts/base/protocols/dns/flip.zeek
@ -1,3 +1,3 @@
-# @TEST-EXEC: zeek -r $TRACES/dns53.pcap
+# @TEST-EXEC: zeek -b -r $TRACES/dns53.pcap base/protocols/dns
 # @TEST-EXEC: btest-diff dns.log
 # If the DNS reply is seen first, should be able to correctly set orig/resp.
--- a/testing/btest/scripts/base/protocols/dns/huge-ttl.zeek
+++ b/testing/btest/scripts/base/protocols/dns/huge-ttl.zeek
@ -1,6 +1,8 @@
-# @TEST-EXEC: zeek -r $TRACES/dns-huge-ttl.pcap %INPUT
+# @TEST-EXEC: zeek -b -r $TRACES/dns-huge-ttl.pcap %INPUT
 # @TEST-EXEC: btest-diff .stdout

+@load base/protocols/dns
+
 event dns_A_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr)
 	{
 	print ans;
--- a/testing/btest/scripts/base/protocols/dns/multiple-txt-strings.zeek
+++ b/testing/btest/scripts/base/protocols/dns/multiple-txt-strings.zeek
@ -1,4 +1,4 @@
 # This tests the case where the DNS server responded with zero RRs.
 #
-# @TEST-EXEC: zeek -r $TRACES/dns-txt-multiple.trace
+# @TEST-EXEC: zeek -b -r $TRACES/dns-txt-multiple.trace base/protocols/dns
 # @TEST-EXEC: btest-diff dns.log
--- a/testing/btest/scripts/base/protocols/dns/nsec.zeek
+++ b/testing/btest/scripts/base/protocols/dns/nsec.zeek
@ -1,4 +1,4 @@
-# @TEST-EXEC: zeek -C -r $TRACES/dnssec/nsec.pcap %INPUT > output
+# @TEST-EXEC: zeek -b -C -r $TRACES/dnssec/nsec.pcap %INPUT > output
 # @TEST-EXEC: btest-diff dns.log
 # @TEST-EXEC: btest-diff output

--- a/testing/btest/scripts/base/protocols/dns/nsec3.zeek
+++ b/testing/btest/scripts/base/protocols/dns/nsec3.zeek
@ -1,4 +1,4 @@
-# @TEST-EXEC: zeek -C -r $TRACES/dnssec/nsec3.pcap %INPUT > output
+# @TEST-EXEC: zeek -b -C -r $TRACES/dnssec/nsec3.pcap %INPUT > output
 # @TEST-EXEC: btest-diff dns.log
 # @TEST-EXEC: btest-diff output

--- a/testing/btest/scripts/base/protocols/dns/rrsig.zeek
+++ b/testing/btest/scripts/base/protocols/dns/rrsig.zeek
@ -1,8 +1,8 @@
-# @TEST-EXEC: zeek -C -r $TRACES/dnssec/rrsig.pcap %INPUT > output
+# @TEST-EXEC: zeek -b -C -r $TRACES/dnssec/rrsig.pcap %INPUT > output
 # @TEST-EXEC: btest-diff dns.log
 # @TEST-EXEC: btest-diff output

-#@load policy/protocols/dns/auth-addl
+@load base/protocols/dns

 event dns_RRSIG(c: connection, msg: dns_msg, ans: dns_answer, rrsig: dns_rrsig_rr)
 	{
--- a/testing/btest/scripts/base/protocols/dns/tsig.zeek
+++ b/testing/btest/scripts/base/protocols/dns/tsig.zeek
@ -1,6 +1,8 @@
-# @TEST-EXEC: zeek -r $TRACES/dns-tsig.trace %INPUT >out
+# @TEST-EXEC: zeek -b -r $TRACES/dns-tsig.trace %INPUT >out
 # @TEST-EXEC: btest-diff out

+@load base/protocols/dns
+
 redef dns_skip_all_addl = F;

 event dns_TSIG_addl(c: connection, msg: dns_msg, ans: dns_tsig_additional)
--- a/testing/btest/scripts/base/protocols/dns/zero-responses.zeek
+++ b/testing/btest/scripts/base/protocols/dns/zero-responses.zeek
@ -1,4 +1,4 @@
 # This tests the case where the DNS server responded with zero RRs.
 #
-# @TEST-EXEC: zeek -r $TRACES/dns-zero-RRs.trace
-# @TEST-EXEC: btest-diff dns.log
+# @TEST-EXEC: zeek -b -r $TRACES/dns-zero-RRs.trace base/protocols/dns
+# @TEST-EXEC: btest-diff dns.log
--- a/testing/btest/scripts/base/protocols/ftp/bad-adat-encoding.zeek
+++ b/testing/btest/scripts/base/protocols/ftp/bad-adat-encoding.zeek
@ -1,2 +1,5 @@
-# @TEST-EXEC: zeek -C -r $TRACES/globus-url-copy-bad-encoding.trace %INPUT
+# @TEST-EXEC: zeek -b -C -r $TRACES/globus-url-copy-bad-encoding.trace %INPUT
 # @TEST-EXEC: btest-diff weird.log
+
+@load base/protocols/ftp
+@load base/frameworks/notice/weird
--- a/testing/btest/scripts/base/protocols/ftp/cwd-navigation.zeek
+++ b/testing/btest/scripts/base/protocols/ftp/cwd-navigation.zeek
@ -1,8 +1,12 @@
-# @TEST-EXEC: zeek -r $TRACES/ftp/cwd-navigation.pcap >output.log %INPUT
+# @TEST-EXEC: zeek -b -r $TRACES/ftp/cwd-navigation.pcap >output.log %INPUT
 # @TEST-EXEC: btest-diff conn.log
 # @TEST-EXEC: btest-diff ftp.log
 # @TEST-EXEC: btest-diff output.log

+@load base/protocols/conn
+@load base/protocols/ftp
+@load base/frameworks/dpd
+
 # Make sure we're tracking the CWD correctly.
 event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool) &priority=10
 	{
--- a/testing/btest/scripts/base/protocols/ftp/ftp-get-file-size.zeek
+++ b/testing/btest/scripts/base/protocols/ftp/ftp-get-file-size.zeek
@ -1,5 +1,7 @@
 # This tests extracting the server reported file size 
 # from FTP sessions.
 #
-# @TEST-EXEC: zeek -r $TRACES/ftp/ftp-with-numbers-in-filename.pcap
+# @TEST-EXEC: zeek -b -r $TRACES/ftp/ftp-with-numbers-in-filename.pcap %INPUT
 # @TEST-EXEC: btest-diff ftp.log
+
+@load base/protocols/ftp
--- a/testing/btest/scripts/base/protocols/ftp/ftp-ipv4.zeek
+++ b/testing/btest/scripts/base/protocols/ftp/ftp-ipv4.zeek
@ -1,6 +1,9 @@
 # This tests both active and passive FTP over IPv4.
 #
-# @TEST-EXEC: zeek -r $TRACES/ftp/ipv4.trace
+# @TEST-EXEC: zeek -b -r $TRACES/ftp/ipv4.trace %INPUT
 # @TEST-EXEC: btest-diff conn.log
 # @TEST-EXEC: btest-diff ftp.log

+@load base/protocols/conn
+@load base/protocols/ftp
+@load base/frameworks/dpd
--- a/testing/btest/scripts/base/protocols/ftp/ftp-ipv6.zeek
+++ b/testing/btest/scripts/base/protocols/ftp/ftp-ipv6.zeek
@ -1,6 +1,9 @@
 # This tests both active and passive FTP over IPv6.
 #
-# @TEST-EXEC: zeek -r $TRACES/ftp/ipv6.trace
+# @TEST-EXEC: zeek -b -r $TRACES/ftp/ipv6.trace %INPUT
 # @TEST-EXEC: btest-diff conn.log
 # @TEST-EXEC: btest-diff ftp.log

+@load base/protocols/conn
+@load base/protocols/ftp
+@load base/frameworks/dpd
--- a/testing/btest/scripts/base/protocols/http/content-range-gap-skip.zeek
+++ b/testing/btest/scripts/base/protocols/http/content-range-gap-skip.zeek
@ -1,9 +1,11 @@
-# @TEST-EXEC: zeek -r $TRACES/http/content-range-gap-skip.trace %INPUT
+# @TEST-EXEC: zeek -b -r $TRACES/http/content-range-gap-skip.trace %INPUT

 # In this trace, we should be able to determine that a gap lies
 # entirely within the body of an entity that specifies Content-Range,
 # and so further deliveries after the gap can still be made.

+@load base/protocols/http
+
 global got_gap = F;
 global got_data_after_gap = F;

--- a/testing/btest/scripts/base/protocols/http/content-range-gap.zeek
+++ b/testing/btest/scripts/base/protocols/http/content-range-gap.zeek
@ -1,6 +1,9 @@
-# @TEST-EXEC: zeek -r $TRACES/http/content-range-gap.trace %INPUT
+# @TEST-EXEC: zeek -b -r $TRACES/http/content-range-gap.trace %INPUT
 # @TEST-EXEC: btest-diff extract_files/thefile

+@load base/protocols/http
+@load base/files/extract
+
 event file_new(f: fa_file)
 	{
 	Files::add_analyzer(f, Files::ANALYZER_EXTRACT,
--- a/testing/btest/scripts/base/protocols/http/content-range-less-than-len.zeek
+++ b/testing/btest/scripts/base/protocols/http/content-range-less-than-len.zeek
@ -1,3 +1,6 @@
-# @TEST-EXEC: zeek -r $TRACES/http/content-range-less-than-len.pcap
+# @TEST-EXEC: zeek -b -r $TRACES/http/content-range-less-than-len.pcap %INPUT
 # @TEST-EXEC: btest-diff http.log
 # @TEST-EXEC: btest-diff weird.log
+
+@load base/protocols/http
+@load base/frameworks/notice/weird
--- a/testing/btest/scripts/base/protocols/http/entity-gap.zeek
+++ b/testing/btest/scripts/base/protocols/http/entity-gap.zeek
@ -1,7 +1,10 @@
-# @TEST-EXEC: zeek -r $TRACES/http/entity_gap.trace %INPUT
+# @TEST-EXEC: zeek -b -r $TRACES/http/entity_gap.trace %INPUT
 # @TEST-EXEC: btest-diff entity_data
 # @TEST-EXEC: btest-diff extract_files/file0

+@load base/protocols/http
+@load base/files/extract
+
 global f = open("entity_data");
 global fn = 0;

--- a/testing/btest/scripts/base/protocols/http/entity-gap2.zeek
+++ b/testing/btest/scripts/base/protocols/http/entity-gap2.zeek
@ -1,7 +1,10 @@
-# @TEST-EXEC: zeek -r $TRACES/http/entity_gap2.trace %INPUT
+# @TEST-EXEC: zeek -b -r $TRACES/http/entity_gap2.trace %INPUT
 # @TEST-EXEC: btest-diff entity_data
 # @TEST-EXEC: btest-diff extract_files/file0

+@load base/protocols/http
+@load base/files/extract
+
 global f = open("entity_data");
 global fn = 0;

--- a/testing/btest/scripts/base/protocols/http/fake-content-length.zeek
+++ b/testing/btest/scripts/base/protocols/http/fake-content-length.zeek
@ -1,2 +1,2 @@
-# @TEST-EXEC: zeek -r $TRACES/http/fake-content-length.pcap
+# @TEST-EXEC: zeek -b -r $TRACES/http/fake-content-length.pcap base/protocols/http
 # @TEST-EXEC: btest-diff http.log
--- a/testing/btest/scripts/base/protocols/http/http-bad-request-with-version.zeek
+++ b/testing/btest/scripts/base/protocols/http/http-bad-request-with-version.zeek
@ -1,4 +1,6 @@
-# @TEST-EXEC: zeek -Cr $TRACES/http/http-bad-request-with-version.trace %INPUT
+# @TEST-EXEC: zeek -b -Cr $TRACES/http/http-bad-request-with-version.trace %INPUT
 # @TEST-EXEC: btest-diff http.log
 # @TEST-EXEC: btest-diff weird.log

+@load base/protocols/http
+@load base/frameworks/notice/weird
--- a/testing/btest/scripts/base/protocols/http/http-connect-with-header.zeek
+++ b/testing/btest/scripts/base/protocols/http/http-connect-with-header.zeek
@ -1,12 +1,13 @@
 # This tests that the HTTP analyzer handles HTTP CONNECT proxying correctly
 # when the server include a header line into its response.
 #
-# @TEST-EXEC: zeek -C -r $TRACES/http/connect-with-header.trace %INPUT
+# @TEST-EXEC: zeek -b -C -r $TRACES/http/connect-with-header.trace %INPUT
 # @TEST-EXEC: btest-diff conn.log
 # @TEST-EXEC: btest-diff http.log
 # @TEST-EXEC: btest-diff tunnel.log

@load base/protocols/conn
@load base/protocols/http
+@load base/protocols/ssl
@load base/protocols/tunnels
@load base/frameworks/dpd
--- a/testing/btest/scripts/base/protocols/http/http-connect.zeek
+++ b/testing/btest/scripts/base/protocols/http/http-connect.zeek
@ -1,6 +1,6 @@
 # This tests that the HTTP analyzer handles HTTP CONNECT proxying correctly.
 #
-# @TEST-EXEC: zeek -r $TRACES/http/connect-with-smtp.trace %INPUT
+# @TEST-EXEC: zeek -b -r $TRACES/http/connect-with-smtp.trace %INPUT
 # @TEST-EXEC: btest-diff conn.log
 # @TEST-EXEC: btest-diff http.log
 # @TEST-EXEC: btest-diff smtp.log
--- a/testing/btest/scripts/base/protocols/http/http-filename.zeek
+++ b/testing/btest/scripts/base/protocols/http/http-filename.zeek
@ -1,8 +1,6 @@
 # This tests that the HTTP analyzer handles filenames over HTTP correctly.
 #
-# @TEST-EXEC: zeek -r $TRACES/http/http-filename.pcap %INPUT
+# @TEST-EXEC: zeek -b -r $TRACES/http/http-filename.pcap %INPUT
 # @TEST-EXEC: btest-diff http.log

-# The base analysis scripts are loaded by default.
-#@load base/protocols/http
-
+@load base/protocols/http
--- a/testing/btest/scripts/base/protocols/http/http-header-crlf.zeek
+++ b/testing/btest/scripts/base/protocols/http/http-header-crlf.zeek
@ -2,9 +2,8 @@
 # it gets confused whether it's in a header or not; it shouldn't report
 # the http_no_crlf_in_header_list wierd.
 #
-# @TEST-EXEC: zeek -r $TRACES/http/byteranges.trace %INPUT
+# @TEST-EXEC: zeek -b -r $TRACES/http/byteranges.trace %INPUT
 # @TEST-EXEC: test ! -f weird.log

-# The base analysis scripts are loaded by default.
-#@load base/protocols/http
-
+@load base/protocols/http
+@load base/frameworks/notice/weird
--- a/testing/btest/scripts/base/protocols/http/http-methods.zeek
+++ b/testing/btest/scripts/base/protocols/http/http-methods.zeek
@ -1,9 +1,8 @@
 # This tests that the HTTP analyzer handles strange HTTP methods properly.
 #
-# @TEST-EXEC: zeek -r $TRACES/http/methods.trace %INPUT
+# @TEST-EXEC: zeek -b -r $TRACES/http/methods.trace %INPUT
 # @TEST-EXEC: btest-diff weird.log
 # @TEST-EXEC: btest-diff http.log

-# The base analysis scripts are loaded by default.
-#@load base/protocols/http
-
+@load base/protocols/http
+@load base/frameworks/notice/weird
--- a/testing/btest/scripts/base/protocols/http/http-pipelining.zeek
+++ b/testing/btest/scripts/base/protocols/http/http-pipelining.zeek
@ -1,6 +1,8 @@
-# @TEST-EXEC: zeek -r $TRACES/http/pipelined-requests.trace %INPUT > output
+# @TEST-EXEC: zeek -b -r $TRACES/http/pipelined-requests.trace %INPUT > output
 # @TEST-EXEC: btest-diff http.log

+@load base/protocols/http
+
 # mime type is irrelevant to this test, so filter it out
 event zeek_init()
 	{
--- a/testing/btest/scripts/base/protocols/http/missing-zlib-header.zeek
+++ b/testing/btest/scripts/base/protocols/http/missing-zlib-header.zeek
@ -2,5 +2,7 @@
 # include an appropriate ZLIB header on deflated 
 # content.
 #
-# @TEST-EXEC: zeek -r $TRACES/http/missing-zlib-header.pcap %INPUT
+# @TEST-EXEC: zeek -b -r $TRACES/http/missing-zlib-header.pcap %INPUT
 # @TEST-EXEC: btest-diff http.log
+
+@load base/protocols/http
--- a/testing/btest/scripts/base/protocols/http/multipart-extract.zeek
+++ b/testing/btest/scripts/base/protocols/http/multipart-extract.zeek
@ -1,7 +1,10 @@
-# @TEST-EXEC: zeek -C -r $TRACES/http/multipart.trace %INPUT
+# @TEST-EXEC: zeek -b -C -r $TRACES/http/multipart.trace %INPUT
 # @TEST-EXEC: btest-diff http.log
 # @TEST-EXEC: cat extract_files/http-item-* | sort > extractions

+@load base/protocols/http
+@load base/files/extract
+
 event file_new(f: fa_file)
 	{
 	local fname = fmt("http-item-%s", f$id);
--- a/testing/btest/scripts/base/protocols/http/multipart-file-limit.zeek
+++ b/testing/btest/scripts/base/protocols/http/multipart-file-limit.zeek
@ -1,10 +1,10 @@
-# @TEST-EXEC: zeek -C -r $TRACES/http/multipart.trace
+# @TEST-EXEC: zeek -b -C -r $TRACES/http/multipart.trace base/protocols/http
 # @TEST-EXEC: btest-diff http.log
-# @TEST-EXEC: zeek -C -r $TRACES/http/multipart.trace %INPUT >out-limited
+# @TEST-EXEC: zeek -b -C -r $TRACES/http/multipart.trace base/protocols/http %INPUT >out-limited
 # @TEST-EXEC: mv http.log http-limited.log
 # @TEST-EXEC: btest-diff http-limited.log
 # @TEST-EXEC: btest-diff out-limited
-# @TEST-EXEC: zeek -C -r $TRACES/http/multipart.trace %INPUT ignore_http_file_limit=T >out-limit-ignored
+# @TEST-EXEC: zeek -b -C -r $TRACES/http/multipart.trace base/protocols/http %INPUT ignore_http_file_limit=T >out-limit-ignored
 # @TEST-EXEC: mv http.log http-limit-ignored.log
 # @TEST-EXEC: btest-diff http-limit-ignored.log
 # @TEST-EXEC: btest-diff out-limit-ignored
--- a/testing/btest/scripts/base/protocols/http/no-uri.zeek
+++ b/testing/btest/scripts/base/protocols/http/no-uri.zeek
@ -1,4 +1,6 @@
-# @TEST-EXEC: zeek -Cr $TRACES/http/no-uri.pcap %INPUT
+# @TEST-EXEC: zeek -b -Cr $TRACES/http/no-uri.pcap %INPUT
 # @TEST-EXEC: btest-diff http.log
 # @TEST-EXEC: btest-diff weird.log

+@load base/protocols/http
+@load base/frameworks/notice/weird
--- a/testing/btest/scripts/base/protocols/http/no-version.zeek
+++ b/testing/btest/scripts/base/protocols/http/no-version.zeek
@ -1,3 +1,4 @@
-# @TEST-EXEC: zeek -Cr $TRACES/http/no-version.pcap %INPUT
+# @TEST-EXEC: zeek -b -Cr $TRACES/http/no-version.pcap %INPUT
 # @TEST-EXEC: btest-diff http.log

+@load base/protocols/http
--- a/testing/btest/scripts/base/protocols/http/percent-end-of-line.zeek
+++ b/testing/btest/scripts/base/protocols/http/percent-end-of-line.zeek
@ -1,4 +1,6 @@
-# @TEST-EXEC: zeek -Cr $TRACES/http/percent-end-of-line.pcap %INPUT
+# @TEST-EXEC: zeek -b -Cr $TRACES/http/percent-end-of-line.pcap %INPUT
 # @TEST-EXEC: btest-diff http.log
 # @TEST-EXEC: btest-diff weird.log

+@load base/protocols/http
+@load base/frameworks/notice/weird
--- a/testing/btest/scripts/base/protocols/http/x-gzip.zeek
+++ b/testing/btest/scripts/base/protocols/http/x-gzip.zeek
@ -1,2 +1,2 @@
-# @TEST-EXEC: zeek -r $TRACES/http/x-gzip.pcap
+# @TEST-EXEC: zeek -b -r $TRACES/http/x-gzip.pcap base/protocols/http
 # @TEST-EXEC: btest-diff http.log
--- a/testing/btest/scripts/base/protocols/irc/basic.test
+++ b/testing/btest/scripts/base/protocols/irc/basic.test
@ -1,11 +1,15 @@
 # This tests that basic IRC commands (NICK, USER, JOIN, DCC SEND)
 # are logged for a client.

-# @TEST-EXEC: zeek -r $TRACES/irc-dcc-send.trace %INPUT >out
+# @TEST-EXEC: zeek -b -r $TRACES/irc-dcc-send.trace %INPUT >out
 # @TEST-EXEC: btest-diff irc.log
 # @TEST-EXEC: btest-diff conn.log
 # @TEST-EXEC: btest-diff out

+@load base/protocols/conn
+@load base/protocols/irc
+@load base/frameworks/dpd
+
 # dcc mime types are irrelevant to this test, so filter it out
 event zeek_init()
 	{
--- a/testing/btest/scripts/base/protocols/irc/events.test
+++ b/testing/btest/scripts/base/protocols/irc/events.test
@ -1,10 +1,12 @@
 # Test IRC events

-# @TEST-EXEC: zeek -r $TRACES/irc-dcc-send.trace %INPUT
-# @TEST-EXEC: zeek -r $TRACES/irc-basic.trace %INPUT
-# @TEST-EXEC: zeek -r $TRACES/irc-whitespace.trace %INPUT
+# @TEST-EXEC: zeek -b -r $TRACES/irc-dcc-send.trace %INPUT
+# @TEST-EXEC: zeek -b -r $TRACES/irc-basic.trace %INPUT
+# @TEST-EXEC: zeek -b -r $TRACES/irc-whitespace.trace %INPUT
 # @TEST-EXEC: btest-diff .stdout

+@load base/protocols/irc
+
 event irc_privmsg_message(c: connection, is_orig: bool, source: string, target: string, message: string)
 	{
 	print fmt("%s -> %s: %s", source, target, message);
--- a/testing/btest/scripts/base/protocols/irc/longline.test
+++ b/testing/btest/scripts/base/protocols/irc/longline.test
@ -1,6 +1,8 @@
 # This tests that an excessively long line is truncated by the contentline
 # analyzer

-# @TEST-EXEC: zeek -C -r $TRACES/contentline-irc-5k-line.pcap %INPUT
+# @TEST-EXEC: zeek -b -C -r $TRACES/contentline-irc-5k-line.pcap %INPUT
 # @TEST-EXEC: btest-diff weird.log

+@load base/protocols/irc
+@load base/frameworks/notice/weird
--- a/testing/btest/scripts/base/protocols/irc/names-weird.zeek
+++ b/testing/btest/scripts/base/protocols/irc/names-weird.zeek
@ -1,6 +1,9 @@
-# @TEST-EXEC: zeek -C -r $TRACES/irc-353.pcap %INPUT
+# @TEST-EXEC: zeek -b -C -r $TRACES/irc-353.pcap %INPUT
 # @TEST-EXEC: btest-diff weird.log

+@load base/protocols/irc
+@load base/frameworks/notice/weird
+
 event irc_names_info(c: connection, is_orig: bool, c_type: string, channel: string, users: string_set)
 	{
 	print channel, users;
--- a/testing/btest/scripts/base/protocols/krb/krb-service-name.test
+++ b/testing/btest/scripts/base/protocols/krb/krb-service-name.test
@ -1,3 +1,7 @@
-# @TEST-EXEC: zeek -r $TRACES/krb/optional-service-name.pcap
+# @TEST-EXEC: zeek -b -r $TRACES/krb/optional-service-name.pcap %INPUT
 # @TEST-EXEC: btest-diff conn.log
 # @TEST-EXEC: btest-diff kerberos.log
+
+@load base/protocols/krb
+@load base/protocols/conn
+@load base/frameworks/dpd
--- a/testing/btest/scripts/base/protocols/krb/smb2_krb_nokeytab.test
+++ b/testing/btest/scripts/base/protocols/krb/smb2_krb_nokeytab.test
@ -4,7 +4,7 @@
 # @TEST-REQUIRES: grep -q "#define USE_KRB5" $BUILD/zeek-config.h
 #
 # @TEST-COPY-FILE: ${TRACES}/krb/smb2_krb.keytab
-# @TEST-EXEC: zeek -C -r $TRACES/krb/smb2_krb.pcap %INPUT
+# @TEST-EXEC: zeek -b -C -r $TRACES/krb/smb2_krb.pcap %INPUT
 # @TEST-EXEC: btest-diff .stdout
 # @TEST-EXEC: btest-diff .stderr

--- a/testing/btest/scripts/base/protocols/modbus/coil_parsing_big.zeek
+++ b/testing/btest/scripts/base/protocols/modbus/coil_parsing_big.zeek
@ -1,11 +1,13 @@
 #
-# @TEST-EXEC: zeek -C -r $TRACES/modbus/modbusBig.pcap %INPUT | sort | uniq -c | sed 's/^ *//g' >output
+# @TEST-EXEC: zeek -b -C -r $TRACES/modbus/modbusBig.pcap %INPUT | sort | uniq -c | sed 's/^ *//g' >output
 # @TEST-EXEC: btest-diff output
 # @TEST-EXEC: cat output | awk '{print $2}' | grep "^modbus_" | sort | uniq | wc -l >covered
 # @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/modbus/events.bif  | grep "^event modbus_" | wc -l >total
 # @TEST-EXEC: echo `cat covered` of `cat total` events triggered by trace >coverage
 # @TEST-EXEC: btest-diff coverage

+@load base/protocols/modbus
+
 event modbus_message(c: connection, headers: ModbusHeaders, is_orig: bool)
 {
    print "modbus_message", c$id, headers, is_orig;
--- a/testing/btest/scripts/base/protocols/modbus/coil_parsing_small.zeek
+++ b/testing/btest/scripts/base/protocols/modbus/coil_parsing_small.zeek
@ -1,11 +1,13 @@
 #
-# @TEST-EXEC: zeek -C -r $TRACES/modbus/modbusSmall.pcap %INPUT | sort | uniq -c | sed 's/^ *//g' >output
+# @TEST-EXEC: zeek -b -C -r $TRACES/modbus/modbusSmall.pcap %INPUT | sort | uniq -c | sed 's/^ *//g' >output
 # @TEST-EXEC: btest-diff output
 # @TEST-EXEC: cat output | awk '{print $2}' | grep "^modbus_" | sort | uniq | wc -l >covered
 # @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/modbus/events.bif  | grep "^event modbus_" | wc -l >total
 # @TEST-EXEC: echo `cat covered` of `cat total` events triggered by trace >coverage
 # @TEST-EXEC: btest-diff coverage

+@load base/protocols/modbus
+
 event modbus_message(c: connection, headers: ModbusHeaders, is_orig: bool)
 {
    print "modbus_message", c$id, headers, is_orig;
--- a/testing/btest/scripts/base/protocols/modbus/events.zeek
+++ b/testing/btest/scripts/base/protocols/modbus/events.zeek
@ -1,5 +1,5 @@
 #
-# @TEST-EXEC: zeek -r $TRACES/modbus/modbus.trace %INPUT | sort | uniq -c | sed 's/^ *//g' >output
+# @TEST-EXEC: zeek -b -r $TRACES/modbus/modbus.trace %INPUT | sort | uniq -c | sed 's/^ *//g' >output
 # @TEST-EXEC: btest-diff output
 # @TEST-EXEC: cat output | awk '{print $2}' | grep "^modbus_" | sort | uniq | wc -l >covered
 # @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/modbus/events.bif  | grep "^event modbus_" | wc -l >total
@ -7,6 +7,10 @@
 # @TEST-EXEC: btest-diff coverage
 # @TEST-EXEC: btest-diff conn.log

+@load base/protocols/modbus
+@load base/protocols/conn
+@load base/frameworks/dpd
+
 redef DPD::ignore_violations_after = 1;

 event modbus_message(c: connection, headers: ModbusHeaders, is_orig: bool)
--- a/testing/btest/scripts/base/protocols/modbus/register_parsing.zeek
+++ b/testing/btest/scripts/base/protocols/modbus/register_parsing.zeek
@ -1,4 +1,4 @@
-# @TEST-EXEC: zeek -r $TRACES/modbus/fuzz-1011.trace %INPUT >output
+# @TEST-EXEC: zeek -b -r $TRACES/modbus/fuzz-1011.trace %INPUT >output
 # @TEST-EXEC: btest-diff modbus.log
 # @TEST-EXEC: btest-diff output

@ -10,6 +10,8 @@
 # case TCP_ApplicationAnalyzer::ProtocolViolation asserts its behavior for
 # incomplete connections).

+@load base/protocols/modbus
+
 event modbus_read_input_registers_request(c: connection, headers: ModbusHeaders, start_address: count, quantity: count)
 	{
 	print "modbus_read_input_registers_request", c$id, headers, start_address, quantity;
--- a/testing/btest/scripts/base/protocols/ncp/event.zeek
+++ b/testing/btest/scripts/base/protocols/ncp/event.zeek
@ -1,4 +1,4 @@
-# @TEST-EXEC: zeek -C -r $TRACES/ncp.pcap %INPUT >out
+# @TEST-EXEC: zeek -b -C -r $TRACES/ncp.pcap %INPUT >out
 # @TEST-EXEC: btest-diff out

 redef likely_server_ports += { 524/tcp };
--- a/testing/btest/scripts/base/protocols/ncp/frame_size_tuning.zeek
+++ b/testing/btest/scripts/base/protocols/ncp/frame_size_tuning.zeek
@ -1,4 +1,4 @@
-# @TEST-EXEC: zeek -C -r $TRACES/ncp.pcap %INPUT NCP::max_frame_size=150 >out
+# @TEST-EXEC: zeek -b -C -r $TRACES/ncp.pcap %INPUT NCP::max_frame_size=150 >out
 # @TEST-EXEC: btest-diff out

 redef likely_server_ports += { 524/tcp };
--- a/testing/btest/scripts/base/protocols/ntp/ntp-digest.test
+++ b/testing/btest/scripts/base/protocols/ntp/ntp-digest.test
@ -1,4 +1,4 @@
-# @TEST-EXEC: zeek -C -r $TRACES/ntp/NTP-digest.pcap %INPUT
+# @TEST-EXEC: zeek -b -C -r $TRACES/ntp/NTP-digest.pcap %INPUT
 # @TEST-EXEC: btest-diff ntp.log
 # @TEST-EXEC: btest-diff .stdout

--- a/testing/btest/scripts/base/protocols/ntp/ntp.test
+++ b/testing/btest/scripts/base/protocols/ntp/ntp.test
@ -1,4 +1,4 @@
-# @TEST-EXEC: zeek -C -r $TRACES/ntp/ntp.pcap %INPUT
+# @TEST-EXEC: zeek -b -C -r $TRACES/ntp/ntp.pcap %INPUT
 # @TEST-EXEC: btest-diff ntp.log
 # @TEST-EXEC: btest-diff .stdout

--- a/testing/btest/scripts/base/protocols/ntp/ntp2.test
+++ b/testing/btest/scripts/base/protocols/ntp/ntp2.test
@ -1,4 +1,4 @@
-# @TEST-EXEC: zeek -C -r $TRACES/ntp/ntp2.pcap %INPUT
+# @TEST-EXEC: zeek -b -C -r $TRACES/ntp/ntp2.pcap %INPUT
 # @TEST-EXEC: btest-diff ntp.log
 # @TEST-EXEC: btest-diff .stdout

--- a/testing/btest/scripts/base/protocols/ntp/ntp3.test
+++ b/testing/btest/scripts/base/protocols/ntp/ntp3.test
@ -1,4 +1,4 @@
-# @TEST-EXEC: zeek -C -r $TRACES/ntp/NTP_sync.pcap %INPUT
+# @TEST-EXEC: zeek -b -C -r $TRACES/ntp/NTP_sync.pcap %INPUT
 # @TEST-EXEC: btest-diff ntp.log
 # @TEST-EXEC: btest-diff .stdout

--- a/testing/btest/scripts/base/protocols/ntp/ntpmode67.test
+++ b/testing/btest/scripts/base/protocols/ntp/ntpmode67.test
@ -1,4 +1,4 @@
-# @TEST-EXEC: zeek -C -r $TRACES/ntp/ntpmode67.pcap %INPUT
+# @TEST-EXEC: zeek -b -C -r $TRACES/ntp/ntpmode67.pcap %INPUT
 # @TEST-EXEC: btest-diff .stdout

@load base/protocols/ntp
--- a/testing/btest/scripts/base/protocols/rdp/rdp-client-cluster-data.zeek
+++ b/testing/btest/scripts/base/protocols/rdp/rdp-client-cluster-data.zeek
@ -1,4 +1,4 @@
-# @TEST-EXEC: zeek -r $TRACES/rdp/rdp-proprietary-encryption.pcap %INPUT >out
+# @TEST-EXEC: zeek -b -r $TRACES/rdp/rdp-proprietary-encryption.pcap %INPUT >out
 # @TEST-EXEC: btest-diff out

@load base/protocols/rdp
--- a/testing/btest/scripts/base/protocols/rdp/rdp-client-security-data.zeek
+++ b/testing/btest/scripts/base/protocols/rdp/rdp-client-security-data.zeek
@ -1,4 +1,4 @@
-# @TEST-EXEC: zeek -r $TRACES/rdp/rdp-proprietary-encryption.pcap %INPUT >out
+# @TEST-EXEC: zeek -b -r $TRACES/rdp/rdp-proprietary-encryption.pcap %INPUT >out
 # @TEST-EXEC: btest-diff out

@load base/protocols/rdp
--- a/testing/btest/scripts/base/protocols/rdp/rdp-native-encrypted-data.zeek
+++ b/testing/btest/scripts/base/protocols/rdp/rdp-native-encrypted-data.zeek
@ -1,4 +1,4 @@
-# @TEST-EXEC: zeek -r $TRACES/rdp/rdp-proprietary-encryption.pcap %INPUT >out
+# @TEST-EXEC: zeek -b -r $TRACES/rdp/rdp-proprietary-encryption.pcap %INPUT >out
 # @TEST-EXEC: btest-diff out

@load base/protocols/rdp
--- a/testing/btest/scripts/base/protocols/rdp/rdp-proprietary-encryption.zeek
+++ b/testing/btest/scripts/base/protocols/rdp/rdp-proprietary-encryption.zeek
@ -1,4 +1,4 @@
-# @TEST-EXEC: zeek -r $TRACES/rdp/rdp-proprietary-encryption.pcap %INPUT
+# @TEST-EXEC: zeek -b -r $TRACES/rdp/rdp-proprietary-encryption.pcap %INPUT
 # @TEST-EXEC: btest-diff rdp.log

@load base/protocols/rdp
--- a/testing/btest/scripts/base/protocols/rdp/rdp-to-ssl.zeek
+++ b/testing/btest/scripts/base/protocols/rdp/rdp-to-ssl.zeek
@ -1,5 +1,6 @@
-# @TEST-EXEC: zeek -r $TRACES/rdp/rdp-to-ssl.pcap %INPUT
+# @TEST-EXEC: zeek -b -r $TRACES/rdp/rdp-to-ssl.pcap %INPUT
 # @TEST-EXEC: btest-diff rdp.log
 # @TEST-EXEC: btest-diff ssl.log

@load base/protocols/rdp
+@load base/protocols/ssl
--- a/testing/btest/scripts/base/protocols/rdp/rdp-x509.zeek
+++ b/testing/btest/scripts/base/protocols/rdp/rdp-x509.zeek
@ -1,5 +1,6 @@
-# @TEST-EXEC: zeek -r $TRACES/rdp/rdp-x509.pcap %INPUT
+# @TEST-EXEC: zeek -b -r $TRACES/rdp/rdp-x509.pcap %INPUT
 # @TEST-EXEC: btest-diff rdp.log
 # @TEST-EXEC: TEST_DIFF_CANONIFIER="$SCRIPTS/diff-remove-timestamps | $SCRIPTS/diff-remove-x509-key-info" btest-diff x509.log

@load base/protocols/rdp
+@load base/files/x509
--- a/testing/btest/scripts/base/protocols/rdp/rdpeudp-handshake-fail.zeek
+++ b/testing/btest/scripts/base/protocols/rdp/rdpeudp-handshake-fail.zeek
@ -1,8 +1,10 @@
-# @TEST-EXEC: zeek -r $TRACES/rdp/rdpeudp-handshake-fail.pcap %INPUT >out
+# @TEST-EXEC: zeek -b -r $TRACES/rdp/rdpeudp-handshake-fail.pcap %INPUT >out
 # @TEST-EXEC: btest-diff conn.log
 # @TEST-EXEC: btest-diff out

@load base/protocols/rdp
+@load base/protocols/conn
+@load base/frameworks/dpd

 event rdpeudp_syn(c: connection)
 	{
--- a/testing/btest/scripts/base/protocols/rdp/rdpeudp-handshake-success.zeek
+++ b/testing/btest/scripts/base/protocols/rdp/rdpeudp-handshake-success.zeek
@ -1,8 +1,10 @@
-# @TEST-EXEC: zeek -r $TRACES/rdp/rdpeudp-handshake-success.pcap %INPUT >out
+# @TEST-EXEC: zeek -b -r $TRACES/rdp/rdpeudp-handshake-success.pcap %INPUT >out
 # @TEST-EXEC: btest-diff conn.log
 # @TEST-EXEC: btest-diff out

@load base/protocols/rdp
+@load base/protocols/conn
+@load base/frameworks/dpd

 event rdpeudp_syn(c: connection)
 	{
--- a/testing/btest/scripts/base/protocols/rdp/rdpeudp2-handshake-success.zeek
+++ b/testing/btest/scripts/base/protocols/rdp/rdpeudp2-handshake-success.zeek
@ -1,8 +1,10 @@
-# @TEST-EXEC: zeek -Cr $TRACES/rdp/rdpeudp2-handshake-success.pcap %INPUT >out
+# @TEST-EXEC: zeek -b -Cr $TRACES/rdp/rdpeudp2-handshake-success.pcap %INPUT >out
 # @TEST-EXEC: btest-diff conn.log
 # @TEST-EXEC: btest-diff out

@load base/protocols/rdp
+@load base/protocols/conn
+@load base/frameworks/dpd

 event rdpeudp_syn(c: connection)
 	{
--- a/testing/btest/scripts/base/protocols/rfb/rfb-apple-remote-desktop.test
+++ b/testing/btest/scripts/base/protocols/rfb/rfb-apple-remote-desktop.test
@ -1,4 +1,4 @@
-# @TEST-EXEC: zeek -C -r $TRACES/rfb/vncmac.pcap
+# @TEST-EXEC: zeek -b -C -r $TRACES/rfb/vncmac.pcap %INPUT
 # @TEST-EXEC: btest-diff rfb.log

@load base/protocols/rfb
--- a/testing/btest/scripts/base/protocols/rfb/vnc-mac-to-linux.test
+++ b/testing/btest/scripts/base/protocols/rfb/vnc-mac-to-linux.test
@ -1,4 +1,4 @@
-# @TEST-EXEC: zeek -C -r $TRACES/rfb/vnc-mac-to-linux.pcap
+# @TEST-EXEC: zeek -b -C -r $TRACES/rfb/vnc-mac-to-linux.pcap %INPUT
 # @TEST-EXEC: btest-diff rfb.log

@load base/protocols/rfb
--- a/testing/btest/scripts/base/protocols/rfb/vnc-scanner.bro
+++ b/testing/btest/scripts/base/protocols/rfb/vnc-scanner.bro
@ -1,4 +1,4 @@
-# @TEST-EXEC: zeek -C -r $TRACES/rfb/vnc-scanner.pcap
+# @TEST-EXEC: zeek -b -C -r $TRACES/rfb/vnc-scanner.pcap %INPUT
 # @TEST-EXEC: btest-diff rfb.log

@load base/protocols/rfb
--- a/testing/btest/scripts/base/protocols/smb/smb2-write-response.test
+++ b/testing/btest/scripts/base/protocols/smb/smb2-write-response.test
@ -1,4 +1,4 @@
-# @TEST-EXEC: zeek -C -r $TRACES/smb/smb2readwrite.pcap %INPUT
+# @TEST-EXEC: zeek -b -C -r $TRACES/smb/smb2readwrite.pcap %INPUT
 # @TEST-EXEC: btest-diff .stdout

@load base/protocols/smb
--- a/testing/btest/scripts/base/protocols/smtp/basic.test
+++ b/testing/btest/scripts/base/protocols/smtp/basic.test
@ -1,4 +1,4 @@
-# @TEST-EXEC: zeek -r $TRACES/smtp.trace %INPUT
+# @TEST-EXEC: zeek -b -r $TRACES/smtp.trace %INPUT
 # @TEST-EXEC: btest-diff smtp.log

@load base/protocols/smtp
--- a/testing/btest/scripts/base/protocols/smtp/one-side.test
+++ b/testing/btest/scripts/base/protocols/smtp/one-side.test
@ -1,4 +1,4 @@
-# @TEST-EXEC: zeek -C -r $TRACES/smtp-one-side-only.trace %INPUT
+# @TEST-EXEC: zeek -b -C -r $TRACES/smtp-one-side-only.trace %INPUT
 # @TEST-EXEC: btest-diff smtp.log

@load base/protocols/smtp
--- a/testing/btest/scripts/base/protocols/smtp/starttls.test
+++ b/testing/btest/scripts/base/protocols/smtp/starttls.test
@ -1,6 +1,7 @@
-# @TEST-EXEC: zeek -C -r $TRACES/tls/smtp-starttls.pcap %INPUT
+# @TEST-EXEC: zeek -b -C -r $TRACES/tls/smtp-starttls.pcap %INPUT
 # @TEST-EXEC: btest-diff smtp.log
 # @TEST-EXEC: btest-diff ssl.log
 # @TEST-EXEC: btest-diff x509.log

@load base/protocols/smtp
+@load base/protocols/ssl
--- a/Show more
+++ b/Show more